agenttesla | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Analysis

max time kernel
45s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

agenttesla redline rhadamanthys stealc vidar default logsdiller cloud (tg: @logsdillabot)rave discovery evasion execution infostealer keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

stealc

Botnet

rave

http://185.215.113.103

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

vidar

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.jeepcommerce.rs
Port:
21
Username:
[email protected]
Password:
QtU[bF0Zo#+M

Extracted

Family

rhadamanthys

https://94.131.99.108:8899/e2eb98731b48eb55a/b8fkfuft.w7s34

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

193.233.255.84:4284

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Vidar Stealer 21 IoCs

stealer

Processes:

resource	yara_rule
behavioral6/memory/8-249-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/8-254-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/8-252-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/2752-260-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/2752-264-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/2752-262-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/3460-295-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/3460-297-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/3460-299-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/3708-307-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/3708-311-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/3708-309-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/8-410-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/8-414-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/8-432-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/8-449-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/8-465-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/8-477-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/8-503-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/8-504-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral6/memory/8-514-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral6/memory/5192-1189-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral6/memory/5248-1204-0x00000000025C0000-0x0000000002606000-memory.dmp	family_redline
behavioral6/memory/5248-1205-0x00000000049B0000-0x00000000049F4000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

game.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ game.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3364 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	game.exe

pid	process
3364	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

game.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	game.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	game.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Text Document mod.exe231.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	231.tmp

Executes dropped EXE 15 IoCs

Processes:

66eb0d09c9f08_Gads.exe66eaf17e9bd9e_Softwarepaxck.exegame.exe66eaee5323f5d_setup3.exeWYI6FUQAFV1NX.exe231.exe231.tmp231.exe231.tmpvfagms15.exevsfdajg16.exelnfsda.exevkfsags12.exesmdsg.exevlsadg.exe

pid	process
1632	66eb0d09c9f08_Gads.exe
4144	66eaf17e9bd9e_Softwarepaxck.exe
2588	game.exe
1040	66eaee5323f5d_setup3.exe
2444	WYI6FUQAFV1NX.exe
3312	231.exe
1900	231.tmp
2472	231.exe
976	231.tmp
4444	vfagms15.exe
4868	vsfdajg16.exe
4544	lnfsda.exe
5028	vkfsags12.exe
2744	smdsg.exe
2032	vlsadg.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

game.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine game.exe
Loads dropped DLL 2 IoCs

Processes:

231.tmp231.tmp

pid process

1900 231.tmp
976 231.tmp
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

124 bitbucket.org
125 bitbucket.org
331 pastebin.com
332 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

245 ip-api.com
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

5292 powercfg.exe
5316 powercfg.exe
5308 powercfg.exe
5300 powercfg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine	game.exe

pid	process
1900	231.tmp
976	231.tmp

flow	ioc
124	bitbucket.org
125	bitbucket.org
331	pastebin.com
332	pastebin.com

flow	ioc
245	ip-api.com

pid	process
5292	powercfg.exe
5316	powercfg.exe
5308	powercfg.exe
5300	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\random.exe	autoit_exe

Enumerates processes with tasklist 1 TTPs 6 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

3484 tasklist.exe
3412 tasklist.exe
4296 tasklist.exe
2712 tasklist.exe
2412 tasklist.exe
5000 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

game.exe

pid process

2588 game.exe

pid	process
3484	tasklist.exe
3412	tasklist.exe
4296	tasklist.exe
2712	tasklist.exe
2412	tasklist.exe
5000	tasklist.exe

pid	process
2588	game.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

66eb0d09c9f08_Gads.exe66eaf17e9bd9e_Softwarepaxck.exevfagms15.exevsfdajg16.exelnfsda.exevkfsags12.exesmdsg.exe

description	pid	process	target process
PID 1632 set thread context of 4928	1632	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 4144 set thread context of 3492	4144	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 4444 set thread context of 8	4444	vfagms15.exe	RegAsm.exe
PID 4868 set thread context of 2752	4868	vsfdajg16.exe	RegAsm.exe
PID 4544 set thread context of 3796	4544	lnfsda.exe	AdminGIDAECGDAF.exe
PID 5028 set thread context of 3460	5028	vkfsags12.exe	RegAsm.exe
PID 2744 set thread context of 3004	2744	smdsg.exe	RegAsm.exe

Drops file in Program Files directory 1 IoCs

Processes:

BitLockerToGo.exe

description ioc process

File created C:\Program Files\Google\Chrome\Application\WYI6FUQAFV1NX.exe BitLockerToGo.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

5324 sc.exe
5280 sc.exe
6012 sc.exe
4020 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\WYI6FUQAFV1NX.exe	BitLockerToGo.exe

pid	process
5324	sc.exe
5280	sc.exe
6012	sc.exe
4020	sc.exe

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3104	1040	WerFault.exe	66eaee5323f5d_setup3.exe
5300	5576	WerFault.exe	kin.exe
1224	5248	WerFault.exe	66e805302f63c_otr.exe
6072	3952	WerFault.exe	RegAsm.exe
440	4972	WerFault.exe	setup2.exe
6276	1632	WerFault.exe	ScreenUpdateSync.exe
6448	5392	WerFault.exe	univ.exe
6500	5392	WerFault.exe	univ.exe
6584	5392	WerFault.exe	univ.exe
6632	5392	WerFault.exe	univ.exe
6688	5392	WerFault.exe	univ.exe
6736	5392	WerFault.exe	univ.exe
6796	5392	WerFault.exe	univ.exe
6848	5392	WerFault.exe	univ.exe
6900	5392	WerFault.exe	univ.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

66eb0d09c9f08_Gads.exe66eaf17e9bd9e_Softwarepaxck.exe66eaee5323f5d_setup3.exe231.tmp231.exevsfdajg16.exevkfsags12.exeRegAsm.exeRegAsm.exevlsadg.exeRegAsm.exeBitLockerToGo.exeBitLockerToGo.exe231.exeRegAsm.exegame.exeWYI6FUQAFV1NX.exe231.tmpvfagms15.exelnfsda.exesmdsg.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eb0d09c9f08_Gads.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eaf17e9bd9e_Softwarepaxck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eaee5323f5d_setup3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsfdajg16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vkfsags12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vlsadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WYI6FUQAFV1NX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vfagms15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lnfsda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smdsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

66eaee5323f5d_setup3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66eaee5323f5d_setup3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66eaee5323f5d_setup3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66eaee5323f5d_setup3.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2560 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

game.exe231.tmpRegAsm.exe

pid process

2588 game.exe
2588 game.exe
976 231.tmp
976 231.tmp
8 RegAsm.exe
8 RegAsm.exe

pid	process
2560	timeout.exe

pid	process
2588	game.exe
2588	game.exe
976	231.tmp
976	231.tmp
8	RegAsm.exe
8	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

New Text Document mod.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	4048	New Text Document mod.exe
Token: SeDebugPrivilege	2412	tasklist.exe
Token: SeDebugPrivilege	5000	tasklist.exe
Token: SeDebugPrivilege	3484	tasklist.exe
Token: SeDebugPrivilege	3412	tasklist.exe
Token: SeDebugPrivilege	4296	tasklist.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

231.tmp

pid process

976 231.tmp

pid	process
976	231.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exe66eb0d09c9f08_Gads.exe66eaf17e9bd9e_Softwarepaxck.exeBitLockerToGo.exe231.exe231.tmp231.exe231.tmpcmd.execmd.exe

description	pid	process	target process
PID 4048 wrote to memory of 1632	4048	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 4048 wrote to memory of 1632	4048	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 4048 wrote to memory of 1632	4048	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 4048 wrote to memory of 4144	4048	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 4048 wrote to memory of 4144	4048	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 4048 wrote to memory of 4144	4048	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 1632 wrote to memory of 4928	1632	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 1632 wrote to memory of 4928	1632	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 1632 wrote to memory of 4928	1632	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 1632 wrote to memory of 4928	1632	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 1632 wrote to memory of 4928	1632	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 1632 wrote to memory of 4928	1632	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 4048 wrote to memory of 2588	4048	New Text Document mod.exe	game.exe
PID 4048 wrote to memory of 2588	4048	New Text Document mod.exe	game.exe
PID 4048 wrote to memory of 2588	4048	New Text Document mod.exe	game.exe
PID 4048 wrote to memory of 1040	4048	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 4048 wrote to memory of 1040	4048	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 4048 wrote to memory of 1040	4048	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 1632 wrote to memory of 4928	1632	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 1632 wrote to memory of 4928	1632	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 1632 wrote to memory of 4928	1632	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 4144 wrote to memory of 3492	4144	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 4144 wrote to memory of 3492	4144	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 4144 wrote to memory of 3492	4144	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 4144 wrote to memory of 3492	4144	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 4144 wrote to memory of 3492	4144	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 4144 wrote to memory of 3492	4144	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 4144 wrote to memory of 3492	4144	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 4144 wrote to memory of 3492	4144	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 4144 wrote to memory of 3492	4144	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 3492 wrote to memory of 2444	3492	BitLockerToGo.exe	WYI6FUQAFV1NX.exe
PID 3492 wrote to memory of 2444	3492	BitLockerToGo.exe	WYI6FUQAFV1NX.exe
PID 3492 wrote to memory of 2444	3492	BitLockerToGo.exe	WYI6FUQAFV1NX.exe
PID 4048 wrote to memory of 3312	4048	New Text Document mod.exe	231.exe
PID 4048 wrote to memory of 3312	4048	New Text Document mod.exe	231.exe
PID 4048 wrote to memory of 3312	4048	New Text Document mod.exe	231.exe
PID 3312 wrote to memory of 1900	3312	231.exe	231.tmp
PID 3312 wrote to memory of 1900	3312	231.exe	231.tmp
PID 3312 wrote to memory of 1900	3312	231.exe	231.tmp
PID 1900 wrote to memory of 2472	1900	231.tmp	231.exe
PID 1900 wrote to memory of 2472	1900	231.tmp	231.exe
PID 1900 wrote to memory of 2472	1900	231.tmp	231.exe
PID 2472 wrote to memory of 976	2472	231.exe	231.tmp
PID 2472 wrote to memory of 976	2472	231.exe	231.tmp
PID 2472 wrote to memory of 976	2472	231.exe	231.tmp
PID 4048 wrote to memory of 4444	4048	New Text Document mod.exe	vfagms15.exe
PID 4048 wrote to memory of 4444	4048	New Text Document mod.exe	vfagms15.exe
PID 4048 wrote to memory of 4444	4048	New Text Document mod.exe	vfagms15.exe
PID 4048 wrote to memory of 4868	4048	New Text Document mod.exe	vsfdajg16.exe
PID 4048 wrote to memory of 4868	4048	New Text Document mod.exe	vsfdajg16.exe
PID 4048 wrote to memory of 4868	4048	New Text Document mod.exe	vsfdajg16.exe
PID 976 wrote to memory of 5048	976	231.tmp	cmd.exe
PID 976 wrote to memory of 5048	976	231.tmp	cmd.exe
PID 5048 wrote to memory of 2412	5048	cmd.exe	tasklist.exe
PID 5048 wrote to memory of 2412	5048	cmd.exe	tasklist.exe
PID 5048 wrote to memory of 3004	5048	cmd.exe	RegAsm.exe
PID 5048 wrote to memory of 3004	5048	cmd.exe	RegAsm.exe
PID 4048 wrote to memory of 4544	4048	New Text Document mod.exe	lnfsda.exe
PID 4048 wrote to memory of 4544	4048	New Text Document mod.exe	lnfsda.exe
PID 4048 wrote to memory of 4544	4048	New Text Document mod.exe	lnfsda.exe
PID 976 wrote to memory of 1296	976	231.tmp	cmd.exe
PID 976 wrote to memory of 1296	976	231.tmp	cmd.exe
PID 1296 wrote to memory of 5000	1296	cmd.exe	tasklist.exe
PID 1296 wrote to memory of 5000	1296	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4928
- C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Program Files\Google\Chrome\Application\WYI6FUQAFV1NX.exe
      "C:\Program Files\Google\Chrome\Application\WYI6FUQAFV1NX.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2444
- C:\Users\Admin\AppData\Local\Temp\a\game.exe
  "C:\Users\Admin\AppData\Local\Temp\a\game.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  PID:1040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 352
    3⤵
    - Program crash
    PID:3104
- C:\Users\Admin\AppData\Local\Temp\a\231.exe
  "C:\Users\Admin\AppData\Local\Temp\a\231.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Users\Admin\AppData\Local\Temp\is-94REJ.tmp\231.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-94REJ.tmp\231.tmp" /SL5="$801DC,10740751,812544,C:\Users\Admin\AppData\Local\Temp\a\231.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\a\231.exe
      "C:\Users\Admin\AppData\Local\Temp\a\231.exe" /VERYSILENT /NORESTART
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\is-JBJ49.tmp\231.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JBJ49.tmp\231.tmp" /SL5="$901DC,10740751,812544,C:\Users\Admin\AppData\Local\Temp\a\231.exe" /VERYSILENT /NORESTART
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        7⤵
        
        PID:3004
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
        
        C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        7⤵
        
        PID:1668
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        6⤵
        
        PID:2300
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
        
        C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        7⤵
        
        PID:3604
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        6⤵
        
        PID:4500
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
        
        C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        7⤵
        
        PID:3600
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        6⤵
        
        PID:1680
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        7⤵
        
        PID:1860
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        6⤵
        
        PID:1752
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:2712
        
        C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        7⤵
        
        PID:536
      - C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
        
        "C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"
        6⤵
        
        PID:1136
- C:\Users\Admin\AppData\Local\Temp\a\vfagms15.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vfagms15.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4444
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:8
  - - C:\ProgramData\CBAKEBGIID.exe
      "C:\ProgramData\CBAKEBGIID.exe"
      4⤵
      PID:4444
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4188
  - - C:\ProgramData\EHDHDHIECG.exe
      "C:\ProgramData\EHDHDHIECG.exe"
      4⤵
      PID:1660
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1060
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GIJDAFBKFIEC" & exit
      4⤵
      PID:4060
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:2560
- C:\Users\Admin\AppData\Local\Temp\a\vsfdajg16.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vsfdajg16.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- C:\Users\Admin\AppData\Local\Temp\a\lnfsda.exe
  "C:\Users\Admin\AppData\Local\Temp\a\lnfsda.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3796
- C:\Users\Admin\AppData\Local\Temp\a\vkfsags12.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vkfsags12.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4516
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3460
- C:\Users\Admin\AppData\Local\Temp\a\smdsg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\smdsg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGIDAECGDAF.exe"
      4⤵
      PID:2936
    - - C:\Users\AdminGIDAECGDAF.exe
        
        "C:\Users\AdminGIDAECGDAF.exe"
        5⤵
        
        PID:3796
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJDGCGDBGCA.exe"
      4⤵
      PID:4908
    - - C:\Users\AdminJDGCGDBGCA.exe
        
        "C:\Users\AdminJDGCGDBGCA.exe"
        5⤵
        
        PID:2712
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2300
- C:\Users\Admin\AppData\Local\Temp\a\vlsadg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vlsadg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3708
- C:\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe"
  2⤵
  PID:4224
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:5292
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:5300
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:5308
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:5316
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "RRTELIGS"
    3⤵
    - Launches sc.exe
    PID:5324
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "RRTELIGS" binpath= "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5280
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4020
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "RRTELIGS"
    3⤵
    - Launches sc.exe
    PID:6012
- C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe
  "C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe"
  2⤵
  PID:3996
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    PID:5904
- C:\Users\Admin\AppData\Local\Temp\a\random.exe
  "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
  2⤵
  PID:4616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3⤵
    PID:5028
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:5068
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7abe568-ce50-4051-87a7-55185a242f46} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" gpu
        5⤵
        
        PID:3104
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d20a0d40-2a1a-48d4-b0ea-645881111db6} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" socket
        5⤵
        
        PID:5100
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3172 -childID 1 -isForBrowser -prefsHandle 2728 -prefMapHandle 1652 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8b04bcf-72e6-4b98-9fcd-e2d1ec88fb63} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" tab
        5⤵
        
        PID:4856
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3584 -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97137336-fbf6-482d-a0a4-e8171ce7ad73} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" tab
        5⤵
        
        PID:1900
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4172 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4132 -prefMapHandle 4156 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {110bfbd4-2e63-49a6-84e6-5b3183f13345} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" utility
        5⤵
        
        PID:5164
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -childID 3 -isForBrowser -prefsHandle 5040 -prefMapHandle 5036 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af180845-f65b-4499-b73c-751674f933d1} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" tab
        5⤵
        
        PID:6128
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5192 -childID 4 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90297bec-b8d5-42d7-89cc-ee2b5137bec9} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" tab
        5⤵
        
        PID:1044
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 5 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f078a995-3fcf-427c-b281-a21061a9bbe8} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" tab
        5⤵
        
        PID:232
- C:\Users\Admin\AppData\Local\Temp\a\gefox.exe
  "C:\Users\Admin\AppData\Local\Temp\a\gefox.exe"
  2⤵
  PID:3312
- - C:\Users\Admin\AppData\Local\Temp\is-DMLA6.tmp\gefox.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-DMLA6.tmp\gefox.tmp" /SL5="$11026C,2784848,56832,C:\Users\Admin\AppData\Local\Temp\a\gefox.exe"
    3⤵
    PID:5000
  - - C:\Users\Admin\AppData\Local\Jekky Video Editor\jekkyvideoeditor32_64.exe
      "C:\Users\Admin\AppData\Local\Jekky Video Editor\jekkyvideoeditor32_64.exe" -i
      4⤵
      PID:4832
- C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe"
  2⤵
  PID:4836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5848
- C:\Users\Admin\AppData\Local\Temp\a\B.exe
  "C:\Users\Admin\AppData\Local\Temp\a\B.exe"
  2⤵
  PID:4668
- C:\Users\Admin\AppData\Local\Temp\a\ord.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ord.exe"
  2⤵
  PID:5340
- C:\Users\Admin\AppData\Local\Temp\a\kin.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kin.exe"
  2⤵
  PID:5576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 1800
    3⤵
    - Program crash
    PID:5300
- C:\Users\Admin\AppData\Local\Temp\a\rar.exe
  "C:\Users\Admin\AppData\Local\Temp\a\rar.exe"
  2⤵
  PID:5908
- C:\Users\Admin\AppData\Local\Temp\a\euro.exe
  "C:\Users\Admin\AppData\Local\Temp\a\euro.exe"
  2⤵
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe"
  2⤵
  PID:5220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5192
- C:\Users\Admin\AppData\Local\Temp\a\66e6ea133c92f_crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e6ea133c92f_crypted.exe"
  2⤵
  PID:4836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3656
- C:\Users\Admin\AppData\Local\Temp\a\66e57a08ef022_crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e57a08ef022_crypted.exe"
  2⤵
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe"
  2⤵
  PID:2116
- - C:\Windows\Temp\1.exe
    "C:\Windows\Temp\1.exe"
    3⤵
    PID:6016
- - C:\Windows\Temp\2.exe
    "C:\Windows\Temp\2.exe"
    3⤵
    PID:3160
- C:\Users\Admin\AppData\Local\Temp\a\66e805302f63c_otr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e805302f63c_otr.exe"
  2⤵
  PID:5248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 2044
    3⤵
    - Program crash
    PID:1224
- C:\Users\Admin\AppData\Local\Temp\a\66e8771a651d2_voewgngr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e8771a651d2_voewgngr.exe"
  2⤵
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\a\zabardast-movie2024.mp3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\zabardast-movie2024.mp3.exe"
  2⤵
  PID:832
- C:\Users\Admin\AppData\Local\Temp\a\vtrwh12.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vtrwh12.exe"
  2⤵
  PID:3164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 2184
      4⤵
      Program crash
      PID:6072
- C:\Users\Admin\AppData\Local\Temp\a\qm2014chs.exe
  "C:\Users\Admin\AppData\Local\Temp\a\qm2014chs.exe"
  2⤵
  PID:5300
- - C:\Users\Admin\AppData\Local\Temp\is-7KPT9.tmp\qm2014chs.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7KPT9.tmp\qm2014chs.tmp" /SL5="$602CE,23530974,254976,C:\Users\Admin\AppData\Local\Temp\a\qm2014chs.exe"
    3⤵
    PID:6052
- C:\Users\Admin\AppData\Local\Temp\a\Channel2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Channel2.exe"
  2⤵
  PID:5396
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    3⤵
    PID:3308
- C:\Users\Admin\AppData\Local\Temp\a\Office2024.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Office2024.exe"
  2⤵
  PID:4648
- C:\Users\Admin\AppData\Local\Temp\a\anon.exe
  "C:\Users\Admin\AppData\Local\Temp\a\anon.exe"
  2⤵
  PID:3368
- - C:\Users\Admin\AppData\Local\Temp\12584a06d7\Hkbsse.exe
    "C:\Users\Admin\AppData\Local\Temp\12584a06d7\Hkbsse.exe"
    3⤵
    PID:4552
- C:\Users\Admin\AppData\Local\Temp\a\univ.exe
  "C:\Users\Admin\AppData\Local\Temp\a\univ.exe"
  2⤵
  PID:5392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 452
    3⤵
    - Program crash
    PID:6448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 480
    3⤵
    - Program crash
    PID:6500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 756
    3⤵
    - Program crash
    PID:6584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 764
    3⤵
    - Program crash
    PID:6632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 828
    3⤵
    - Program crash
    PID:6688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 836
    3⤵
    - Program crash
    PID:6736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 884
    3⤵
    - Program crash
    PID:6796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 816
    3⤵
    - Program crash
    PID:6848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 1032
    3⤵
    - Program crash
    PID:6900
- C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe"
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 256
    3⤵
    - Program crash
    PID:6276
- C:\Users\Admin\AppData\Local\Temp\a\setup2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\setup2.exe"
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 352
    3⤵
    - Program crash
    PID:440
- C:\Users\Admin\AppData\Local\Temp\a\J2ste.exe
  "C:\Users\Admin\AppData\Local\Temp\a\J2ste.exe"
  2⤵
  PID:6068
- C:\Users\Admin\AppData\Local\Temp\a\Amadeus.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Amadeus.exe"
  2⤵
  PID:6164
- C:\Users\Admin\AppData\Local\Temp\a\clip.exe
  "C:\Users\Admin\AppData\Local\Temp\a\clip.exe"
  2⤵
  PID:6220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1040 -ip 1040
1⤵
PID:4516

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5576 -ip 5576
1⤵
PID:4564

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4864
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4668 -ip 4668
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3952 -ip 3952
1⤵
PID:4584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5872

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4972 -ip 4972
1⤵
PID:4064

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1632 -ip 1632
1⤵
PID:6248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5392 -ip 5392
1⤵
PID:6428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5392 -ip 5392
1⤵
PID:6480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5392 -ip 5392
1⤵
PID:6560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5392 -ip 5392
1⤵
PID:6612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5392 -ip 5392
1⤵
PID:6664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5392 -ip 5392
1⤵
PID:6716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5392 -ip 5392
1⤵
PID:6772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5392 -ip 5392
1⤵
PID:6828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5392 -ip 5392
1⤵
PID:6880

C:\Users\Admin\AppData\Local\Temp\12584a06d7\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\12584a06d7\Hkbsse.exe
1⤵
PID:6088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\WYI6FUQAFV1NX.exe

Filesize
226KB

MD5
a64beab5d4516beca4c40b25dc0c1cd8

SHA1
d7ab35d89d9b348ccadf6f6b91259776be9b064e

SHA256
36fb87f4e3048659d91fb4250d07582bbbeda35a7a5839ca61aa0d85dc1bd63c

SHA512
26818459084194b5675e521ead75a0c2d2f1ae0299e63e05af645113caa8ed6dcdcdb1b499d24712db084a2e0948bb4a0a5e9ea7e0adfe28a99911256e565328

Download Submit
C:\ProgramData\DSound High Level lib 9.18.45\DSound High Level lib 9.18.45.exe

Filesize
2.6MB

MD5
4976ad606dbe62c71d713e2ef8f58c50

SHA1
6b1902728c307ce1fa29ba708659249a3696c1f6

SHA256
9ba1afb660a7cca1858c81e037710f79403d1dcebc9b8b66624ec893b8b26d76

SHA512
0bb0edc1a8bcaac1e9473842fe27a4cd0d6f97c54cee6bf35d956800005ffca358f9c4a22094ab56cc66726f6fd3454df06115fee265de961781a848abd47880

Download Submit
C:\ProgramData\GCGDGHCBGDHJ\ECFHJK

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\GCGDGHCBGDHJ\IDGDAA

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\GCGDGHCBGDHJ\IDGDAA

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\GIJDAFBKFIEC\CBAKEB

Filesize
114KB

MD5
e228c51c082ab10d054c3ddc12f0d34c

SHA1
79b5574c9ce43d2195dcbfaf32015f473dfa4d2e

SHA256
02f65483e90802c728726ce1d16f2b405158f666c36e2c63090e27877ae4e309

SHA512
233ca5e06591e1646edfadb84a31bdfc12632fb73c47240a2109020accfbd1e337371bcc3340eae7a1f04140bbdeb0b416ce2de00fa85671671bb5f6c04aa822

Download Submit
C:\ProgramData\GIJDAFBKFIEC\EGCGHC

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\GIJDAFBKFIEC\JEGHJD

Filesize
11KB

MD5
fa92649cbf9b926c3866de9047261e23

SHA1
e6744ab9116cc90ddbf165c110c56986d029eb07

SHA256
10295e722ba463b68b931b58d4736347e1084aecb7c5775ce8cc9f0a74ed6d0d

SHA512
6cd301125a659ae32c54b71e269292c1d92190935d90eb45ec8ae47d3976afb1f644cc679b87edd632df8a743c2bbd08070d68197d7eb43a56c333d14a55340e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminGIDAECGDAF.exe

Filesize
355KB

MD5
731a25a9b1f2c31056f7bd75c71deac4

SHA1
ac95005a75add78f8226e553ff3bb32bcfeef1ea

SHA256
d0285d1ff85d7ef17ce9e3c0b185bd93624d6fde47a2cf0ec99a8cfd4a7afb0d

SHA512
efccfa84482c3a262c2efe9d5107a22a94efae352a46d01c0c677266835bb1d4b04a105ff7b94c5042640d40672576512ca06201260a5ee82257c7f524304fa4

Download Submit
C:\Users\AdminJDGCGDBGCA.exe

Filesize
293KB

MD5
6d1999f1096cee3f06507e0d896d7c4a

SHA1
947cde63e799d23622468caecd0172a4ce8e8c17

SHA256
6f8b44c727d44c82461e3e33098a1d93517bd200c4489120914f34e22715309c

SHA512
eb46aa64facd4456eaad1b24ee158b9e7bd5426580caf1ca4d5cd24fe08127612b8fcb2e1cedd054daff85e315d3942fb75bc5959c89baadf832d70a8a0982b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
2KB

MD5
912f27bcbbbdd339d73baf2ecec184e7

SHA1
de4c42adf7c06de811958807014887a4c0d41c95

SHA256
ac4301cf80e1320cc836f85d90d28221a50ec57e6129b195acf0cb00df5d18b2

SHA512
3315247d610e70893844af18d903d1010e0d9df7dc3dcaee2b83e4d52fd52910e2623cdcb5e33bc8e8253129914091e20a7a35d51b500fdf4eba2c48da83fcd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
9541342916b0c5b0ee2f6062398b867f

SHA1
46fc51b5aa29f366ef96946c16cbe9b7f67c9392

SHA256
e6548a38d5a516be84c393b45ce4a1577e4bbd6bb40aad980237037fe0e5a740

SHA512
d763f9f0676bb94f8211aae463896cf1c545531c1c43ee9d60272427c3a7ea56dc332e8e4a08c570a87bc26908de326ef0f196da8ad79051f6cad2dfcd0579aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
8515f6b60a6e8becf75da139b0767c36

SHA1
a926e7923af47636662c56e51ec8e0485d0e7b61

SHA256
42f8b46499f0f8fd94833336b4bdc1e908cb2b6b719d72229764bef52b80a6d6

SHA512
67450b06ebcc344b6eee9e5913a741161b1cf081cdb0d4ea5a6224735b2d490c46f1cb4783299265ec13212672af49de8b271b284951c9c229c700468ed322d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0DE068383AE2420BC8A7F145640D9D9

Filesize
504B

MD5
a85a9786bc7148d3f6459010e2b06bc4

SHA1
be2bedb5f29aeff215b9f94127ced3bd86a5debd

SHA256
b6a65f0474d64d62801ee284c91e656eba15773d9a5cd12587a3564c9ed6439f

SHA512
6be7443e85eae2109074b9c548af6a3f1786d1c1d07a44f3eeb622253aeeccf2e75fad145a37b57d2406137c3b1e93503fdb7a07d992d568d35027d45a27a304

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
cf69c14804e813c7a76e706b48994726

SHA1
e80836a824064e5f1f3c3891708ccbf84489ed7d

SHA256
6592b6ae3de38c81ce76589ff4ce96be39f3e71b5daa15edfb0f2197583a80e5

SHA512
ddd21c7740d95a1e1fdb8d7976ffa033a6091eaa79a9d6c47f0ea24cc1c9e20320e588116306df349e24a1f722cea35901dbd8ccf0b972b87915871105c2d475

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
458B

MD5
fb494bc6ab35b0502e9090e9ccb0e48c

SHA1
71d5aeefbbdf9f684ee35c9aeda10be9f1fe00b9

SHA256
bb57cc36ca68acdcd9a44b68db38d9e1b02fadee363d7ab7895e3e2cd8bae2db

SHA512
ccaf2b87e08a769d1d3d9cb4a7314fc1a83c1a768d987ae3b3b3596fcc68b21d8476b51e7e49127dc9e97d14faa33961480bdccec8f2bd4b9313801636202f06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
9d37e4e77b6aea62ef8d48d45aef809e

SHA1
e0e11d01ec921b7cff33181d57c1696d3345ac88

SHA256
44825a1d1dbe8ba0dc324b92c26fe14a16298071d5a2853d9c5395b1158f4f63

SHA512
cf36be0d7f1434f6e8c37f06a9f098034b1d0a38f873f80e14c4bca4bf686aa01a852531c243986b08f390a126e47316ad1622887f5896562871e1f7142eb885

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
18ed4db43514bbc04bda0ec64b60736a

SHA1
89f78b0b6054c94825bb0298880dab21ef2ed114

SHA256
c167b0ef0131db80e7711a5f6762916e578166dd36cca3eca2179985f38c4ab4

SHA512
29fddaf32d342e2b3564bbecd936fc57453cfa7b5ae02541daa5c11dbf27866a15c3bf2c6ab30a6d986468041137719d7a0dacdd14dfbb335a39c0ba7a58dcb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0DE068383AE2420BC8A7F145640D9D9

Filesize
550B

MD5
d60d59618dddff11ca365df077603605

SHA1
4d823d949164b04d6f228a0415886ae223407496

SHA256
ea283123393e29b817d134c4296056187a139302a1a3a19b156af39a644ff583

SHA512
6b3eb8337016c279422e67c555f0b5862c042ed8a0717afca9d0a2092398882e26aa297a7f54b6d68606b510b7c14cd26ef3a98b945a6b2618e472754fe18f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\smdsg.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KDOTUZKP\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
528d1b9c53377c889795652e74ffc115

SHA1
4b04646a0049ce439e490c4c318ffb4fa22b4937

SHA256
81226f30a7c2638c35af7cda62278f2a025e593b21ca0a88884e1255782c3a1e

SHA512
64b66678c612b544e35f0e9d87390c5ece73237b90546cfa56b4d31bf84e988f998be44a35a5f8324e6861a7d861c7b9af8a53049b4da28ae2cc03f84063ced6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244

Filesize
480KB

MD5
80bc4e0ddd9cf029406050baeffd37b7

SHA1
7edfc4e29d95454a5ebb2af01270a100bdfe8bc5

SHA256
5e0d6f4e15ed3ed171770552c275ab67bb8295325a3df4f0c736254d3a8e0254

SHA512
0a3b6cbf9ec0543d11f6e8dccbe0cc586f17b113cb138843d7e8e2e549c84987316bbf8901b79eb383d8750da8daafacdb04fc7e01edfeb30585d526125f6990

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MP05IF81\microsoft.windows[1].xml

Filesize
96B

MD5
188f8f76ad695de69c313c1113722ec5

SHA1
acf66cf340e75c0997ab844f745ed139e05b5c1c

SHA256
d926dfadf64142c9d6e871f8e3d4709e78b5e82e237fcde0680740eed9c82b5b

SHA512
00eb7bda00afe8efe5b3f29460e2d92d173911f7deabb097d9995fb9af556371c4cecb473d328c8f9c7c85978fd560b1b9cec723805c44bd167ff59c3cf5bbf3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133711941527340768.txt

Filesize
75KB

MD5
2336f1e6e1993a9ee74a09bc980bec41

SHA1
99c0cabb8aac0ff6fbde6ebb58dc3578b7aa815c

SHA256
1b8a2c0ef7d55726b52ca89bf00f1d2de7b96aeb6ca515bcfcfd7e30736c4464

SHA512
84a3ab469eb24935fdd23530f17a06187a0c2ea47eb07cb7f12d125d6cf1a0c8e309edc68c924d3cb505d283492a3a8524b1ec780079390150a9e345aca96222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp1543.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\231.exe

Filesize
11.2MB

MD5
4fa734db8e9f7ce5ecd217b34ecc6969

SHA1
fbfc15ded2ebd130c92d812c26dc052561f7ff83

SHA256
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b

SHA512
76ffd5839721ba668762c4458fd8da8fa8edc656c232e5957c253acc67c599846b89bc9acda1ec8dc5b07d229e143d3deca415c528ba4c04bf9264670f74f48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe

Filesize
887KB

MD5
b2a7b79dd7a9fe2786679a0ee2cddfa1

SHA1
bc86afc382707167791784d5e47089c721e441b3

SHA256
bb6b7a806b6fbc27e47c95d876f018a0e1823d696f76e58a3d6b5f745d72b070

SHA512
a4097ecdc0712ff8b5480e486982516de0a10d9d8c738ae2c7193ea81beacb8ecdc3a33c18416181e226ba9a3548d783d2d4eba2da7dc657c881c6b36e31e0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e57a08ef022_crypted.exe

Filesize
314KB

MD5
8240da70945e9b8a7844f1f4e2f1c770

SHA1
37c0f67a71107a5821e1e3f98563e8c331f3618d

SHA256
50c33eaa07d5b99a35a9860123e2fd84551a0907170a199ead8f5e1e2b0097c6

SHA512
e8b6f7baa8ce2d0d2cd18ab59f15be033d8785a5b9c89e9b2cbd6abdfd169856ca11860e2f9cdf8c910f332aa26f39c8b093a0c67671fc05016ae3eb56f5c039

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e6ea133c92f_crypted.exe

Filesize
343KB

MD5
ba0dc71d562da0d40e7f409502daa9e0

SHA1
80618645fc93f72086cf1eaf3c1580fb764c5b27

SHA256
d5dd7234246219e84199d9cf575586760737bed43a6994c2abed41fcee4e1403

SHA512
b0750b985bc39ee54ae5d39860fe69463556eaabae725b2ec11bceda7bdb4b21148cb247c290366d50d4a00f94776bee931c2273ece05f1ae97fbe531b5ad5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e805302f63c_otr.exe

Filesize
395KB

MD5
d3d2aafaf86262baa7528e397f1ce761

SHA1
f30e50655abeb2509fa313fdef291afddc9d8218

SHA256
36befc5f19af22b3b731c573b8244d7e70a594730789351b3470dcfcaf9a7e71

SHA512
078f87337739dd1247f0fc65bad9ddf9cc9e60ff0424cb482a14c80e90dc43e21d9f98535acb6785f0e73d894002c53df2f09e6b45ff8b879d174fa5c43faef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e8771a651d2_voewgngr.exe

Filesize
283KB

MD5
ac7314c596e766b8f4f368579e2e0f8f

SHA1
0e4941e5e4299d04b9408194542c7362bcabcd2f

SHA256
be442a04bc031b4dc72835efeeeb025e9a103c8012382173965fba30bd3a96b9

SHA512
4258b6d15cd1c87d1787507f9132e5cf2caebfbf46dd055950dec8bb55faa094571d5b88cc58078adbab49f72fd3439f14ccae04de3d4bde672a540699a49428

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e9359d801ce_sbgfds.exe

Filesize
206KB

MD5
de6101b925ca754f1ea8c8ab216a38f6

SHA1
9b94e543b94c8bdcf1925dcea2b181a7300d58bc

SHA256
6d70e80c80af977af8b15cb47304b4cbd78759faa406906ed3a9e0a6dac74773

SHA512
4dab34e66be8ad89650a43ec1707a56b6a701a1319008e3bd2b809d14e0cffef465f6d41f691b47ef40dac90cc92904a02c2e97dec59d09d53bd9b63e8dc560f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe

Filesize
323KB

MD5
a0c6989730b44ee30722feccd86d946b

SHA1
4ef62e701352c7dfdf0807460dc4bb3c22be67f0

SHA256
5669998000fdc457a919dea600b100809d0bb5681cbca6a67b544307233b5915

SHA512
e5c622f22ad40cddae798853d40af4695a37bd75624193c0181504a3ac2a28c146339bf06ae0110a995c90bdfcaab9a3072e18a7f610cbed24d5b1d028fc5eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe

Filesize
352KB

MD5
8e3fb69a56d807d7ef1c432ea1590496

SHA1
78843735c41af9906484df7c3e3a1d1cd4a0b83d

SHA256
cb2e830d6df32fd5168d39a10d138a1f724651b7dcc561b2b87b59cc96ebb20a

SHA512
12ee5797845e86768d5a99e45fb7cd93b328f4839031a91ea735f41f0eec373a2fb593bce7bb13201e982ee75bd0bc22ed7c2b6caa954facfa238c2a5bae521b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe

Filesize
11.0MB

MD5
d60d266e8fbdbd7794653ecf2aba26ed

SHA1
469ed7d853d590e90f05bdf77af114b84c88de2c

SHA256
d4df1aba83289161d578336e1b7b6daf7269bb73acc92bd9dfa2c262ebc6c4d2

SHA512
80df5d568e34dfc086f546e8d076749e58a7230ed1aa33f3a5c9d966809becadc9922317095032d6e6a7ecdfbfbce02a72cc82513ab0d132c5ffa6c07682bd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe

Filesize
227KB

MD5
a7d7d48f4a9bb7718ec17d11fba9cad8

SHA1
748fec11d5becea085af46e8197f42ac9a1e011b

SHA256
de74bd2a1d74bfb4f73d97a1e652c2a5bd778ae108df31ede4dd96950485118c

SHA512
98dda258e460098e79b9aaee795dbd0122f4541f9864fcf71d039ada426dff0fb8540725d779412eea52a6e66d45875665f11961fc7d7d3a2d2be061671e2e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe

Filesize
10.8MB

MD5
e4795aedf3d67af6b0cc029d010f7183

SHA1
d29438881071842571f96e658ede500cfba2deb5

SHA256
8f96d1f67c72bf89b1b57433e52a1b193efbc243ee14fb716c7c9b0aa68a3a9f

SHA512
2e6beaf7814e95ea1b425b3783233ae00e4fad44cb360f8e4c129ff97b0bf4d17cebe2dc757988e876463a0962dc8ad636cccdedefaf5325c58b7fb1f139130e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe

Filesize
10.7MB

MD5
5fb5e099087ca0db68f8d58ae7555949

SHA1
caafb9713225e958041183455c1113d2018b9879

SHA256
f37c412bd47fc18d4c153664b116ea18c7d251eb8cdd0af8f130010958a93353

SHA512
307af716a5fd9ce4c01fcc72618595867c167c8de26c4727fd4595e444fa15af9ae8ddcaf35809effc3148552fb166c57a0dd35e38e2082cb29559b6d90b1116

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Amadeus.exe

Filesize
5.3MB

MD5
36a627b26fae167e6009b4950ff15805

SHA1
f3cb255ab3a524ee05c8bab7b4c01c202906b801

SHA256
a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a

SHA512
2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\B.exe

Filesize
239KB

MD5
7778bbeacc8add7df3996267fc83ece5

SHA1
0aab0f274c4e262a49109f4cd3c53580678b2fc1

SHA256
5711154a5a3b1fddef167b688eb44716d120b1b6a21d67449bf49d77ce33059e

SHA512
14eccff71e0671cb05a96bdb1fe2a0f3f7724923661955b0e4153afc1682b721b3c623afab3816e812fe13d19cceab93651be55aa5a2f961f695f097607dfbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Channel2.exe

Filesize
2.2MB

MD5
ec3afdbd761916a682e9372834365939

SHA1
35e3b8bc572d9ceadb2d519c4013fcf3632da802

SHA256
6e4422d8d101bf53165220c1fce47839b23a41057420d070fb909979415553f8

SHA512
1d5debda8b3a48c66845692fffb5fbcc9224e48fca6dc549661b1d583d88706660894fc380fc731c00c82c0bc276ee9f68cf00fab6613f510fbc3e837012f3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\DataSyncTest.exe

Filesize
273KB

MD5
40e39bc133b1d86109d7e8c31370ee3c

SHA1
4aef60c43d3132bd28a1509b0d60a73c783896a0

SHA256
6b0160d53e1adce070b7a7adececb664b5052ab782b18f5b238b6820691b58b9

SHA512
b8f2001742a70cf746b49e2b78ad87d1b8e3f3fdd69b52cec1027aab47eb8396114905006980ade216ea4ce5b3aa238db07634cb22707e8121e4bf2b8644ae1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\J2ste.exe

Filesize
23.1MB

MD5
8094be340c539b9ac0d2af7ea4c3120c

SHA1
8d7e93d2ea05a156eefde875bcfaaceaae09b0e6

SHA256
71b814a0a6c6d9cd59504a14918e29f59d2b77d981dca01d22a97f098c89c782

SHA512
395029ace96b8c0c2d926ac5c2295b625ba93e91d27fd92b6605660c3c555c618df79db01c61ff28e29c05532554b6aac9361e103134cea794e9443439cd460d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Office2024.exe

Filesize
2.7MB

MD5
df92abd264b50c9f069246a6e65453f0

SHA1
f5025a44910ceddf26fb3fffb5da28ea93ee1a20

SHA256
bc7d010eb971dbc9cbeedc543f93bb1b6924d57597e213dbe10c2c1efd8d0296

SHA512
a3f48831efa65cea6a2cf313f698b59d84119023196e11b1266d937a5b4c05aa4aab67c6d40450bef5c9245b46316980906fa73196d892f2880abc2b1b863455

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe

Filesize
273KB

MD5
c96e1cc3ee850f8af2d4e9426a607727

SHA1
47b16086637f1e08af27b86039162058f74c10fd

SHA256
0cddd86b45cb5c65cd5abc0a6ca7eea0f8e0d1c6831c135f4f96772c31330d2b

SHA512
8e7f09a5e5cf9033e0cd23ac9e2b8cef92266286920ed2ef4007cc71914c2130ce0d7fbbb2072e22fcf40b61a282d34f725dcb8a571c7a21cd7bb420f20e3e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\anon.exe

Filesize
416KB

MD5
897d350557c45f49b9fd780735b218e2

SHA1
a8cfecfe05ed2d3765bf57178338f8a4e93ad6fb

SHA256
ea4964f3eccefd735166a547f6fed7a123a292fab52f9a810936ccaabce8eaa9

SHA512
b1b322f6b2044ec7a31508190eee60fc9502ad2d6ec302e4cd81f4cc05028f013ecedfabb3dda6037b85e94aebad85df394c00a35b679304328fd5ba4b96bae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\clip.exe

Filesize
507KB

MD5
6ca0b0717cfa0684963ff129abb8dce9

SHA1
69fb325f5fb1fe019756d68cb1555a50294dd04a

SHA256
2500aa539a7a5ae690d830fae6a2b89e26ba536f8751ba554e9f4967d48e6cfa

SHA512
48f9435cf0a17aed8ff4103fa4d52e9c56f6625331a8b9627b891a5ccada14f14c2641aac6a5c09570f26452e5416ac28b31fe760a3f8ba2f5fe9222d3c336ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\euro.exe

Filesize
239KB

MD5
e89f78e780b64eeb920d5dfebd033ffa

SHA1
b964dc9e8f5350d3a917b6a26b58853099859d8b

SHA256
d48ee1f6f04504d641c8769aeef83185c8de8745458a3fbc362cd53c20ef10d9

SHA512
ee38ff8ed0c955616bd7ef3ab4112765407490a2bf93523a66ba8924b8674febe73d90c95406acd0fc793904f8cb641f300f8c0a4ee48345f094ce02a91e4fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\game.exe

Filesize
2.7MB

MD5
4ce02a77839364d0c6622c43095b2fd2

SHA1
08f5c9628408f6c3fca6f80f112db755d7c0ff62

SHA256
55dae00b91675ae4aeede8d34151a18a10b6b3d37c94d31782800f30eceab373

SHA512
17b4d01c38ecee620d338c049b3efcaa1cab17cc47a98f4bfedd656a81865f918014393650d8ddd66566d5bab27b06bd0c02dff3c0860377fc112dc374311fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\gefox.exe

Filesize
2.9MB

MD5
75e79e5b6134267e8eaa0af2b2be6952

SHA1
554c9d9d31b6f11e96ac957c7ad6d285a120c8a4

SHA256
0ecc78c8637b4b28d7158a31ee3ca75f07dea64d7bb8c2330ce38189340a4c9e

SHA512
5d1ad17950921fea0a3b08a61df8596200e55db384eabbdd3f2b618cdc472d8529a9933af6461877a0ad021dd4b4ecc73de589b95c2f15d92473cdf16d7ab4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\kin.exe

Filesize
239KB

MD5
2eac5118a040a13e0207693aabfe88fe

SHA1
5596609073d18903506351dcbe44cb973b0394d2

SHA256
e13e7d8d8aad930b652ff5528e22fe505495688f7ffb27eeb1a1f80d0f5c5fd3

SHA512
a512961cce7a6af063b05530807bbb39b92da88920a6fd19effe6ab7552834b579d7eef2bcdd8828587f8ee261403d397b1e0fae2160df61c0e0da5a0657e061

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lnfsda.exe

Filesize
352KB

MD5
6f4a0ae013610785ad54438f4af26f1a

SHA1
c8ff55002963dde8457db2b11f68e67a070ddb21

SHA256
ccb16a2e8b58be824d838d5607ecd4b07123de87f9fe9e42e64507d77b0f374d

SHA512
6f3a30e8ee4ff36cfaac09bfe1272ed4678783c4628dd82e47dd1ef23d4a8ef1c153a9a4e8951cb38b4c7a833f2bc744dbcc7dac1e550b2f44ffadc8181d8ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe

Filesize
8.3MB

MD5
6c2db0ef90b27f880a1566de7711e6c6

SHA1
e9e14a284fae52c5c91200f81af4f94b53526816

SHA256
c2588125970db20ac97818d2170eecec857f578d7bf3f24ef8f6a3f303798ac6

SHA512
1a9a1220958cc5b9d32dc70074df174eae7040c53bbf1fa4c97753a9f8c2a9a8c20668fc957d743fb038a97ca0017e333181856a783e10cfae0f557d2aab73a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ord.exe

Filesize
281KB

MD5
c9de515a559b9423bf8bcc7e4449afb5

SHA1
d80ad372d1a4d2693239f570c3f71d4f6e172a53

SHA256
f8281ab4854afae09b60e2a66953587e0c5459d079bb1b307ef29a28e5f1be0c

SHA512
e1290e736ac2c0d0e23a2b197df98e324dac73c0f4b702b3b3fea19f57c1a7a6e71d8deaf4e0e3287c050758b93136bd874f05bb73f8c64eacffa90c633f1604

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\qm2014chs.exe

Filesize
23.0MB

MD5
6c09010377f246069c564a6829667e4e

SHA1
736a946db8bb44dcb253bcf091fd6421758c5d38

SHA256
91befc7b3e6f1a09ac4e0dc94f6701fbb0122727ceeb0ddc604e7a5a873acffa

SHA512
26022e11194dc5ad310d9566832fb5da041d88ccd63601707d8392a4019fe9fc3e5ca744bee746cdcf300b1afa3e7311bcf0f40fbd103939b778de44efbc3b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
898KB

MD5
42f4943fe59d8eafe5ffd7c99bb0a1e4

SHA1
353113d2518ce00390917a73078e81aa52f644fd

SHA256
56f80df241846ea5b1ef32dfb08f156978f6d5ac80e5982f5d7265585bb9fc83

SHA512
02c8e8e54d56fe6d0b4ac697831235d046db31b55e9ebcf8564bbb233a4fc5e21859b8c4240763d6de54c92e58a707f4d35d81205cfb1084d0ca54d2a2c28e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rar.exe

Filesize
355KB

MD5
8da6d3f4326ca248d0a99d21d2d8b135

SHA1
45872803f6ccfb405b4383d079c79eff87a3c9c0

SHA256
95897f8814e4c651671799af51c40fbe0a2334827683c82640627e270c57d9d7

SHA512
f1a3f3c3dd87694bd0792e3325887fba197f73f3eaf51bd94ddfc86582eba8539177797fca4d7a7701e2baa541f98043e37925fed08c6de70401d6cad9d69eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\setup2.exe

Filesize
350KB

MD5
d78d85135f584e455f692923d9feb804

SHA1
7bf6d4d00326ecfa3e48644896d3407ab473a9d5

SHA256
41582c8b6bd111a2f141dee52b619d13278ef68754691263abeb3238d485f404

SHA512
1fb4e040511f3bbf8c04459942d1a5915b5f8fe78dd169b932e04dc7ccdb227aee42327a8071136b27a368f2fe8b8b5de3c9187d4b3cc5354cbba0a1d89d26bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smdsg.exe

Filesize
216KB

MD5
272b330726dec4add609e0d8025d71b7

SHA1
75543ac27b430ef6fec461056ceb6a55a35c7369

SHA256
e48219567f84882f41bb1e957bbd1358e453274ca0d2025505c66779f642bc30

SHA512
6e2731c61ce8ce018deb9e20f772bbe8b6b57df77ac5054fd67b18199ae2de1399add3b29b7a18bdc994f5ab1f8678f3454e593685e1626d4ef525df59532558

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\univ.exe

Filesize
325KB

MD5
85737d1c7426259423c84f96719e82ea

SHA1
0cc96b89ffc0150d6f28143cac0a1070e7d86e40

SHA256
5aba703ae3636bbd23110d80621643e39f4b924a664f85bd6542f9f10c6b983b

SHA512
5dbeaceb38a1991b539e5c11e31b4fdea806d845466052a0ca2c9de46b2d98af64c80d1fd237218f58770f1b334c09e02dd4a6dc7f4043767911a212d359abcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vfagms15.exe

Filesize
292KB

MD5
89599341387624a951de84b66f9ec572

SHA1
e44a6665fecc1b38903a01c72901ee88e618f077

SHA256
5c4992108c7c312408fb94508890b2615fbe7fecb09cac3b7a2cf38581e28be5

SHA512
9e7f25b5e6704dc91bbbc9ba1e1528b2c34d81ead50ad3cdf6b3b4911a044e5b9d733d0882316cc97735971ff3aadf9b5117af355a6ca48a6ac96610668465cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vkfsags12.exe

Filesize
292KB

MD5
fede424830238cf2c2e661b5cb12e584

SHA1
5a8f787c25eccd1e5a8d293625ef80c5d416da19

SHA256
72d4e5a68545de1c0268a4616db6807e90a027e0191dda20377ecbd61ae577f0

SHA512
713891e18a615e7013f555d05b08eb91e7520b94e1bba0fa0483c29f6f3af5ef8f2055b2e35e8e83b75cd41256b5fd86405318b87440da463b82daedfd8ac39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vlsadg.exe

Filesize
292KB

MD5
a714209db1b2b68a95e680df111922ed

SHA1
5533ed29bf3239839e6acf03965cf27ddf4f4138

SHA256
7ad095de4171dfb3458752e1f4406b726ea94327e529fd83e2189b8c04ffee86

SHA512
25ce432979995987a26e9442c2c9ac026d55ff9f4820d983ab30496d28a75dec508c4083b11a2433f5bc3c2f903828ed2849aa5542fc7de84394b44a29fbcf55

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vsfdajg16.exe

Filesize
292KB

MD5
d0263e1e29b4f202bffd383f136395c4

SHA1
24a701fe63e5b6d31c103db118ca21a75ed4496b

SHA256
a6fc0eacb5308bb4e616a6f5caabc12104256d13049ee0744cf53ca7debe6efd

SHA512
2d8af02d8bf2b8eb09c15a87e2c2cbcd7d34c619180e6dca29be3fd43108a0e993ab7aad418a2ecb2bb2e0792f382bb8b79dc85537f5bb7da1fdd7673e41339f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vtrwh12.exe

Filesize
283KB

MD5
d264213f54193475ffd0301f7d92639f

SHA1
8e494a7d4b3d54e03a3b27c8dfde51295bb56737

SHA256
6b11a91599104b307955a4cde5942d89ed2aa29e833fa229e21368a73139186d

SHA512
1a699be3bb71083c35d5c0bbbcb862fdacb71f67fc8c4e34cfa68c52e7ed1b4360c1975ba290d14d95dee8233558e6dfc1b10e628d5da97a2faffced2bb14f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1UM82.tmp\CMachineCodeDll.dll

Filesize
1.7MB

MD5
6be2867f65c64ce98c5b3d834e12891f

SHA1
ec5274fbef877ca6eb4f924c2036bbfb67b61c7e

SHA256
12a4788b49ab22f8c6e79b61b944ffc242a0f4e257577f3ba1c84c88896cdcc5

SHA512
d41bc38d45951a27f207c40783769754f3f85c288a5b5afd3c8e02009364754eba5edc70f9d03b82e1b0696bd9e64d513d21675a4a2de8adf6d28e8f5d9bd8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1UM82.tmp\Close.png

Filesize
1KB

MD5
3b4d7903c5cae5573c8151045b4648cb

SHA1
d30f6679c151b9fd9c406572612d5761f087ed5c

SHA256
56488c6e80114fcacabb65919ca8309b19096d78e52542f865698b5abdc671f8

SHA512
b7a03405b415e650ebc5db6bd3148a226119d9f13bf3d1441a0f796364fd8c7936fafd3ed780d9a71b92f1fc903661aad83a143ff8c2b1c5a4a0f9703325d1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1UM82.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-94REJ.tmp\231.tmp

Filesize
3.1MB

MD5
81636f80b1e7c0b8f946c8ff0081436a

SHA1
9e7b01f8324e089b925cb9050ce74cd099c58370

SHA256
ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35

SHA512
67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IS295.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx

Filesize
940KB

MD5
0bc6d1c595e440233c6daa45813657a0

SHA1
3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3

SHA256
1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac

SHA512
0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f

Download Submit
C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x

Filesize
62KB

MD5
647d824a19511783d1a011f8b775c1d4

SHA1
46b0213afa55d27a688e9729ac120d4574318cb5

SHA256
8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b

SHA512
ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

Filesize
8KB

MD5
841605648ef8f0d9779ee1fc34fb0100

SHA1
971f4e3ee55685a35928e0d7ad63404601e561ce

SHA256
44f646b85a2c3fc32159e3c19d3b9e42e7260b76f4e69a33e3e71ffbe8eda3c7

SHA512
6330c7a52147a3c34678c22f0027552ea84591c4de542a92f043a2d4768d5f554bf9f1187c291712f580328939c57e84166d136967aae6b11252a3fb2a913296

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

Filesize
16KB

MD5
f7e46f73b6bc48232bcf353b58ddddaf

SHA1
abb6e86ca53bf7c05c4a31569dcec60cc8c660f5

SHA256
dfcde59a656813ebd3e3daa8b790262d375c53f83856fa5f0c254a3a72f801ef

SHA512
ce8ac3a354dbc51577ee4790547531b9419586cc0e60eff5378bfa070cbe7c9b0b6eb63a8238c72e148073a890b2ae45b4f98701f84ffe72fbbb246c98fb1f9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

Filesize
6KB

MD5
e7f4528425d198f875e00c233f8d9512

SHA1
a50fb204ac9162dfc1701c4c1a06b9b803338573

SHA256
1f7eb891b917bc9c2791e87e6d2fbb246c046e82fb60cb5ec1bc8c3b8b4ab0f1

SHA512
e1f2e2ba3c665f675b95dfcc2ff3994974fc54d02751b227800449148421fa72651a0287a325674da559af3796bc087789adbaf1c5d0c3dec28eb1b2538d1a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
15e5cb7e2c96d1982a2db633fde563b5

SHA1
87e699385013e6bf9e7d225a899f0ba56513fe61

SHA256
cb7aa48702200887ee40111384b3ab7d797a7902f520c81ff7e0fdad225e7370

SHA512
11d46603741f605eeecff3ce46f51e9d8a5a9337521d6f577687040208927b8107cf5038de6e4f1a1f2324dbdd0bde1204858e05454d12bcc3e4fe57127b2bc0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
30KB

MD5
688704175dd363f47acb1fe11a2141cf

SHA1
d74e63577a5012b16a02ff257cfbc82f19914132

SHA256
33d98aff1f53d170f57cf7f0022e7dc37d7548e61d87fec3707cabc4f482c096

SHA512
9c2bd7f580c1ba0e377216c8b7b2f9543253f40ecdee8364560f88ff04ed19f415dc6b93708d0c5c27e7411dacd43c891f132085a8eb6d9074088c514f21fd97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
dcc106a83869eb6ae5651faa9b41adcf

SHA1
e0dc5565dc47baae49fa92057da7ab9f48472d1b

SHA256
e7607825c10e8f1a5b4f407a59567b49db0059b52185b6d9864fa9f67c91a235

SHA512
3a0943f75711ce2c1aac05e652c4762c9882f139cec46386af0bc5933d058778d09e2ccf5500c273daf798bc7aebf9309b4dd86dc6b9b20787f5b6d3b136da4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\6bc34806-99e1-4301-b4d1-eb636860b745

Filesize
27KB

MD5
5e4b4fd3d59d2118ae2601ae453632f6

SHA1
33694c10dfef52762200d4a6c43e4c59ca9e9f76

SHA256
e4baa91a4a97a2310fa6d27526a051da67826dde33e4a7d2df281faf48de261d

SHA512
8670cb8e4dcb893c449f12542091156d57b904c4a06cad64e13571deeb8d993d59a121010462910afcd7247e8bee10f3e56b91cd78c1be57dbea36b84fde7169

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\edb4a525-2d83-4d61-8da0-bc56482cd71e

Filesize
671B

MD5
6693ea7199ff7ab0bbda335f8e64a5b2

SHA1
8eb604fa7a000b7e8ef03a0b0bf31d49d060a637

SHA256
1f3652293cdaf92842cf583d5ac6797466fc9ff0cf53854ea0339bde3a7272d7

SHA512
9089f7c00163cad438e1541ebf72410dbdf2438f3577db032ce5a2a19ca4e9916f6f8dedac95dd626f54fbf48aa5890fcab4d0edf47b37eb40b939d347539825

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\f2b9a47d-8282-460a-97d9-7a3b686f6363

Filesize
982B

MD5
71beb89c1520b27b571d506a8964a5a7

SHA1
f4648e781ec1e1c7590e0aa265d0c153305f77c1

SHA256
97ee0c6db3a0a80c041ed57dfd841109ce36acdeccb2d4e8547c6397f425a697

SHA512
a5ecd1febb38355c4fd3452077f147426a2dad50271a69e91f155c33a5d10cd40965fc8a90f123f68a7680913406e09d49c4db00d854fa5d825932439ddeb3a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

Filesize
11KB

MD5
9290fa84f0f6e8d9db863095afd7ec13

SHA1
36114e65641e98691987c51456c2dd620eabae32

SHA256
8c93e6f40f2d7ce8c1e17b26802887928ffaaf4d6e8655f06074f0c91b1983aa

SHA512
900e00861f1520098a7e6f8feac9d1c8aa79b16e8cd5c1b5c105fdaa98993c525153e3b2fb6fd1361ca0dfeccb38900c65b840ab7f4187d18ea52958afd8e3e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

Filesize
12KB

MD5
672ed1eb61a9990c0dc2a8f96f734866

SHA1
023d2d39ed7ac11a8125fa2f44d00d6b7a171907

SHA256
2b0172f911795147ead110762aa29b909221359559b8edde82cdb84ba42e4546

SHA512
ccfbf19fd2423d80a49c342cb30ddd87292345b41459a044ff179c7bd136bef70082c5f869df6642d5bc635ac378cd6d3a65be3841838ca1484d1c6e0d470f5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

Filesize
11KB

MD5
f64b58f78e47fe9a461e121f4d5ed250

SHA1
04ae9b8d66fc6fb4aa351707167022755485449a

SHA256
8c5cef4a9d505e25ba051b46371c3a1c7910548e3544da3a92313751ab24b946

SHA512
3149d68df50161693df9a268d97ce61a44e8492f8ba0858019691516cb67a8efd26f34c4443ec6f37623b6544a0ee65f797ae8789235681a1369223d0b9087c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
368KB

MD5
0858c817b1070f1e765c8dee383217fe

SHA1
9d1359e988aaa08e5d0b1cc87cc0ad096fd5670e

SHA256
e5157506ce78208b60d78755e8fd5cede3673e4601e54033664dca3965b9f563

SHA512
fe874a9379bc8f922fcaf877c7410f51bdccba2bef6cdfa1b65d06d35bf5d89c21a4527cb9b26dd65d07779021128c63c699f2b2e424add08b22ef25807dc815

Download Submit
C:\Users\Admin\Pictures\h6xx1rBQJ62XH6QaLc8R55UF.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Windows\Temp\1.exe

Filesize
313KB

MD5
a36dc92515ad9a1efd791c57e6b8825b

SHA1
787767c3c8717c4f165adc1b20acc9a8352bab06

SHA256
e3b5a04c8bc029a519b7edb6f32ef05b48e83f8ba5d78957aaff4900c1abbbad

SHA512
74401be47fc01142abd227bc1383958be499dabefff142be673d2b340e17e8944f4ee9d82f07d2380532f7f45eaa1dce2f73b482b17d39da19f9da5d1db0421f

Download Submit
C:\Windows\Temp\2.exe

Filesize
435KB

MD5
1f3cfcf8aad3e5e3164405d272aa213e

SHA1
96f1c646d19deab4ff071fbc6b3c73c87ce56e49

SHA256
fcdab9639af874cba780e20c21a9bc662b160dc313ddb75e5f82f779f1680101

SHA512
0d2008b613bed0f1bed205ace8e89d13d5b5e0fca924ca1f9d0e322564c7d7610e0e735e3686701d3042fef1c164dcd43e40a67eb60199b885fbcb761fa41b06

Download Submit
memory/8-415-0x0000000021D70000-0x0000000021FCF000-memory.dmp

Filesize
2.4MB

Download
memory/8-432-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/8-249-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/8-410-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/8-414-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/8-252-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/8-514-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/8-254-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/8-449-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/8-465-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/8-477-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/8-503-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/8-504-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/976-367-0x0000000000BF0000-0x0000000000F24000-memory.dmp

Filesize
3.2MB

Download
memory/1040-48-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1688-1188-0x0000000000FD0000-0x0000000001024000-memory.dmp

Filesize
336KB

Download
memory/1900-83-0x00000000005B0000-0x00000000008E4000-memory.dmp

Filesize
3.2MB

Download
memory/2032-284-0x0000000000970000-0x00000000009BA000-memory.dmp

Filesize
296KB

Download
memory/2472-369-0x00000000009B0000-0x0000000000A84000-memory.dmp

Filesize
848KB

Download
memory/2472-81-0x00000000009B0000-0x0000000000A84000-memory.dmp

Filesize
848KB

Download
memory/2588-36-0x0000000000490000-0x0000000000975000-memory.dmp

Filesize
4.9MB

Download
memory/2588-46-0x0000000000490000-0x0000000000975000-memory.dmp

Filesize
4.9MB

Download
memory/2712-529-0x00000000005A0000-0x00000000005EA000-memory.dmp

Filesize
296KB

Download
memory/2744-259-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/2752-264-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2752-262-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2752-260-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2992-1048-0x0000000000910000-0x0000000000952000-memory.dmp

Filesize
264KB

Download
memory/3004-305-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3004-370-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3004-303-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3164-1357-0x0000000000780000-0x00000000007CA000-memory.dmp

Filesize
296KB

Download
memory/3308-1783-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-85-0x00000000009B0000-0x0000000000A84000-memory.dmp

Filesize
848KB

Download
memory/3312-69-0x00000000009B0000-0x0000000000A84000-memory.dmp

Filesize
848KB

Download
memory/3460-299-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3460-297-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3460-295-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3492-52-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3492-53-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3708-307-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3708-311-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3708-309-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3796-280-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3796-522-0x0000000000F70000-0x0000000000FCA000-memory.dmp

Filesize
360KB

Download
memory/3796-278-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3796-282-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4048-4-0x00007FFF9EEC0000-0x00007FFF9F981000-memory.dmp

Filesize
10.8MB

Download
memory/4048-1-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/4048-2-0x00007FFF9EEC0000-0x00007FFF9F981000-memory.dmp

Filesize
10.8MB

Download
memory/4048-0-0x00007FFF9EEC3000-0x00007FFF9EEC5000-memory.dmp

Filesize
8KB

Download
memory/4048-3-0x00007FFF9EEC3000-0x00007FFF9EEC5000-memory.dmp

Filesize
8KB

Download
memory/4444-132-0x0000000000300000-0x000000000034A000-memory.dmp

Filesize
296KB

Download
memory/4544-226-0x00000000007D0000-0x000000000082A000-memory.dmp

Filesize
360KB

Download
memory/4668-900-0x0000000004DC0000-0x0000000004E26000-memory.dmp

Filesize
408KB

Download
memory/4668-897-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/4668-896-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/4832-681-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/4836-696-0x00000000001D0000-0x000000000022C000-memory.dmp

Filesize
368KB

Download
memory/4836-1173-0x0000000000C00000-0x0000000000C5C000-memory.dmp

Filesize
368KB

Download
memory/4868-214-0x0000000000DB0000-0x0000000000DFA000-memory.dmp

Filesize
296KB

Download
memory/4928-49-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4928-27-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4928-50-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4928-51-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5028-238-0x0000000000860000-0x00000000008AA000-memory.dmp

Filesize
296KB

Download
memory/5192-1248-0x0000000005E20000-0x0000000005E96000-memory.dmp

Filesize
472KB

Download
memory/5192-1262-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/5192-1189-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5220-1140-0x0000000000670000-0x00000000006C4000-memory.dmp

Filesize
336KB

Download
memory/5248-1204-0x00000000025C0000-0x0000000002606000-memory.dmp

Filesize
280KB

Download
memory/5248-1205-0x00000000049B0000-0x00000000049F4000-memory.dmp

Filesize
272KB

Download
memory/5576-921-0x00000000001E0000-0x0000000000222000-memory.dmp

Filesize
264KB

Download
memory/5848-1258-0x0000000007D50000-0x0000000007D8C000-memory.dmp

Filesize
240KB

Download
memory/5848-1075-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5848-1257-0x0000000007CF0000-0x0000000007D02000-memory.dmp

Filesize
72KB

Download
memory/5848-1254-0x0000000008280000-0x0000000008898000-memory.dmp

Filesize
6.1MB

Download
memory/5848-1076-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/5848-1261-0x0000000007EB0000-0x0000000007EFC000-memory.dmp

Filesize
304KB

Download
memory/5848-1255-0x0000000007DA0000-0x0000000007EAA000-memory.dmp

Filesize
1.0MB

Download
memory/5848-1093-0x00000000050E0000-0x00000000050EA000-memory.dmp

Filesize
40KB

Download
memory/5908-941-0x0000000000230000-0x000000000029D000-memory.dmp

Filesize
436KB

Download