Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    26-05-2024 15:41

General

  • Target

    pornhub.exe

  • Size

    85KB

  • MD5

    d9f622dd3ba5ba4e70a51e7d690e8019

  • SHA1

    e7a5149a04e34782d8cf95248955d726df26ad72

  • SHA256

    ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526

  • SHA512

    a0cbeafabfcd916e132f8d4bfcc69adb280022a107102199cd99372fb8b76fc08332f9d24863eab19f264e697b3340917a85073a7a5be76e158abcca3145b1a7

  • SSDEEP

    1536:X8cC9V4pEQ5RZxzK1bgB+bN4JdErIlkUH66q7ICKO7JIbVhk:X82DZ3B+bN1IlLHWUdO9I5hk

Malware Config

Extracted

Family

xworm

C2

character-estimate.gl.at.ply.gg:61192

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Chrome.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\pornhub.exe
    "C:\Users\Admin\AppData\Local\Temp\pornhub.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pornhub.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pornhub.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1088
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.0.65561302\974666775" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1688 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b472684b-5978-46bb-abae-f6d9c031a52e} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 1796 1677bed0158 gpu
        3⤵
          PID:1516
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.1.2009978888\1533454162" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ed61d75-046b-42dd-b408-47f0dc99e40f} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 2152 1676ff6f858 socket
          3⤵
            PID:4848
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.2.793737724\1704977890" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2700 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77c8b9cf-158a-4ec4-b3e6-119c0ee64874} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 2692 16702cb8558 tab
            3⤵
              PID:4600
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.3.438245170\1800960304" -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3504 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba649d18-4247-40cc-b15a-252907faa9f9} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 3496 167008fa658 tab
              3⤵
                PID:4484
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.4.137159032\1638134915" -childID 3 -isForBrowser -prefsHandle 4080 -prefMapHandle 4076 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de0bee18-0810-48dd-b540-160cb489a2d7} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4092 1670300fe58 tab
                3⤵
                  PID:1096
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.5.780020215\1910889039" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 4780 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60ac9b9c-e2eb-4aa7-9654-080ddbd88b1f} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4804 1670329fb58 tab
                  3⤵
                    PID:2960
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.6.1845768467\1971945075" -childID 5 -isForBrowser -prefsHandle 4920 -prefMapHandle 4924 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce8520d1-e8c4-418e-bb0b-176599cfd13d} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4912 16704f8c058 tab
                    3⤵
                      PID:4196
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.7.1226406622\1142837431" -childID 6 -isForBrowser -prefsHandle 5108 -prefMapHandle 5112 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f21cf5fe-f5de-4574-96ab-aa06140f6e73} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 5096 16704f8de58 tab
                      3⤵
                        PID:2492
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.8.985399268\1830031175" -childID 7 -isForBrowser -prefsHandle 2632 -prefMapHandle 4960 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dc45e2d-b4ae-4797-9d82-59c8e54d276f} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 1652 16706706258 tab
                        3⤵
                          PID:5644
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.9.224315821\434547114" -parentBuildID 20221007134813 -prefsHandle 4208 -prefMapHandle 5748 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9a9c19d-cc54-431c-a28f-2110defa1fd6} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4184 16704a7e458 rdd
                          3⤵
                            PID:5988
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.10.629507646\1741374541" -childID 8 -isForBrowser -prefsHandle 4104 -prefMapHandle 5756 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bd6153a-4c33-40b9-a8c5-464653a79bcb} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 5768 167070f0058 tab
                            3⤵
                              PID:5080
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.11.195892538\735245328" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5940 -prefMapHandle 5944 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73445504-ba1c-4d88-a60b-2c24c6fd4c16} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 5952 167071efe58 utility
                              3⤵
                                PID:5376

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                            Filesize

                            3KB

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            1KB

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            1KB

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            1KB

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\11653

                            Filesize

                            16KB

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\18072

                            Filesize

                            16KB

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\18799

                            Filesize

                            16KB

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\21616

                            Filesize

                            16KB

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\21650

                            Filesize

                            16KB

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\21840

                            Filesize

                            16KB

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\25276

                            Filesize

                            16KB

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\28542

                            Filesize

                            16KB

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\31583

                            Filesize

                            16KB

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\31862

                            Filesize

                            16KB

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\3706

                            Filesize

                            16KB

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uwdpg32l.0wz.ps1

                            Filesize

                            1B

                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                            Filesize

                            442KB

                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                            Filesize

                            8.0MB

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

                            Filesize

                            2KB

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\2039f202-ff63-4624-b19e-de3f4112357e

                            Filesize

                            746B

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\c1bfb18f-8506-4d9f-b92e-b635bdcb1e11

                            Filesize

                            11KB

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                            Filesize

                            997KB

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                            Filesize

                            116B

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                            Filesize

                            479B

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                            Filesize

                            372B

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                            Filesize

                            11.8MB

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                            Filesize

                            1KB

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                            Filesize

                            1KB

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

                            Filesize

                            7KB

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

                            Filesize

                            6KB

                            MD5

                            5e2f273ee3f26e100332dcb28ed18eaf

                            SHA1

                            73f19c35508030440f2df57b36502aa556b1f59d

                            SHA256

                            298b338ea56cd0ab7554b2fcc65c8e11d780c31cb8855d1857cc35280821bfed

                            SHA512

                            b4abfd3349fe859dcf25eed875196cbafcd1cbf020e7264f14b0cd87d5baf9660448ce37844b1309efd50c8ec587c20da7b1a82c8b5a305abed4e175188e86d4

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

                            Filesize

                            6KB

                            MD5

                            922d69a3142032cbbc3af5a0d027be43

                            SHA1

                            4c766ec2dd83d9ca1a6e50a8afeec1d17a28d7a8

                            SHA256

                            c49f11f737c555758cba508b6e6ed2f2c8561ef3b5c506075eba0a401184c05a

                            SHA512

                            c9bc1cb67de823014ae51366b3e0e39259b253cbfb91a6f8585d265de91cd27f1cc39734794bd59db908527ba22356d837586d09bfd2f4821b243a9c0df6bcf4

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

                            Filesize

                            6KB

                            MD5

                            48e70e627459afc3eb24dffe216a690a

                            SHA1

                            fa5c8d1b942d4a2ff7d7dcc74b941da03dc28492

                            SHA256

                            bdc176f73a82c972cd32a53f7d6d4c88e2eca12a800dc60a2d068f72fa7e7305

                            SHA512

                            dc013ceb43207da668eb16ec626e5d9adf3b73db9b3753cc6a05a64cb7250cc6f9926e04d34b29c1763513578ac10417ad82bdc366ffb55ae515c50fde45cf93

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

                            Filesize

                            3KB

                            MD5

                            a552d729e0774e3f38a9747c3e7de4ff

                            SHA1

                            6f74e2708f2fffd9d69ad10e8f526b89da11e7c2

                            SHA256

                            a779506ef649add3a3b704b11fa8fcabb1426d2335e6c63452c20da6ef24c6cf

                            SHA512

                            151643b8face85e45f92038bf8f9dd33adabf8f9e8591fd1417e83cd11bb2490c11372f57d2475c7412aa23f2ad7c3c74ad4187ca53d4f49a43fcc9eb94f16b9

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

                            Filesize

                            4KB

                            MD5

                            bcca65a489811c5ec11b9621d1eacf42

                            SHA1

                            12e336d2ba9cc0ada739935d05c7c1c1b659cfde

                            SHA256

                            d29da7d252a4074016b8da18dbc9a8c5b2628ba8ddc14697415635cc918231ef

                            SHA512

                            e346055ed51e2cb94f7455ef9fce2f4273e45fc2c0ec455e641630c91eb32700e1b603d5e2ba477862dc84693839246ce8720e3707659072fd7d0cf40a98c115

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

                            Filesize

                            4KB

                            MD5

                            28cba90ad814ffea902f2d0b3864777f

                            SHA1

                            e123c0895f52ba86b8b7520eb983c81fafd37521

                            SHA256

                            4f0dacd4383d39da115748b4614436a1b95fe84da14814bae38e3be1f3ce6fd5

                            SHA512

                            750ef68c6e0658a1ebabd45ab1bd5a53b49fee0dea565963717b65dafc2313eeb4342a6de414924f9c8ce82f7766d52be8b632d963385cae4826f8edae5667d2

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                            Filesize

                            184KB

                            MD5

                            7f868e557b098795d645df9ea302427f

                            SHA1

                            001f3306144559b4049a8ab139b4139f51e59c0e

                            SHA256

                            b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

                            SHA512

                            56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

                          • C:\Users\Admin\Desktop\CheckpointProtect.m1v

                            Filesize

                            424KB

                            MD5

                            e911d5061fed57806a94a208b9114a17

                            SHA1

                            bac9d8ff9c960b9cb1f68b51b207488650c81e5c

                            SHA256

                            e89f1d2899a044dd6e8346879d0dca269290d1353571bcc935df319336b2d59f

                            SHA512

                            d2285c67e62937f510bfa6da9951bf22d87d25345894013eb5b8d475bcc75761bd7ed2e10f174472d755ff7bc1bfbe80ba3dc650ccc52ed24226b61ef94d4ef2

                          • C:\Users\Admin\Desktop\ConvertFromTrace.vdx

                            Filesize

                            791KB

                            MD5

                            0da67631e74dcfb5ebe8bd34906e2bb1

                            SHA1

                            526aa368befb5da15df74285df4e553a7e5c5e69

                            SHA256

                            c8abbbdf6f6b12a869667167ca3eea41d176371d802fa87a4cdf0ad446811a16

                            SHA512

                            0b29612a246a42d2cba38fc3a5d2b93f93d4ce3d21c70e9c47d7d24ca153ea0c12293e66adb493b12a30085d4b5131198ca9f9645300da999b53187abab57310

                          • C:\Users\Admin\Desktop\DenyFind.dxf

                            Filesize

                            722KB

                            MD5

                            7d7d6b328041c014dbf0dd839f5d52c8

                            SHA1

                            5889cf643583dbe340bc907cb0d327808422afdb

                            SHA256

                            a726731da87d2f7021626fba239f02ef158ce78ec1d6a023d9b6f37a7f32dfa7

                            SHA512

                            2b7fd6e109e1656dad05c6fc4b7346a5c15b95c4e0632d3340190935ab9d02f25dfd7293c62f9b0ca52c59434de5ef86b823e380e324616134bb23a65ef75ba5

                          • C:\Users\Admin\Desktop\DisconnectStep.svg

                            Filesize

                            630KB

                            MD5

                            660f2f7d5538d4d7c4a923e927c7c178

                            SHA1

                            e766506820dfc13a8c8a8c635f334b268c4e0d08

                            SHA256

                            d14314f800e44156114ac57b342b9b6a680804be4c5ea35115891e1f486e9125

                            SHA512

                            1d789a4174709d552f982ae4103a43f36a3188c9777d321f70c25f9756092c8f689e8206cf6f5bb7b0dc5ab5fd64f504941d751c326f51ac491e557aa530105a

                          • C:\Users\Admin\Desktop\EnableClear.crw

                            Filesize

                            378KB

                            MD5

                            c26ba60af9929673b0dc015e60783ea3

                            SHA1

                            9ef8d6340dcdb2a5ec64da61c9c8b9cfbbc0923d

                            SHA256

                            82610c5a89000e24c635306bd6f064b2b269fa97a08e10e02360dc92cce86e28

                            SHA512

                            2ded22030561e7bcbfc1074e29fd0d99785906eb4d9417e42184f6317e846ce192ebb53b013f1bb34d0166f7ec3ca77785105b095c6fdcee28d04e233191a171

                          • C:\Users\Admin\Desktop\EnterPop.dwfx

                            Filesize

                            584KB

                            MD5

                            fdb68a6c677b0e598002d1a6730c73fb

                            SHA1

                            12b99218f722fa786e70333cd130a4df2bc83964

                            SHA256

                            f553911a4a7f412a96366fe3bbd388c3f5ae46603a295eb3c5904985156c5071

                            SHA512

                            a799c43ef5d170a3e8b10fb918e17c32244c8fbecb5d1bb45d3ab77af14b20c92832cf9a1bf5fa22a8a85b570d2e7d11aefd947f42b9c9f6f022d59ac596fc99

                          • C:\Users\Admin\Desktop\ExitClear.scf

                            Filesize

                            676KB

                            MD5

                            9ec1f17961ea08f47cdb4e1552a13e97

                            SHA1

                            9e769d137954febcb40e78063aa9a9fe53e073d6

                            SHA256

                            cea902ccdd222ce8885476e6b0364956f8e3629cd614c3c05568a89cddf543c5

                            SHA512

                            01e4a06ada7efadbe7272fe15af47cc1212e8003487dc093b0bf8f653d45554e643d707ec8e5e865ba9ee1150ae105ee2d223741d996e5813770ef281c74a61e

                          • C:\Users\Admin\Desktop\HideUndo.txt

                            Filesize

                            309KB

                            MD5

                            d319151f302da4b8be6ef3cde3bc0d8c

                            SHA1

                            9336cbefbd4028b06257a878790eda6463570196

                            SHA256

                            64db0852fc2cebd6e461562442b0b1b97873008d1a575ca853bece004391590f

                            SHA512

                            92edac20cbed7cb50e460c6e0f543da3cb794d1529284d92470678a3dda75675db836d413a167d3f14e4310f3e0255d2749de04466888114143b405bfd3eb2d0

                          • C:\Users\Admin\Desktop\InstallInvoke.mp4v

                            Filesize

                            286KB

                            MD5

                            ff80266f63451e4233ba38b99bc4d328

                            SHA1

                            0ec9be28dc7d2c1f13e480be44231e66d477546b

                            SHA256

                            8f76959b6e9cffc1254eb25c2f5d9c645b41a207290e1431ecba5f331df0a7df

                            SHA512

                            0fc3aefd724472d8f8364e7c3ccf04245d0d8a08bfcd85569f0b008f852e712785578e5a555ad5adbf1b5e960fb4b330a9a2c6d41b9c64510e00a55c831f707a

                          • C:\Users\Admin\Desktop\LimitSwitch.TS

                            Filesize

                            401KB

                            MD5

                            c88b10548288c98e2bad7460ade86015

                            SHA1

                            e0e73519d3348761a92e73a826fbe6d9c16afae9

                            SHA256

                            c39863494d0850ad17b494722ac378f242483ad2bd29309eb7b2aed678382f3d

                            SHA512

                            426b41acf4b934d919a698447761ee3f3da9f260539e6f02f912a3ffff45c527be9b5210e32ceebf098b164a39cbbb9cff18225384ea6c5f1fb5247f178b6c34

                          • C:\Users\Admin\Desktop\OptimizeReceive.dib

                            Filesize

                            814KB

                            MD5

                            295d89bfe71ea3171b130b149b29ca66

                            SHA1

                            74a792bb109c453b0923e5ef4a61ae63b7d6ae4e

                            SHA256

                            d87c9d7ec0ae19411b6f087e652876cb0c9d2dac8773f1b5b478018a0f0d7cb3

                            SHA512

                            22f1d62f10bedb7c4810bac2268a3a08444d14c1f07c4ad77f48ce3b1822100ade0bf50f6d84d440d30db5aab21379ac75d25c37de9b2817c9c29fb2bc4324af

                          • C:\Users\Admin\Desktop\PublishSwitch.mp4

                            Filesize

                            493KB

                            MD5

                            0e78f81c8efa781da701702cf3afa032

                            SHA1

                            752601a9770d777d7347b397a5df547cf0a04ef0

                            SHA256

                            1c2ebd2467d1eaa33bae67a738ef78aa117293965cb200d754d1d9266062994e

                            SHA512

                            9b92d174ccd1cb583f95cd2b69978351f9c745053774df618ce3f6fce89f895a903443a67ac6bcef857728ac165aae0ffb142cae176b4982eeed75482fcf8d69

                          • C:\Users\Admin\Desktop\PushReset.3g2

                            Filesize

                            332KB

                            MD5

                            a623796146e6485d2b13205d47fd2415

                            SHA1

                            ad3379338688f3dfbdf87710c74a5045f60f6d0a

                            SHA256

                            8552a6421cb4b93cc34f84edc5552561f81e0c6fad2ff2794e77be71b0f3d093

                            SHA512

                            b91b12f34961e8f7a77589e2077a7633f84bf545f62f7efc00ae358dc9413e924e25a477567d04cb39e6559635fb49e043f878c7a318e0640eeff6f6fe7bb706

                          • C:\Users\Admin\Desktop\ResolveCompress.inf

                            Filesize

                            699KB

                            MD5

                            10104564a11ca79864edfed359d4fbe5

                            SHA1

                            db198896a4909c07f34ca666df6ee0cccd0d42a6

                            SHA256

                            0c7bbc79414a15862e8f02b2b91708d231b90344775aa15533a1d8960f7df3f0

                            SHA512

                            f9e7bd6d53a0e29ee27a50ff6e4217f8b07435459ef099fe480da0c2e71d21f330bf7a4f62965b0441f98f8795f3f37511c94a3daade564e855b734e0f7ec0d6

                          • C:\Users\Admin\Desktop\ResumeUnregister.hta

                            Filesize

                            355KB

                            MD5

                            2f840a77ae6175fc45a605819612f64e

                            SHA1

                            023dbd1a5a5dc89644dbbd149c7e43333e5cf885

                            SHA256

                            7dddb253c6f2583845deb10edcef9d9af91f37bc3da54e64c7df1a816cbff08a

                            SHA512

                            fab81c8517c438606907972778bede87e11d8ca20a77345d2d98b91c42c34655d9ad60be6fcba5797b2b5102dd4f3fe04d0ad17c3dcf0a329202d54274fa4df8

                          • C:\Users\Admin\Desktop\RevokeRepair.cr2

                            Filesize

                            1.1MB

                            MD5

                            92767c8595b51bbc73fb0da95269ac9e

                            SHA1

                            a83ab91fca4e8de8675fe6b2bf870624d0a4605d

                            SHA256

                            10c363fab712cef1768a41d4af258a4933af6f5cfbf9b329f9357b9d25fd4cbd

                            SHA512

                            7b5c98008e9fb04649a0a3f754549bff2f9a5654779e5ec1360e59bc71043d181c4076ca2515620b1fdd68b9f9d31e86820ec30ab675531021234fdacae75c57

                          • C:\Users\Admin\Desktop\SearchDeny.vbs

                            Filesize

                            516KB

                            MD5

                            8a10bcdd0bf52e9a83ad166eb67be4e4

                            SHA1

                            9eae5fd44d91db471728f88d3e1277ce01de61fe

                            SHA256

                            a8069518e27e4c4cd7ee7a29ed2b792a0f2852cd186a25b92f1606d88321cef3

                            SHA512

                            7cd2cbd81ca393dd9acf6fe5527c3ab9c6380de0455e0f6e525c35e3778ba095ab85e5182d9cca0658221c9e2d7a74b7d25d3cc212c7a81dec0596bcd72a3749

                          • C:\Users\Admin\Desktop\SelectDebug.php

                            Filesize

                            653KB

                            MD5

                            19518a17cb26955b73a14ab559617bdf

                            SHA1

                            421c3770d2013224ef4354a7ca46010c4fc93660

                            SHA256

                            58df27d876957eddf64050d1005c9feb4804af7e7091914481e8539e5d634851

                            SHA512

                            f44afb8b12c3310f5238e2ec281c80b9531b3a74c7e87a7ede277770f37cd2b33fc612f87e3c7caec7f5755611755f294bacce71331f4a6a067548f79855db15

                          • C:\Users\Admin\Desktop\StepUnprotect.TS

                            Filesize

                            607KB

                            MD5

                            e389ddf177c129da892be16e23bbb9e1

                            SHA1

                            f655e81f75af1ae087b26a56a3a0cbcd60bd4a5c

                            SHA256

                            e9b9c60b606a5ab48be67e41a18110fe3b54aa4fa1edaaa2ac13f73a4e926328

                            SHA512

                            be6c4cadd0a6ceeece949d0f8e5c2a413da00aa8dd9a8d433877e8bd7d1dd21f62791eace48f4df2b92224fd242b052234d872db786801578687cf8976961671

                          • C:\Users\Admin\Desktop\StopRegister.ini

                            Filesize

                            447KB

                            MD5

                            a81d8d2e5bd893b006b3e2b085ec667f

                            SHA1

                            6edad61a0c225ac5a9f0eee73281519c76e0b2ea

                            SHA256

                            4fd0e19bb8d3c688d18548eb697f24f0addcf3db5658a463e25cc40e0da962e7

                            SHA512

                            e1419d37047664c06ae46b3fda11087f5fa067e759db3bdee01fee3ec8b1402ccd481ebf7761cc5630124593c46ee373f4131664797374bb56580a201fe2ef55

                          • C:\Users\Admin\Desktop\StopUnpublish.avi

                            Filesize

                            561KB

                            MD5

                            6ecde1f1b65e9dbf863b783e1eecdc76

                            SHA1

                            318e4d6b6d8fb6d0bffecb3deeeeba5947f895a6

                            SHA256

                            9dd2d0a2ef81cc5f06d99736c4e1ef818806c7622825d73e6f5057972959ca79

                            SHA512

                            5ff5f3ae558337c937c43b7f73c95ae07e1c4ade4ee2d16fe71ac8d6e61b613877bfcc0308acde82474ba1ca42019d839c5075097dcdc3bfa9ce608db98e3994

                          • C:\Users\Admin\Desktop\SyncResume.asx

                            Filesize

                            768KB

                            MD5

                            511aa4197951d849d87462738b3b90ea

                            SHA1

                            e51cf38577652515e6463e71e48f8dbdd6354c57

                            SHA256

                            fe19a0639d70654c036aa3d707e17de863b658f796b9a8b4c69e4dfed3138a29

                            SHA512

                            f144616753b44edec0b00222eb59695640394132bde81a4285c14932c6233304fd4f2f862cb67f236c4df5dc6652829437730301e5df2fd6375be34264d3bbfa

                          • C:\Users\Admin\Desktop\SyncSkip.avi

                            Filesize

                            470KB

                            MD5

                            1a9735d6667e321c91e8abadf1e3bafa

                            SHA1

                            2540df704a0aea72b014c82d5687c9d414428e06

                            SHA256

                            70299e860f5bb1a125f5ee9192148839fc8e7f7ced0712cdd947af963e8e2e62

                            SHA512

                            3635d473a04301a09c829cee8527c26638ff400631c7fcee9520f7ffa59285d23afcdd8f7ad13ececab0418e5898a3492e12cf188aa3e500f8c269065b0dcfa2

                          • C:\Users\Admin\Desktop\WaitInstall.lnk

                            Filesize

                            745KB

                            MD5

                            13eb344d5411e56ec83b74372c3f6bd6

                            SHA1

                            916a2c95a7d29740f1bb7a8aa252eff8efae6566

                            SHA256

                            66e2881e3f6eee7498fa8c758d45b601dbcdd98719ff680dbad814bf42eb3d07

                            SHA512

                            db7027216d9cb94a0483d7a577f0b683dc2373fef47298a654ae7d62e9b04df969ffdeffbd88ba60ce33931aad107c20e13306915c52bdf430325f721d793de4

                          • C:\Users\Admin\Desktop\WriteInvoke.wm

                            Filesize

                            539KB

                            MD5

                            fdb4a269238f136cb1f64c33cb0bd783

                            SHA1

                            720f7c8841253726fe50fa4fee37710ca447a593

                            SHA256

                            b4e4a690fbcb1aa64f619f47cb399c2dd86d87e26863e66f7dc4c31e9e31a867

                            SHA512

                            2dbceebd9a5a9953f7aad573ae5d80af97ac482e3f7ffa6863fb961a10087d2a95708e37b263ae2f8fdce04064af405d470df62f095a044683555fc54d076862

                          • C:\Users\Public\Desktop\Acrobat Reader DC.lnk

                            Filesize

                            2KB

                            MD5

                            6f1e4b9ce0fee4ac3d5bbb48745d5717

                            SHA1

                            fde19343a446e9f917a5440a1fb31cf9faf4e1aa

                            SHA256

                            2c74ee14a4b44682ca938f99f40157f266bfe31e37dca4b1d56b3eadc1d1aee2

                            SHA512

                            e96980b3303329dcc882588c147a01d238b92600972a1dc59bcded4aa525341c5b5604e5ce3cadec0c49e6586f4cd6b93b693ae1b6dcedb79a0b65f5000d7c59

                          • C:\Users\Public\Desktop\Firefox.lnk

                            Filesize

                            1000B

                            MD5

                            059b0fcb8926d3575b1e75e4e9651ec8

                            SHA1

                            9f15e121c9940fecf10b83b42c2b68dd0b3f95f5

                            SHA256

                            02045f6f7a5e9ebe593e9a31cbd56c104a037857614be176c361bce229f7abc0

                            SHA512

                            22514bdda4b816ef633a4b7a9e1bda32e1098a66988a9ae2b08a75bba7d83ac760bda0af52f6c6b8ed439ae9f124f7d0f0113751a5c27f32200b1d95000c64f9

                          • C:\Users\Public\Desktop\Google Chrome.lnk

                            Filesize

                            2KB

                            MD5

                            17d1e9be8c3e0a93a91eec279f118465

                            SHA1

                            57856a34eddcff41d327a9e29cc35ee28d272e88

                            SHA256

                            6277e131e69c7fb06bd900d6163707b6e832fe3cb2952368b354d16fcb999033

                            SHA512

                            1461845bd7e6823e82c979ec42921fe297fe8a3e0a37643ef4655931b9ba03f92588ffe5bf9768a05833f64267d9e24c4ee191982f9c7c34e4f9ba1f135ad1f3

                          • C:\Users\Public\Desktop\VLC media player.lnk

                            Filesize

                            923B

                            MD5

                            db4639b8d64bc676737a319e004888f9

                            SHA1

                            ec227b223a8af743aef253c5b0d9ba7a06a66d6b

                            SHA256

                            7a230783076133d02e4bc487853f4f73711b654be36752164157ee8da5ea6d49

                            SHA512

                            3dbe30edd55253425d7e004dc8a16c818aba26f03a7d67d3154165f98c78c670cbc7bcaacb23697d4087fd5f78b9f823b6a53ddff68a3ab2cebd1b8fd441db50

                          • memory/1076-52-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

                            Filesize

                            9.9MB

                          • memory/1076-48-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

                            Filesize

                            9.9MB

                          • memory/1076-41-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

                            Filesize

                            9.9MB

                          • memory/1076-12-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

                            Filesize

                            9.9MB

                          • memory/1076-11-0x000001B8F1110000-0x000001B8F1186000-memory.dmp

                            Filesize

                            472KB

                          • memory/1076-10-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

                            Filesize

                            9.9MB

                          • memory/1076-9-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

                            Filesize

                            9.9MB

                          • memory/1076-6-0x000001B8D8B00000-0x000001B8D8B22000-memory.dmp

                            Filesize

                            136KB

                          • memory/3508-188-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

                            Filesize

                            9.9MB

                          • memory/3508-187-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

                            Filesize

                            9.9MB

                          • memory/3508-0-0x00007FFAEF893000-0x00007FFAEF894000-memory.dmp

                            Filesize

                            4KB

                          • memory/3508-1-0x0000000000D30000-0x0000000000D4C000-memory.dmp

                            Filesize

                            112KB