hxxps://web[.]archive[.]org/

Analysis

max time kernel
1527s
max time network
1559s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://web.archive.org/

Score

10^/10

bootkit defense_evasion discovery evasion execution exploit persistence privilege_escalation trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ProtegentTS.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ProtegentTS.tmp

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\netfilter2.sys	ProtegentTS.tmp
File created	C:\Windows\system32\drivers\pgsecdl.sys	ProtegentTS.tmp
File opened for modification	C:\Windows\SysWOW64\DRIVERS\SET79C2.tmp	ProtegentTS.tmp
File created	C:\Windows\SysWOW64\DRIVERS\SET79C2.tmp	ProtegentTS.tmp
File opened for modification	C:\Windows\SysWOW64\DRIVERS\pgsecdl.sys	ProtegentTS.tmp
File created	C:\Windows\system32\drivers\netfilter2.sys	ProtegentTS.tmp

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
4340	takeown.exe
4972	icacls.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation	pgisgui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation	pgisgui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation	pgisgui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation	pgisgui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation	pgisgui.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 61 IoCs

pid	Process
3368	PAVSetup (1).exe
3880	Setup.exe
3964	Setup.exe
2180	P360Setup.exe
3656	Setup.exe
3524	USPL-P360-S65.exe
3520	USPL-P360-S65.tmp
3912	ProtegentTS.exe
2300	ProtegentTS.tmp
3976	pgxsrv.exe
2152	pgxsrv.exe
1312	pgisgui.exe
1068	USPL-AR-S65.exe
1944	USPL-AR-S65.tmp
1724	AReporter.exe
540	proserv.exe
1236	USPL-PL-S65.exe
2144	USPL-PL-S65.tmp
300	USPL-LL-S65.exe
3128	USPL-LL-S65.tmp
2936	LLActivate.exe
1328	LLaptop.exe
1808	proserv.exe
2572	LLaptop.exe
1692	LLaptop.exe
5092	USPL-SBE-S65.exe
5112	USPL-SBE-S65.tmp
3600	Setup.exe
4384	Proserv.exe
4272	Proserv.exe
4512	LLStartUp.exe
4580	LLActivate.exe
4804	awesomium_process.exe
1524	Protegent360.exe
1720	LLStartUp.exe
3176	awesomium_process.exe
3856	ActivateAll.exe
4768	ActivateAll.exe
4704	Protegent360.exe
2576	LLStartUp.exe
3452	awesomium_process.exe
4316	LLStartUp.exe
4664	awesomium_process.exe
3432	pgisgui.exe
4252	pgisgui.exe
4864	pgisgui.exe
3600	LLStartUp.exe
4488	Proserv.exe
4020	pgisgui.exe
3724	MEMZ.exe
4992	MEMZ.exe
4968	MEMZ.exe
2232	MEMZ.exe
4732	MEMZ.exe
4532	MEMZ.exe
1388	MEMZ.exe
3428	Bonzify.exe
1012	INSTALLER.exe
4588	AgentSvr.exe
5036	INSTALLER.exe
3236	AgentSvr.exe

Impair Defenses: Safe Mode Boot 1 TTPs 4 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pgsecdl.sys	ProtegentTS.tmp
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SecureDevice	USPL-PL-S65.tmp
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SecureDevice\	USPL-PL-S65.tmp
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pgxsrv	ProtegentTS.tmp

Loads dropped DLL 64 IoCs

pid	Process
3368	PAVSetup (1).exe
3368	PAVSetup (1).exe
3368	PAVSetup (1).exe
3368	PAVSetup (1).exe
3880	Setup.exe
2180	P360Setup.exe
2180	P360Setup.exe
2180	P360Setup.exe
2180	P360Setup.exe
3656	Setup.exe
3524	USPL-P360-S65.exe
3520	USPL-P360-S65.tmp
3520	USPL-P360-S65.tmp
3520	USPL-P360-S65.tmp
3520	USPL-P360-S65.tmp
3520	USPL-P360-S65.tmp
3520	USPL-P360-S65.tmp
3656	Setup.exe
3912	ProtegentTS.exe
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
3976	pgxsrv.exe
3976	pgxsrv.exe
3976	pgxsrv.exe
3976	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
1940	regsvr32.exe
3656	Setup.exe
1068	USPL-AR-S65.exe
1944	USPL-AR-S65.tmp
1944	USPL-AR-S65.tmp
1944	USPL-AR-S65.tmp
1944	USPL-AR-S65.tmp
1944	USPL-AR-S65.tmp
3656	Setup.exe
1704	regsvr32.exe
1236	USPL-PL-S65.exe
2144	USPL-PL-S65.tmp
2144	USPL-PL-S65.tmp
2144	USPL-PL-S65.tmp
3656	Setup.exe
300	USPL-LL-S65.exe
3128	USPL-LL-S65.tmp
3128	USPL-LL-S65.tmp
3128	USPL-LL-S65.tmp
3128	USPL-LL-S65.tmp
3128	USPL-LL-S65.tmp
3128	USPL-LL-S65.tmp
3128	USPL-LL-S65.tmp
3656	Setup.exe
5092	USPL-SBE-S65.exe
5112	USPL-SBE-S65.tmp
5112	USPL-SBE-S65.tmp
5112	USPL-SBE-S65.tmp
3656	Setup.exe
3600	Setup.exe
3600	Setup.exe
3600	Setup.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4972	icacls.exe
4340	takeown.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Protegent Total Security = "\"C:\\Program Files\\Protegent Total Security\\pgisgui.exe\" -minimize"	ProtegentTS.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	INSTALLER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AutorunPro = "C:\\Program Files (x86)\\Protegent360\\AutorunPro.exe"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	ProtegentTS.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
442	raw.githubusercontent.com
443	raw.githubusercontent.com
444	raw.githubusercontent.com
437	raw.githubusercontent.com
438	raw.githubusercontent.com
439	raw.githubusercontent.com
440	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\Desktop\PAV\autorun.inf	PAVSetup (1).exe
File opened for modification	C:\Users\Admin\Desktop\PAV\autorun.inf	PAVSetup (1).exe
File created	C:\P360\Unistal\PRO_PRD\CrashProof\Windows\autorun.inf	P360Setup.exe
File opened for modification	C:\P360\Unistal\PRO_PRD\CrashProof\Windows\autorun.inf	P360Setup.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pro\is-J2GPH.tmp	USPL-AR-S65.tmp
File opened for modification	C:\Windows\SysWOW64\pro\Proserv.exe	USPL-PL-S65.tmp
File opened for modification	C:\Windows\SysWOW64\pro\avutil-51.dll	USPL-LL-S65.tmp
File created	C:\Windows\SysWOW64\pro\is-3D29R.tmp	USPL-LL-S65.tmp
File opened for modification	C:\Windows\SysWOW64\SETBF11.tmp	INSTALLER.exe
File opened for modification	C:\Windows\SysWOW64\pro\SecureDevice_Serv.exe	USPL-PL-S65.tmp
File created	C:\Windows\SysWOW64\pro\is-FMJA4.tmp	USPL-PL-S65.tmp
File opened for modification	C:\Windows\SysWOW64\pro\LLaptop.exe	USPL-LL-S65.tmp
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	pgxsrv.exe
File opened for modification	C:\Windows\SysWOW64\pro\AReporter.exe	USPL-AR-S65.tmp
File opened for modification	C:\Windows\SysWOW64\pro\SecureDevice_Serv_x64.exe	USPL-PL-S65.tmp
File opened for modification	C:\Windows\SysWOW64\pro\Proserv.exe	USPL-LL-S65.tmp
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	LLStartUp.exe
File opened for modification	C:\Windows\SysWOW64\pro\Proserv.exe	USPL-AR-S65.tmp
File created	C:\Windows\SysWOW64\pro\is-FCP30.tmp	USPL-AR-S65.tmp
File created	C:\Windows\SysWOW64\pro\is-TG7MG.tmp	USPL-PL-S65.tmp
File created	C:\Windows\SysWOW64\pro\is-MM4H3.tmp	USPL-LL-S65.tmp
File created	C:\Windows\SysWOW64\pro\is-KM4RE.tmp	USPL-LL-S65.tmp
File created	C:\Windows\SysWOW64\SETBF11.tmp	INSTALLER.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	INSTALLER.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-2JDS1.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-IJT9Q.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-PV83C.tmp	USPL-AR-S65.tmp
File opened for modification	C:\Program Files (x86)\Activity Reporter\ARIB.exe	USPL-AR-S65.tmp
File opened for modification	C:\Program Files (x86)\Activity Reporter\msvcr100.dll	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-L8V6I.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-5H15G.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-6HV32.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\is-Q2K74.tmp	USPL-AR-S65.tmp
File created	C:\PROGRA~3\UNI\LL\Report\LLAddFolder.exe	LLaptop.exe
File opened for modification	C:\Program Files (x86)\Protegent360\Registration.exe	USPL-P360-S65.tmp
File created	C:\Program Files (x86)\Locate Laptop\is-N9RH3.tmp	USPL-LL-S65.tmp
File opened for modification	C:\Program Files\Protegent Total Security\msdbgc.db	pgxsrv.exe
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-L6TTT.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Locate Laptop\is-K898S.tmp	USPL-LL-S65.tmp
File opened for modification	C:\Program Files (x86)\Port Locker\DiskSerial.dll	USPL-PL-S65.tmp
File created	C:\PROGRA~3\UNI\LL\Report\mfcm90.dll	LLaptop.exe
File created	C:\Program Files (x86)\Protegent360\is-U41KH.tmp	USPL-P360-S65.tmp
File opened for modification	C:\Program Files\Protegent Total Security\nss\certutil.exe	ProtegentTS.tmp
File created	C:\Program Files\Protegent Total Security\is-R59KT.tmp	ProtegentTS.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-DQ4OM.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-6AC1D.tmp	USPL-AR-S65.tmp
File opened for modification	C:\Program Files (x86)\Port Locker\IdleTrac.dll	USPL-PL-S65.tmp
File created	C:\Program Files (x86)\Locate Laptop\is-BQBM5.tmp	USPL-LL-S65.tmp
File created	C:\Program Files\Protegent Total Security\is-3LIII.tmp	ProtegentTS.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-B8GAV.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-LH609.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-GD857.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\is-J0SRS.tmp	USPL-AR-S65.tmp
File opened for modification	C:\Program Files (x86)\Locate Laptop\msvcr100.dll	USPL-LL-S65.tmp
File opened for modification	C:\Program Files (x86)\SysBoost\FreeSpace.dll	USPL-SBE-S65.tmp
File created	C:\Program Files (x86)\SysBoost\is-ECU7A.tmp	USPL-SBE-S65.tmp
File created	C:\Program Files (x86)\Protegent360\is-VNSIJ.tmp	USPL-P360-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-DJF3N.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-T142H.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\Reports\is-PM6OA.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Port Locker\is-A4V1P.tmp	USPL-PL-S65.tmp
File opened for modification	C:\Program Files (x86)\Locate Laptop\awesomium.log	awesomium_process.exe
File created	C:\Program Files (x86)\Locate Laptop\is-DCPU4.tmp	USPL-LL-S65.tmp
File created	C:\Program Files (x86)\Locate Laptop\Servlog.txt	LLaptop.exe
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-2CLC3.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-64ID0.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-77Q04.tmp	USPL-AR-S65.tmp
File opened for modification	C:\Program Files (x86)\Locate Laptop\opencv_highgui2413.dll	USPL-LL-S65.tmp
File opened for modification	C:\Program Files (x86)\Locate Laptop\mfcm90.dll	USPL-LL-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-CDOAA.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-GJ6HU.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Port Locker\is-45C3R.tmp	USPL-PL-S65.tmp
File created	C:\PROGRA~3\UNI\LL\Report\libGLESv2.dll	LLaptop.exe
File opened for modification	C:\Program Files\Protegent Total Security\unins000.dat	ProtegentTS.tmp
File opened for modification	C:\Program Files (x86)\Activity Reporter\Activity.dll	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Locate Laptop\is-F77LR.tmp	USPL-LL-S65.tmp
File created	C:\PROGRA~3\UNI\LL\Report\msvcr100.dll	LLaptop.exe
File opened for modification	C:\Program Files (x86)\Locate Laptop\awesomium.log	awesomium_process.exe
File created	C:\PROGRA~3\UNI\LL\Report\ssleay32.dll	LLaptop.exe
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-EE6DB.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-3HE9O.tmp	USPL-AR-S65.tmp
File opened for modification	C:\Program Files (x86)\Port Locker\Disk16.dll	USPL-PL-S65.tmp
File created	C:\Program Files\Protegent Total Security\is-0SKTE.tmp	ProtegentTS.tmp
File opened for modification	C:\Program Files\Protegent Total Security\opts.txt	pgxsrv.exe
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-K9QF6.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-03MTL.tmp	USPL-AR-S65.tmp
File created	C:\Program Files (x86)\Activity Reporter\BMP\is-936NO.tmp	USPL-AR-S65.tmp
File opened for modification	C:\Program Files (x86)\Port Locker\Nodisk.exe	USPL-PL-S65.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Getdisk.exe	USPL-PL-S65.tmp
File opened for modification	C:\Windows\msagent\AgentDPv.dll	INSTALLER.exe
File created	C:\Windows\msagent\SETBD3C.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSR.dll	INSTALLER.exe
File created	C:\Windows\INF\SETBD4F.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	INSTALLER.exe
File created	C:\Windows\fonts\SETBEFF.tmp	INSTALLER.exe
File created	C:\Windows\is-P20SB.tmp	USPL-PL-S65.tmp
File opened for modification	C:\Windows\msagent\SETBD3B.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETBD3C.tmp	INSTALLER.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	explorer.exe
File created	C:\Windows\unP360.dat	Protegent360.exe
File opened for modification	C:\Windows\msagent\AgentPsh.dll	INSTALLER.exe
File created	C:\Windows\help\SETBD51.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	INSTALLER.exe
File created	C:\Windows\unP360.exe	Protegent360.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETBD39.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETBD3A.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETBD3B.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETBD4E.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETBD50.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	INSTALLER.exe
File opened for modification	C:\Windows\INF\SETBD4F.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETBD38.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETBD38.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETBD3A.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETBEFC.tmp	INSTALLER.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	INSTALLER.exe
File created	C:\Windows\executables.bin	Bonzify.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentMPx.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\SETBD52.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\help\SETBEFE.tmp	INSTALLER.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	explorer.exe
File created	C:\Windows\msagent\SETBD53.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SETBEFD.tmp	INSTALLER.exe
File opened for modification	C:\Windows\fonts\SETBEFF.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETBD3D.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETBD3E.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETBD50.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETBEFD.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\SETBEFE.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\SETBF10.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETBD39.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\Agt0409.hlp	INSTALLER.exe
File created	C:\Windows\msagent\intl\SETBD52.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETBD53.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	INSTALLER.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	ProtegentTS.tmp
File created	C:\Windows\msagent\chars\Bonzi.acs	Bonzify.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	INSTALLER.exe
File opened for modification	C:\Windows\INF\agtinst.inf	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETBD3D.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETBD3E.tmp	INSTALLER.exe
File created	C:\Windows\INF\SETBF10.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETBD4E.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\mslwvtts.dll	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SETBEFC.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	INSTALLER.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 9 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Bonzify(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify(4).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify(6).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\P360Setup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify(2).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify(3).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify(5).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\PAVSetup (1).exe:Zone.Identifier	firefox.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PAVSetup (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AReporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	proserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USPL-PL-S65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgisgui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonzify.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LLStartUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgxsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USPL-PL-S65.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LLaptop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LLaptop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ActivateAll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProtegentTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USPL-AR-S65.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USPL-LL-S65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LLStartUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProtegentTS.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USPL-AR-S65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	awesomium_process.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USPL-P360-S65.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Protegent360.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USPL-SBE-S65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ActivateAll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USPL-P360-S65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LLStartUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgisgui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	awesomium_process.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgxsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LLActivate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USPL-SBE-S65.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LLStartUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USPL-LL-S65.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LLStartUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	awesomium_process.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgisgui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	proserv.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	awesomium_process.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	awesomium_process.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LLStartUp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	awesomium_process.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LLStartUp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LLStartUp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	awesomium_process.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	awesomium_process.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LLStartUp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	awesomium_process.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LLStartUp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LLStartUp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LLStartUp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LLStartUp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	awesomium_process.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LLStartUp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LLStartUp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	awesomium_process.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3640	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	P360Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{06BD4151-7828-11EF-A045-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	PAVSetup (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{106911E9-7828-11EF-A045-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B75BE14-5AA9-4B67-AF64-62B4A5508612}\WpadDecisionReason = "1"	pgxsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	LLStartUp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	pgxsrv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	pgxsrv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	pgxsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	pgxsrv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	pgxsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	pgxsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	pgxsrv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B75BE14-5AA9-4B67-AF64-62B4A5508612}\WpadNetworkName = "Network 3"	pgxsrv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B75BE14-5AA9-4B67-AF64-62B4A5508612}\WpadDecision = "0"	pgxsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B75BE14-5AA9-4B67-AF64-62B4A5508612}\5e-75-fd-b2-36-29	pgxsrv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-75-fd-b2-36-29\WpadDecision = "0"	pgxsrv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	pgxsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	pgxsrv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	pgxsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B75BE14-5AA9-4B67-AF64-62B4A5508612}	pgxsrv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	pgxsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	pgxsrv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	pgxsrv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	pgxsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	pgxsrv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B75BE14-5AA9-4B67-AF64-62B4A5508612}\WpadDecisionTime = 8810afbf320cdb01	pgxsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-75-fd-b2-36-29	pgxsrv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-75-fd-b2-36-29\WpadDecisionReason = "1"	pgxsrv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	pgxsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	LLStartUp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	pgxsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	pgxsrv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-75-fd-b2-36-29\WpadDecisionTime = 8810afbf320cdb01	pgxsrv.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LocateLaptop\UwBlAHQAdABpAG4AZwBzAA[[\TgBvAE4AZQB0AFMAdABhAHIAdABUAGkAbQBlAA[[ = "MAA["	USPL-LL-S65.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UAAzADYAMAA=\InstallType = "15"	Protegent360.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LocateLaptop	LLStartUp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\2.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1DAB85C3-803A-11D0-AC63-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UG9ydExvY2tlcg==\IdleF = "Checked"	USPL-PL-S65.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD300-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UG9ydExvY2tlcg==\UHJvZHVjdFJlY29yZA==	USPL-PL-S65.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UAAzADYAMAA=\CPInstallingLocation = "C:\\P360\\"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ = "Microsoft Agent Control 2.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}\ = "AgentNotifySink Custom Proxy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FA9F4D5-A173-11D1-AA62-00C04FA34D72}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AROutlook.ARAddon\CurVer\ = "AROutlook.ARAddon.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UG9ydExvY2tlcg==\Permission IEEE 1394 port = "Enable"	USPL-PL-S65.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UG9ydExvY2tlcg==\Email\FTP Username	USPL-PL-S65.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}\ = "AgentCharacter Custom Proxy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentBalloon"	AgentSvr.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2	pgisgui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentAudioOutputPropertiesEx"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ProgID\ = "Agent.Control.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlAudioObject"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\TypeLib	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentSpeechInputProperties"	AgentSvr.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UG9ydExvY2tlcg==\Email\No Days = "1"	USPL-PL-S65.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	pgisgui.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PgDefSuite.Srv\CLSID\ = "{678F8F37-F91E-4E49-B032-BD21AB39D16B}"	pgxsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B700399C-0359-4161-96CE-6E009704D33E}\1.0\ = "AROutlookLib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{53C2041B-D0C4-4D96-BDDB-74A551CAADD1}\ = "IARAddon"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysBoost\DtWpOpt\Strength = "1"	USPL-SBE-S65.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ = "IAgentCtlCommandEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UAAzADYAMAA=\Configure	Protegent360.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD300-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\ = "IAgent"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\ = "IAgentCommandsEx"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53C2041B-D0C4-4D96-BDDB-74A551CAADD1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UAAzADYAMAA=\TABMAGEAcAB0AG8AcAA= = "Install"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LocateLaptop\UwBlAHQAdABpAG4AZwBzAA[[	LLStartUp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7711E77-B997-11CF-A6BB-0080C7B2D693}\1.0\0	pgxsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{875878F7-DEAA-4971-B321-5D5046F2B39E}\TypeLib\Version = "1.0"	pgxsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UG9ydExvY2tlcg==\U2V0UGFzc3dvcmQ= = "FALSE"	USPL-PL-S65.tmp

NTFS ADS 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\PAVSetup (1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify(3).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify(6).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\P360Setup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify(2).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify(4).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify(5).exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4368	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
3724	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3520	USPL-P360-S65.tmp
3520	USPL-P360-S65.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2300	ProtegentTS.tmp
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe
2152	pgxsrv.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3656	Setup.exe
2576	LLStartUp.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeDebugPrivilege	3520	USPL-P360-S65.tmp
Token: SeIncreaseQuotaPrivilege	2300	ProtegentTS.tmp
Token: SeSecurityPrivilege	2300	ProtegentTS.tmp
Token: SeTakeOwnershipPrivilege	2300	ProtegentTS.tmp
Token: SeLoadDriverPrivilege	2300	ProtegentTS.tmp
Token: SeSystemProfilePrivilege	2300	ProtegentTS.tmp
Token: SeSystemtimePrivilege	2300	ProtegentTS.tmp
Token: SeProfSingleProcessPrivilege	2300	ProtegentTS.tmp
Token: SeIncBasePriorityPrivilege	2300	ProtegentTS.tmp
Token: SeCreatePagefilePrivilege	2300	ProtegentTS.tmp
Token: SeBackupPrivilege	2300	ProtegentTS.tmp
Token: SeRestorePrivilege	2300	ProtegentTS.tmp
Token: SeShutdownPrivilege	2300	ProtegentTS.tmp
Token: SeDebugPrivilege	2300	ProtegentTS.tmp
Token: SeSystemEnvironmentPrivilege	2300	ProtegentTS.tmp
Token: SeChangeNotifyPrivilege	2300	ProtegentTS.tmp
Token: SeRemoteShutdownPrivilege	2300	ProtegentTS.tmp
Token: SeUndockPrivilege	2300	ProtegentTS.tmp
Token: SeManageVolumePrivilege	2300	ProtegentTS.tmp
Token: SeImpersonatePrivilege	2300	ProtegentTS.tmp
Token: SeCreateGlobalPrivilege	2300	ProtegentTS.tmp
Token: 33	2300	ProtegentTS.tmp
Token: 34	2300	ProtegentTS.tmp
Token: 35	2300	ProtegentTS.tmp
Token: SeIncreaseQuotaPrivilege	2300	ProtegentTS.tmp
Token: SeSecurityPrivilege	2300	ProtegentTS.tmp
Token: SeTakeOwnershipPrivilege	2300	ProtegentTS.tmp
Token: SeLoadDriverPrivilege	2300	ProtegentTS.tmp
Token: SeSystemProfilePrivilege	2300	ProtegentTS.tmp
Token: SeSystemtimePrivilege	2300	ProtegentTS.tmp
Token: SeProfSingleProcessPrivilege	2300	ProtegentTS.tmp
Token: SeIncBasePriorityPrivilege	2300	ProtegentTS.tmp
Token: SeCreatePagefilePrivilege	2300	ProtegentTS.tmp
Token: SeBackupPrivilege	2300	ProtegentTS.tmp
Token: SeRestorePrivilege	2300	ProtegentTS.tmp
Token: SeShutdownPrivilege	2300	ProtegentTS.tmp
Token: SeDebugPrivilege	2300	ProtegentTS.tmp
Token: SeSystemEnvironmentPrivilege	2300	ProtegentTS.tmp

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
3520	USPL-P360-S65.tmp
2300	ProtegentTS.tmp
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1944	USPL-AR-S65.tmp
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe
1312	pgisgui.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
3368	PAVSetup (1).exe
3368	PAVSetup (1).exe
3880	Setup.exe
3964	Setup.exe
3964	Setup.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
2180	P360Setup.exe
2180	P360Setup.exe
3656	Setup.exe
3656	Setup.exe
3656	Setup.exe
1312	pgisgui.exe
2936	LLActivate.exe
3600	Setup.exe
3600	Setup.exe
3600	Setup.exe
4580	LLActivate.exe
1524	Protegent360.exe
1524	Protegent360.exe
3856	ActivateAll.exe
4768	ActivateAll.exe
4704	Protegent360.exe
4704	Protegent360.exe
1312	pgisgui.exe
1672	firefox.exe
1672	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1672	540	firefox.exe	31
PID 540 wrote to memory of 1672	540	firefox.exe	31
PID 540 wrote to memory of 1672	540	firefox.exe	31
PID 540 wrote to memory of 1672	540	firefox.exe	31
PID 540 wrote to memory of 1672	540	firefox.exe	31
PID 540 wrote to memory of 1672	540	firefox.exe	31
PID 540 wrote to memory of 1672	540	firefox.exe	31
PID 540 wrote to memory of 1672	540	firefox.exe	31
PID 540 wrote to memory of 1672	540	firefox.exe	31
PID 540 wrote to memory of 1672	540	firefox.exe	31
PID 540 wrote to memory of 1672	540	firefox.exe	31
PID 540 wrote to memory of 1672	540	firefox.exe	31
PID 1672 wrote to memory of 2744	1672	firefox.exe	32
PID 1672 wrote to memory of 2744	1672	firefox.exe	32
PID 1672 wrote to memory of 2744	1672	firefox.exe	32
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 2780	1672	firefox.exe	33
PID 1672 wrote to memory of 324	1672	firefox.exe	34
PID 1672 wrote to memory of 324	1672	firefox.exe	34
PID 1672 wrote to memory of 324	1672	firefox.exe	34
PID 1672 wrote to memory of 324	1672	firefox.exe	34
PID 1672 wrote to memory of 324	1672	firefox.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://web.archive.org/"
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://web.archive.org/
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.0.1630220782\1391894389" -parentBuildID 20221007134813 -prefsHandle 1272 -prefMapHandle 1156 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {febebf5b-7ab9-4a0f-a83e-740fee79def9} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 1384 105efa58 gpu
    3⤵
    PID:2744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.1.1097050920\1463879722" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91241887-0476-43f0-a1f6-808be597c039} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 1548 f4eb258 socket
    3⤵
    PID:2780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.2.99149562\1885337897" -childID 1 -isForBrowser -prefsHandle 2004 -prefMapHandle 2000 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd795215-61fd-4b86-91ca-4238bbb6aa9c} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 1916 10563c58 tab
    3⤵
    PID:324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.3.1539442933\485115675" -childID 2 -isForBrowser -prefsHandle 2756 -prefMapHandle 2752 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96055538-a6c6-4047-99fa-333671d67d55} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 2768 1c930458 tab
    3⤵
    PID:856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.4.231152504\201144618" -childID 3 -isForBrowser -prefsHandle 3676 -prefMapHandle 3668 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {915ada11-5b77-4feb-937a-01ea7b1d7a83} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 3688 1e6f6f58 tab
    3⤵
    PID:1804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.5.216420302\117933926" -childID 4 -isForBrowser -prefsHandle 3788 -prefMapHandle 3792 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94b6cc6f-cd7a-4410-b5c9-d8ff9158f7aa} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 2652 1e703558 tab
    3⤵
    PID:2236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.6.2100376922\1459230314" -childID 5 -isForBrowser -prefsHandle 3976 -prefMapHandle 3980 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f0e9d81-5d68-4873-be25-2f36f3fd19ca} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 3960 1e706b58 tab
    3⤵
    PID:2220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.7.2055431087\965728921" -childID 6 -isForBrowser -prefsHandle 984 -prefMapHandle 3508 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f6580de-eb1d-4b69-b410-8096af28564d} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 4168 18905558 tab
    3⤵
    PID:992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.8.1186484988\965773939" -childID 7 -isForBrowser -prefsHandle 3584 -prefMapHandle 3572 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e59771d-eb04-47a9-ac1b-68a6c107bc69} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 4348 21782b58 tab
    3⤵
    PID:1328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.9.126876249\215277785" -childID 8 -isForBrowser -prefsHandle 4128 -prefMapHandle 4052 -prefsLen 27487 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86be0928-094f-4295-a609-dc603f3acf81} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 3828 e69e58 tab
    3⤵
    PID:2476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.10.1420493543\160545262" -childID 9 -isForBrowser -prefsHandle 8500 -prefMapHandle 2924 -prefsLen 27536 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b2d7381-6099-4dd1-a05e-ed870a9928f5} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 8484 13161458 tab
    3⤵
    PID:1148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.11.1886976726\526964568" -childID 10 -isForBrowser -prefsHandle 4516 -prefMapHandle 4460 -prefsLen 27592 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f90fe1f-baf8-46b0-af34-e48398d294d7} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 4512 1311c758 tab
    3⤵
    PID:2608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.12.1715177015\144447127" -childID 11 -isForBrowser -prefsHandle 7804 -prefMapHandle 7800 -prefsLen 27592 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26b31327-be24-4e4d-8baa-2d297d6b42b6} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 4564 1362f258 tab
    3⤵
    PID:1912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.13.1221797192\898814379" -childID 12 -isForBrowser -prefsHandle 2672 -prefMapHandle 2288 -prefsLen 27592 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77031cc5-0050-4ce4-a4ab-93ed5a4e6805} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 4192 1311c158 tab
    3⤵
    PID:3456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.14.364868841\809738336" -childID 13 -isForBrowser -prefsHandle 4488 -prefMapHandle 4560 -prefsLen 27601 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bba38a5-d1f6-463a-963f-7fae53b3bcd5} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 7992 134c2f58 tab
    3⤵
    PID:3332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.15.1426600034\701734819" -childID 14 -isForBrowser -prefsHandle 7544 -prefMapHandle 7540 -prefsLen 27601 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51f6ba88-8b0a-4556-8902-06b3ee547355} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 7720 1891bc58 tab
    3⤵
    PID:3232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.16.104348487\1680483904" -childID 15 -isForBrowser -prefsHandle 7916 -prefMapHandle 7900 -prefsLen 27601 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9269c01e-b9da-460f-ad56-855b022d0b73} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 1948 1c9df558 tab
    3⤵
    PID:3868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.17.1645432625\1541131810" -childID 16 -isForBrowser -prefsHandle 4012 -prefMapHandle 4168 -prefsLen 27672 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3aca6663-74e8-43d9-ab8a-560b6a354e7a} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 2276 1b891f58 tab
    3⤵
    PID:2484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.18.752830815\1384210973" -childID 17 -isForBrowser -prefsHandle 7552 -prefMapHandle 7548 -prefsLen 27672 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53f3768f-ec7e-4a77-96aa-b42ad7c617eb} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 7844 1f13fe58 tab
    3⤵
    PID:3936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.19.427882552\1759318703" -childID 18 -isForBrowser -prefsHandle 3720 -prefMapHandle 7676 -prefsLen 27672 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7e8f1dd-57bd-4d7f-b3a6-597b0d851f4a} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 7724 1f141658 tab
    3⤵
    PID:3720
- - C:\Users\Admin\Downloads\P360Setup.exe
    "C:\Users\Admin\Downloads\P360Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2180
  - - C:\P360\Setup.exe
      "C:\P360\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:3656
    - - C:\P360\Unistal\PRO_PRD\USPL-P360-S65.exe
        
        C:\P360\Unistal\PRO_PRD\USPL-P360-S65.exe /VERYSILENT /NORESTART /MERGETASKS="desktopicon,quicklaunchicon,fileassoc"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3524
      - C:\Users\Admin\AppData\Local\Temp\is-L5J52.tmp\USPL-P360-S65.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-L5J52.tmp\USPL-P360-S65.tmp" /SL5="$10248,11375037,152064,C:\P360\Unistal\PRO_PRD\USPL-P360-S65.exe" /VERYSILENT /NORESTART /MERGETASKS="desktopicon,quicklaunchicon,fileassoc"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3520
    - - C:\P360\Unistal\PRO_IS\ProtegentTS.exe
        
        C:\P360\Unistal\PRO_IS\ProtegentTS.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3912
      - C:\Users\Admin\AppData\Local\Temp\is-SSHNB.tmp\ProtegentTS.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SSHNB.tmp\ProtegentTS.tmp" /SL5="$20248,107050021,56832,C:\P360\Unistal\PRO_IS\ProtegentTS.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Drops file in Drivers directory
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2300
        
        C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        7⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:3376
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Program Files\Protegent Total Security\pgxsrv.exe
        
        "C:\Program Files\Protegent Total Security\pgxsrv.exe" -install yes
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\net.exe
        
        "net.exe" start pgxsrv
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start pgxsrv
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Protegent Total Security\msash.dll"
        7⤵
        Loads dropped DLL
        
        PID:1940
        
        C:\Program Files\Protegent Total Security\pgisgui.exe
        
        "C:\Program Files\Protegent Total Security\pgisgui.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1312
    - - C:\P360\Unistal\PRO_PRD\USPL-AR-S65.exe
        
        C:\P360\Unistal\PRO_PRD\USPL-AR-S65.exe /VERYSILENT /NORESTART
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1068
      - C:\Users\Admin\AppData\Local\Temp\is-V9BIN.tmp\USPL-AR-S65.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-V9BIN.tmp\USPL-AR-S65.tmp" /SL5="$202B4,20086428,390656,C:\P360\Unistal\PRO_PRD\USPL-AR-S65.exe" /VERYSILENT /NORESTART
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:1944
        
        C:\Windows\SysWOW64\pro\AReporter.exe
        
        "C:\Windows\system32\pro\AReporter.exe" -remove
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\pro\proserv.exe
        
        "C:\Windows\system32\pro\proserv.exe" -remove
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" "C:\Program Files (x86)\Activity Reporter\AROutlook32" -s
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
    - - C:\P360\Unistal\PRO_PRD\USPL-PL-S65.exe
        
        C:\P360\Unistal\PRO_PRD\USPL-PL-S65.exe /VERYSILENT /NORESTART
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1236
      - C:\Users\Admin\AppData\Local\Temp\is-N3CIL.tmp\USPL-PL-S65.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N3CIL.tmp\USPL-PL-S65.tmp" /SL5="$302B6,6674270,152064,C:\P360\Unistal\PRO_PRD\USPL-PL-S65.exe" /VERYSILENT /NORESTART
        6⤵
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
    - - C:\P360\Unistal\PRO_PRD\USPL-LL-S65.exe
        
        C:\P360\Unistal\PRO_PRD\USPL-LL-S65.exe /VERYSILENT /NORESTART
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:300
      - C:\Users\Admin\AppData\Local\Temp\is-H8C9B.tmp\USPL-LL-S65.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-H8C9B.tmp\USPL-LL-S65.tmp" /SL5="$402B6,18567159,67072,C:\P360\Unistal\PRO_PRD\USPL-LL-S65.exe" /VERYSILENT /NORESTART
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3128
        
        C:\Program Files (x86)\Locate Laptop\LLActivate.exe
        
        "C:\Program Files (x86)\Locate Laptop\LLActivate.exe" GetMCInfo
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\pro\LLaptop.exe
        
        "C:\Windows\system32\pro\LLaptop.exe" -remove
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\pro\proserv.exe
        
        "C:\Windows\system32\pro\proserv.exe" -remove
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\pro\LLaptop.exe
        
        "C:\Windows\system32\pro\LLaptop.exe" -install
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2572
    - - C:\P360\Unistal\PRO_PRD\USPL-SBE-S65.exe
        
        C:\P360\Unistal\PRO_PRD\USPL-SBE-S65.exe /VERYSILENT /NORESTART
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5092
      - C:\Users\Admin\AppData\Local\Temp\is-1TPTV.tmp\USPL-SBE-S65.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1TPTV.tmp\USPL-SBE-S65.tmp" /SL5="$502B6,7393256,67072,C:\P360\Unistal\PRO_PRD\USPL-SBE-S65.exe" /VERYSILENT /NORESTART
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
    - - C:\P360\Unistal\PRO_PRD\CrashProof\WindowsVista\Setup.exe
        
        /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3600
    - - C:\Program Files (x86)\Locate Laptop\LLStartUp.exe
        
        "C:\Program Files (x86)\Locate Laptop\LLStartUp.exe" RegisterLicense
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies registry class
        
        PID:4512
      - C:\Program Files (x86)\Locate Laptop\LLActivate.exe
        
        GetMCInfo
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4580
      - C:\Program Files (x86)\Locate Laptop\awesomium_process.exe
        
        "C:\Program Files (x86)\Locate Laptop\awesomium_process.exe" --type=renderer --enable-logging --log-level=2 --no-sandbox --awesomium-log-path="C:\Program Files (x86)\Locate Laptop\./awesomium.log" --disable-databases --lang --channel=4512.025B1C80.1301367298 /prefetch:3
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:4804

C:\Users\Admin\Desktop\PAVSetup (1).exe
"C:\Users\Admin\Desktop\PAVSetup (1).exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3368
- C:\Users\Admin\Desktop\PAV\Setup.exe
  "C:\Users\Admin\Desktop\PAV\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3880
- - C:\Users\Admin\Desktop\PAV\WindowsVista\Setup.exe
    "C:\Users\Admin\Desktop\PAV\WindowsVista\Setup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
PID:1596

C:\Program Files\Protegent Total Security\pgxsrv.exe
"C:\Program Files\Protegent Total Security\pgxsrv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Windows\SysWOW64\pro\LLaptop.exe
C:\Windows\SysWOW64\pro\LLaptop.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1692
- C:\Windows\SysWOW64\Pro\Proserv.exe
  C:\Windows\system32\Pro\Proserv.exe -install
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4384
- C:\Program Files (x86)\Locate Laptop\LLStartUp.exe
  CheckStolen
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:3600

C:\Windows\SysWOW64\Pro\Proserv.exe
C:\Windows\SysWOW64\Pro\Proserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4272

C:\Program Files (x86)\Protegent360\Protegent360.exe
"C:\Program Files (x86)\Protegent360\Protegent360.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1524
- C:\Program Files (x86)\Locate Laptop\LLStartUp.exe
  "C:\Program Files (x86)\Locate Laptop\LLStartUp.exe" RegisterLicense
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1720
- - C:\Program Files (x86)\Locate Laptop\awesomium_process.exe
    "C:\Program Files (x86)\Locate Laptop\awesomium_process.exe" --type=renderer --enable-logging --log-level=2 --no-sandbox --awesomium-log-path="C:\Program Files (x86)\Locate Laptop\./awesomium.log" --disable-databases --lang --channel=1720.00D60C80.977392979 /prefetch:3
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:3176

C:\Program Files (x86)\Protegent360\ActivateAll.exe
"C:\Program Files (x86)\Protegent360\ActivateAll.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Program Files (x86)\Protegent360\ActivateAll.exe
"C:\Program Files (x86)\Protegent360\ActivateAll.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4768

C:\Program Files (x86)\Protegent360\Protegent360.exe
"C:\Program Files (x86)\Protegent360\Protegent360.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4704
- C:\Program Files (x86)\Locate Laptop\LLStartUp.exe
  "C:\Program Files (x86)\Locate Laptop\LLStartUp.exe" RegisterLicense
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2576
- - C:\Program Files (x86)\Locate Laptop\awesomium_process.exe
    "C:\Program Files (x86)\Locate Laptop\awesomium_process.exe" --type=renderer --enable-logging --log-level=2 --no-sandbox --awesomium-log-path="C:\Program Files (x86)\Locate Laptop\./awesomium.log" --disable-databases --lang --channel=2576.02360C80.381183472 /prefetch:3
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:3452
- C:\Program Files (x86)\Locate Laptop\LLStartUp.exe
  "C:\Program Files (x86)\Locate Laptop\LLStartUp.exe" RegisterLicense
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4316
- - C:\Program Files (x86)\Locate Laptop\awesomium_process.exe
    "C:\Program Files (x86)\Locate Laptop\awesomium_process.exe" --type=renderer --enable-logging --log-level=2 --no-sandbox --awesomium-log-path="C:\Program Files (x86)\Locate Laptop\./awesomium.log" --disable-databases --lang --channel=4316.02680C80.674911618 /prefetch:3
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:4664

C:\Program Files\Protegent Total Security\pgisgui.exe
"C:\Program Files\Protegent Total Security\pgisgui.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3432

C:\Program Files\Protegent Total Security\pgisgui.exe
"C:\Program Files\Protegent Total Security\pgisgui.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4252

C:\Program Files\Protegent Total Security\pgisgui.exe
"C:\Program Files\Protegent Total Security\pgisgui.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4864

C:\Windows\SysWOW64\Pro\Proserv.exe
C:\Windows\SysWOW64\Pro\Proserv.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MEMZ.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4368

C:\Program Files\Protegent Total Security\pgisgui.exe
"C:\Program Files\Protegent Total Security\pgisgui.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\MEMZ.bat"
1⤵
PID:4504
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  PID:4984
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3724
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:4992
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:4968
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2232
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:4732
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:4532
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:1388
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:4596
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://play.clubpenguin.com/
      4⤵
      Modifies Internet Explorer settings
      PID:1916
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:4460
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=half+life+3+release+date
      4⤵
      Modifies Internet Explorer settings
      PID:3956
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3956 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2900

C:\Users\Admin\Desktop\Bonzify.exe
"C:\Users\Admin\Desktop\Bonzify.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im AgentSvr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /r /d y /f C:\Windows\MsAgent
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4340
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4972
- C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
  INSTALLER.exe /q
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1012
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
    3⤵
    - Modifies registry class
    PID:4828
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4680
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4032
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2184
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2016
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4920
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3700
- - C:\Windows\msagent\AgentSvr.exe
    "C:\Windows\msagent\AgentSvr.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4588
- - C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
    3⤵
    PID:3468
- C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
  INSTALLER.exe /q
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:5036
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:756
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3800
- - C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3484

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3236

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5ac
1⤵
PID:4100

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4812

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Modifies registry class
PID:4784

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\P360\Bmp\Back.bmp

Filesize
4KB

MD5
cc0e279845c2b35ee84dba0d7160c135

SHA1
b4cb5366510f3fe697fcc3083a67cb27281821ff

SHA256
f5168b806f09c1f01440d00fad378d048e23fcbcb5be076184e2409ab5f23057

SHA512
8de5462997a230cad4128e3f410712dbd45c24ad348562071caeadadb2d079ff0ff72b6f650c943d17846927b3d8cf1ab41aa93e541711b0478f97755f9c043c

Download Submit
C:\P360\Bmp\BackA.bmp

Filesize
4KB

MD5
62c7a817b9f245c36a72fe9de77ceb32

SHA1
d0638870a4b85d5cb2092838444c2de95aa36d0b

SHA256
564576dc1d0d8e000514d1fa5471c29edadc653718645e52794a84cbf8c19c2f

SHA512
076df62f6fece6082e6dc03faf3563db4e2a86cd9ed48933577d5f3942a443b6a97a62541d7815315fedf3e0a9a30b0fe6ccf7762512bfb6afd15e703bf82c2e

Download Submit
C:\P360\Bmp\Cancel.bmp

Filesize
4KB

MD5
efc9f521d8db5ea896712e764aac8129

SHA1
ea477305142598a7bdf81eb121b9887d2f4cef60

SHA256
a50bfa89c88889881e26d3ba9ad95a44ff998c43e07cb22bd83ded9874b192bc

SHA512
043973dd9746d752169a8b21d6ae1d996e9bb85d330f30bdac1af1265263558ca5473df7bfe07c09b95c1cfa326324810883c4611dd3238ff97e19facea36996

Download Submit
C:\P360\Bmp\CancelA.bmp

Filesize
4KB

MD5
bc98be7ca6997e371e2bd24ffe2fbd8e

SHA1
44bd4effb333b5abf8f2a3a328045dca46b24b11

SHA256
678cd42086870129536c49747db4b2d8c0ae74df64af9323cde0ac802767306c

SHA512
4656839de8f1bb9c695ca9304145c7eb7843f3c25ecde41c19bf855dafc37ceade55bd050a8577b9a05936a41c43d2f5cc5f26a4062fd5dddab695bb1412f8e6

Download Submit
C:\P360\Bmp\CancelD.bmp

Filesize
4KB

MD5
52dc09e536d1528d231df6335fc2e665

SHA1
26cb1f59176dbcc0b9a9477bd15d1194350b7db2

SHA256
55b26144f9603b7ded73bd9f2a80f78d938f610daee052e2cfe7e8bcee8f229f

SHA512
521f9fc59627945eb69b226b87dd5df7c60f5d020be484154496ce1da73ca3c02142a442e198f02e22f67555d1a9bc9976036d7b081e533cb1cc0eadce3cebef

Download Submit
C:\P360\Bmp\FinishD.bmp

Filesize
4KB

MD5
96b0220cf81fd2dc0fc3ec99aa5fbef0

SHA1
a0df480ce33fb3b259622f8198d24c5fd18ad521

SHA256
e4ff4793b4df2108fabc470cdfc64203747d898bda52f1cee32e88a1e4f524d2

SHA512
21a426487f5c120741c236efb3e8413c4fecb9a88034f4570322178ada2f046367c6cba156bb5b24ba31ca7819a42a42f6c97ae060b381be57934a3fd3ce6c80

Download Submit
C:\P360\Bmp\MiniB.bmp

Filesize
536B

MD5
86a5d3e8bbd833d066859dfbd8159518

SHA1
d50619a6c55dba8c6ed75daf465be9bc67ea68db

SHA256
ab2c12fb0958f106398c7beba7a397eee0007cdfbb7837bc5d29d1ae6ec9a79d

SHA512
4f2f59c67dadae82c1af0c7f2547c4b4071965cff96515b5def87241af6b88b4a360a814da96b4e7355456c720665dba439545ce77e80949975763012c931b96

Download Submit
C:\P360\Bmp\MiniR.bmp

Filesize
536B

MD5
fff5a72b3bb22dcba3a1b799d74a65c7

SHA1
d27a92e53916794206577abbb2048c2a7b46e350

SHA256
76671f86a10e92cd97d63d2cf35a42cd476c7da06b958f7cbf6866429430437e

SHA512
3f50412aebb0efe23a35149e4954253d2e5df035f67af5b8c3460eb6c802672439e05d9c500dd59894a547f2272eacb3e9bbc663b6cac902ad352a50374e6f9c

Download Submit
C:\P360\Bmp\Next.bmp

Filesize
4KB

MD5
af210acb922aa9af6de042198855eda3

SHA1
ffbe150976223bf6f7ef9bcd6b564e24fed2ae8c

SHA256
5931687f09cd0884d2bcb096979626104c670f4148317a8bb09003e0d411b62a

SHA512
76402b52414aa0a56b12c921b477d2230c8962861c068a8647a0371148999a678b134e8455586685cff8e04c17f906674ac636daa7b856f9651178ee9944d531

Download Submit
C:\P360\Bmp\NextA.bmp

Filesize
4KB

MD5
156e824dabbbe4212defff948068c938

SHA1
173976b07e7185490107dccb8ead7ef7448fbc2f

SHA256
f68e61f2e5b8de9e9824a4f0731bbf97b1920c88218b9557511c93234e0edda1

SHA512
9d097585bb730564f3b0cc92cfd5b194945ce514b4ca7e646386ffbb82d25e31fd188ef7d02f6596955a4c1c9060b59c1702ff67b33d8888c3e86f1f95a17627

Download Submit
C:\P360\Bmp\NextD.bmp

Filesize
4KB

MD5
8ea8c28318279fa3745b2aeda93291e6

SHA1
d3a06efcc285b5b2648e6c0881c30eb2633306f3

SHA256
fc0645a1fde5b31e301361b95e5e4c82b8a57a95581b05630a0b7288a1b87975

SHA512
63c42425b7ef85415b695ba602b40922cc9e977e76ed46a3e3a161c87f1d320f016a171a5b3910d35a35f31523b6a824ba50af954a8940863beb4a3b4e4a05c0

Download Submit
C:\P360\Bmp\Product.bmp

Filesize
473KB

MD5
4f1ea654aa9f93ca1541b979d618b03c

SHA1
f9abeed127b0da4b556c33917cf135fe6e317f7a

SHA256
5e13352d1363713fc4af906e751e75468039b7aa807a2cbcd49498a3b4ac288a

SHA512
69cc2ce2a0c7b268e8a8074fa0736105c17c259a4ebff37560b213a3785de27b634d6775c3a4eb5852c185fdb4f28bde0e9c8a5bb68f206c7dc03bef328fded4

Download Submit
C:\P360\Bmp\ProductIntallation.bmp

Filesize
473KB

MD5
79336ff12ab97322878f9348ca5fac1d

SHA1
cadb659c93c8549eb77c7d3ac751ac3a78be7403

SHA256
8eb1717494347de1b61a0d21d038d906bac9d83cb44e9155a76c422cee53f0be

SHA512
9561a8a35a6143a6b9c5ee3979e5142818f1b37aa8ef93c9eff1f5f54afb926edf9bb2200e1f28153de83aa6a898319361fd47aa204d3c522f2282a86df0668b

Download Submit
C:\P360\Bmp\Productb.bmp

Filesize
473KB

MD5
195ca274c68681b4da6e564956099d65

SHA1
0946c8cc7043091b02d54c49229ced6dac22c7ba

SHA256
423527c095007f9b4fdb02662121eac57442235ca9e9ffb258211da5406bb211

SHA512
bd4893041feb11514be17f9c7aae73e47e5047dcbc6f7ae0aab9232070e8f4d6106b457f7c045b188f56e5c23c8c403b1160a1fc23d4a93468decdac90106426

Download Submit
C:\P360\Bmp\closeB.bmp

Filesize
536B

MD5
54170e3fe3db14e29b0914beafba30a1

SHA1
244dab05e1c0033b399e093e78b577e54c3b1e33

SHA256
ecbe53cce21b700c94cae2f3deef26dfa2c8ddb73fa52d3dd8e3527b66998f61

SHA512
f92eebc65eda40565cb4251f09ab429d856e45318d40b4c2e634d1a9e318c076c809b03641173850b1169fbbbd08b935a5c2a5d06a46d4684924395fafaa1bc9

Download Submit
C:\P360\Bmp\closeR.bmp

Filesize
536B

MD5
21cdebd86b24541f24750811316b1d02

SHA1
c9ad6b93508817b79224250ca43c3178013f88bc

SHA256
7cd7c0a1d19005ad88f76fab6696bc9d890243578159b076f91d1f606a959b8b

SHA512
9bbd5f42b838009b7a20c4a7c5c56ef2db5753d00c74474b15d634e221e08dde799ce7385fd574d4f48e2920919e56ef7d235558bd2e63887f4c1876216a33a0

Download Submit
C:\P360\Bmp\helpB.bmp

Filesize
536B

MD5
44e5b084a8e045601968a0edc4643dd6

SHA1
d3531ad4ec2cce855b5890b8b44af65420cf3b43

SHA256
b0bd4eac45c95c5ebf4188f9be00ee4c56100453ac43d397994d37b1703294bb

SHA512
60d0e71b76b4329e9da6a4c8898da784ced9cbbafb07fdd2c41ecac38ed7873a6201fbbfb77a1cc141f54f913ba21951d5379381e57bd9a0df92f7b1abaf9823

Download Submit
C:\P360\Bmp\helpR.bmp

Filesize
536B

MD5
acc4fdbf40f20e8e3cec40db8cdbcaee

SHA1
4a9643b5966366f5418a4a224d2e15f878c39e61

SHA256
a78c7161626a2c1797026e673f28c7a38f001b8735f11652271e25538c91f0c3

SHA512
f6e045dc1a317e89e09328e6e0c380fea687fe54c46cf87bd2ce5a7fee955603b15eb404fdf1b5bf966bb0b864aa33f734c5b1f512fc378dc1bca7e2457cec58

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\WindowsVista\BMP\CommonUnistal.bmp

Filesize
65KB

MD5
f3cf37016021d51a381b3212acee7477

SHA1
b6f1ddd879af8e153166ed1f2d1ecafbe9b35f3b

SHA256
5f11918771967d38f65df5d31249d18b56980077ed5938eeac64cf61cf25b605

SHA512
e3150aeaacdbe7ef2a983e85123a5fe7f07b3b7d8e3e6112b02b1dc59c8aa9ef8b889891df3dc461250f88bbe6e9968a3ba4f8965803f59af93b487a108eea7a

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\WindowsVista\Common Files\CommonFilesexists.dat

Filesize
488B

MD5
3c1f3f686af8dc81bc988cdf0e6f838e

SHA1
8fadfb27c507f299ecc971e3fdef0c8eadcf5f1e

SHA256
52f65b6de647f0419511ae49783dca46865e1e7a77efb64dfee7bbd895e5c478

SHA512
2f4c71a1236f3876427048e07c9d9e110b5afa112560b27e38f8a972a8bc15067835ace69a3bf1eb80fb2788aa459450d05684de09a3d5c2e2a3873bd8cf9f03

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\WindowsVista\Common Files\IdleTrac.dll

Filesize
24KB

MD5
c6032765bbfa12c06c5ecbb879c01cf7

SHA1
3fea1e2b865386638d41597a885a914681cd4a5f

SHA256
54b425e6cbd1dbafac15d76d34fe392b21f2ecef9184832f9743d475cbb62ef2

SHA512
5b7f4df0ecf4a3616e217ac890b36f69fee7c97b9cc107bf34148e9c666d4fecfb9787dd5db7706d553c7c380d8261e4763d8af36e08bd91fdb8aecc14a051e4

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\WindowsVista\Common Files\ReadmeCrashProof.chm

Filesize
695KB

MD5
1887ec4b3a80e74a6bbee0bcbc5e03a6

SHA1
c486d19038c1bdc98354fc6a7e64514a68f4dcb8

SHA256
87abcd318d9f1c232e9df75dec2576656c34384b78e9c62e682bf225fa48ba74

SHA512
1b4bf78a0b487507236117529ed6aff4f2b7668f12c93ccae61c64581402088e5cdb32c32ea2e32ac3be988c4e83939ba992a7eb3c92491ee9e861fa5d2dc0b5

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\BMP\CP\CommonBusiness.bmp

Filesize
65KB

MD5
dcb698fe31d823a36856fb5077320c1c

SHA1
aefe5f7978a57e78cf320b30456e7ee35447c7f7

SHA256
35e74c70298876d5014d9308ec8b246afdc9b9263e582b74d9e8012a12460124

SHA512
539d783d61c9b938fd7eda45befa4ac283cc96a499b9bff42c3f841eca443181aff6134251c7067a7a4ee1a45150c3cda1de342d992c4a57b15f29878dd8448d

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\BMP\Common\ProductHelp.bmp

Filesize
67KB

MD5
0e2e14f65d7d42307d8a65ba8f691cdb

SHA1
e5e6fc3b0a4176be24a5629533ae602b909d1685

SHA256
fdd77fe584917fb1fe5a6763139bdce668acdae9ab7855a6e98df8d47d40135d

SHA512
8b8717937db0d68989a57663536e7f29df9298b78f7f38108177cbe19cdd05bac7f136ea623cbc1c2d5aa952bee0919e42df34cd7688381400b57fd156f37753

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\BMP\UnistalsRescueDiskette.bmp

Filesize
99KB

MD5
32fc66eae8949fc6a6aac6d91e53c155

SHA1
71a05c874c25fd0830834a04f256a4292d66b46a

SHA256
960c09597bbd4f43823da5206ee58b5a2bba21124cde89e6fce2d419ecb16ec3

SHA512
42c87a9b129a45b915798bfe2bcde73edbff50105f6a76eb85426490b4d719e707157bd7da7d3e42616033255a958fa5eb18e3b224bf6017c8ef3119859c0435

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\Common Files\CommonFilesexists.dat

Filesize
502B

MD5
62a03b5b3c521d8c80eaa76a2d16ead2

SHA1
68398b4b98b7a2687d638cf4bf3df3e3a5c1167f

SHA256
db42b7025308893be6deea61bab6699934eb2bb1bb0efeb7e5c68f5bd8ad7efc

SHA512
6d5adce339680edb197e1a6c3ca6437fea0e72a35c653c66355a512f5f2d4d431c1a08cdc8d4a74d56c75c4f061e8f82dd5a8eca57f79ef931b6760d9cf341ed

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\Common Files\Disk16.dll

Filesize
13KB

MD5
9c442f73aecadb01e83643b51aa59e45

SHA1
7687844c1f5fe5aef49f715391dc703ee21fd020

SHA256
01445aa0f8337bdf6ab5f665f24550ad49b3556d3c351807106b838dd3f97d15

SHA512
2db28ab4f93f65259ef1e62fdd52700c22b49be332c08383dca8b3e7aef24b7b0b23519c1e44b0e147014c4d5712bc8c349ed142c4be1afee0f6f11351c32dab

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\Common Files\Disk32.dll

Filesize
196KB

MD5
bb178c74486b3cb71f1d92708c69b9a9

SHA1
06987cd938309630e8e0f3833257b3e8eda5135b

SHA256
4b9832e2ae7e36b7eb17638abecb8505476dfc03c3acb17d9cd299cbd7d4deb1

SHA512
31670e56eefc1dfd2173b1337684f8130b0a963185572562d75bad279b2e4d139d69ffef7ee3c0faf84408af52cc3e43201c270f299be082bc07252d1667eb85

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\Common Files\DiskSerial.DLL

Filesize
84KB

MD5
0fb18f2981f4dd1eef8a1c58836d81e8

SHA1
a04675f1f8032a64193cab6521609e9d9ae055c6

SHA256
a6becbac1e00e355e06611867d13cc0a32163dfd943dc1334ebe0a76d1c0bee9

SHA512
6bbda212efa966cc9e0b63a527e5510e78f78429d64653f6ae4229df4d46d0c10cb84262b8abcc56e2a3b375b3726d7483ebcbdb6befdb5eea1345028e18cf23

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\Common Files\GetDateDiff.dll

Filesize
32KB

MD5
1df790e84c7191f21953e373b66ca58c

SHA1
ba68e34aa8af146b28b322deab9c4abff00f986c

SHA256
804350550334984a82639a9fd25b2800f86baee8aaae2ea514f010d0df1ae899

SHA512
80007369f20fdc1ef9b1dccf4308db2dc2db9e7b601d6f89cdb6ab21d1ffefe604a0f39d0509f531a525723761ff1fafa82cb07d50c09cbcb9a6066ef500bbf0

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\Common Files\HDkey.dll

Filesize
48KB

MD5
36902373af93d0d021f9b27740a603ef

SHA1
26263a80cecd609a04c4ce0e6d02a6dcedf883fb

SHA256
7d003458b921dee2b0a6bb76d2342b427e7b48bfd5b6b683f6e288f6b6d033ae

SHA512
8ad95b56f9637c7a5139205a3f66f17c238ae2a406a9241a565fb1dfb7c937c56d8830486cc469f41dfb6ea4ec587fe521081ba81529fbec536cc99b8cf66473

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\Common Files\IDE21201.VXD

Filesize
4KB

MD5
eebce32039cdd922f541f346b9018ed6

SHA1
9912efb1e4ef894a7972aad10bf97e723554f03f

SHA256
beb6777c5e2fc98feeb07fa5b4e53b0678868bc3e3fbc0cb3b7afa01e1c634db

SHA512
3a18ce93bebd0f9c5cdf786f59672b1c8a6dab583536edd04cdf2bbc8d84b03952c6f28ccbd8d0e53cb821f83126e6872811f10c9965819223b79294aad55f89

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\Common Files\IMAGEDLP.TXT

Filesize
687KB

MD5
b35ea74661c7365b6b72f2ec12840da6

SHA1
7bee6c2cc6079deca63cbd90c0182c964a8c98a4

SHA256
ac0b1096b2845673191187a5bc632693a9360fdf14db0cc2fd459251bcf6c154

SHA512
ed54a07c597bcc7f44e01ce8d98f0f8abf0b562efa34083bac1649404abe7091a35b1c53d00d985a00ec383f84887e67a3cf2f9a2db6497d40a2f9d23eec3759

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\Common Files\Nodisk.exe

Filesize
9KB

MD5
1bf3791932dc4692e76ba256faac0404

SHA1
36a073e6e1982d226699afda526df5c84b00e6ec

SHA256
62c0aaa2914ca9fc6b04064d7649b1cf8bcd29215bb325c895fc935479290f46

SHA512
09c319fbc6d8ad8c033a8f87b1f6144e1fb5abd7172864025692318e0ea2e3d88d35e1d57988f7e6fa2563b624b583b56ee891ca3d65a0cd5c6dd2f8d1a6b2f7

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\Common Files\PSAPI.DLL

Filesize
17KB

MD5
b3d22a483875a61cb2060c7d518effc2

SHA1
d9bf5f0b6c1138281bb45e4cfebec2c4d9753fb2

SHA256
d88ad399f7dc2d4830e7af1be3bfbf45aaf75e309f0b6afd8a9c4025bf19930e

SHA512
3add04e7dc482bb4b1e72306fb55ebdbb1a8fccf5eb2d1513695e9046d754322117c145f7eb1b4785e556c466efec667c70c0a573f24c2e6c141ef324f9287fe

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\Common Files\VDMDBG.DLL

Filesize
22KB

MD5
0ca19ebe38fc164367caf74325a44792

SHA1
2b8cf9667eb15ca53c72bfd139a14acc5507ecd9

SHA256
13d7e0dcb0bdb5ca6da7fc8117c2a9a4186b8446c21a4f9e281bd8dc0533aa8a

SHA512
f81d42cd7bf05df7d0becd474f2ba2a6c3bd0ebb4b55c31518be4092701c74690da034867c7888932756e470a618b39873532be8109af6897bf14c7113906606

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\Common Files\unfixwmi.bat

Filesize
60B

MD5
f98fe63c367a5faf0aea514407fd1b06

SHA1
51c5f731a6c1e3288e545eb64f14d88d3a099368

SHA256
fdbc0dadc5c425e8cbc2570069d83a5dcd0d52f8c056f7989e0bacf8a274a632

SHA512
618ce0fd4d9401108be84508568c1c8dbfc43bdab2292a9eb8b2860f768e0db457889cbe0e6ec2c95e2b72c436b1921682465b13ed5b146e13c02444b26a16c3

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\DLP\Crash Proof Help1.chm

Filesize
14KB

MD5
14140666a29645d7d1e185d68d77641a

SHA1
b32228ccd1e8aa8c762177af1014f3dd80fc8cd2

SHA256
dc53ac2b934136da7bc9fda2ff58393fd4800aebc2cf54eed4279f63dbefd188

SHA512
556eae70b05e4ef346eb600efcbc36c51678738e6246c9717a1fcbe00e5ce8e582f817e78fb934c6bfb73ec03522a6c06372d910e8f6b252aadf9d940a763ffa

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\DLP\Crash Proof Help2.chm

Filesize
10KB

MD5
9676b2452fdef419ac60a14092f1ff02

SHA1
280c12d2e054bad39f5c5ba193cad4af9171d56e

SHA256
7f431c964804a6f9ae467c1867e03d5d6b1d599d72ca899ce4d1a368eee656c4

SHA512
ad357544b7928072e183568bd1c39f9290f39622232feebc9581f1fe9b90b061c27e922a867cf650a6deb759f5ed38604c7e680bc7bca19768845fcaee23a5c1

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\DLP\Crash Proof Help3.chm

Filesize
10KB

MD5
9f991dad92fe8b05ac048727780ebb00

SHA1
74aa6863c2c06d6de64de51e568fd466061a4a70

SHA256
0ad3bb7bb9a27d10e727f1cfeb1895f0638b58145c504cd4e2d37ae7d6204718

SHA512
947197ed08ba20e5e0866bb83cabce4d350846259bdadb6dcadb5cad753449de31274e71d614e47843561069bb82114be4b5143268c4b63908225d8fa9884cde

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\DLP\Crash Proof Help4.chm

Filesize
11KB

MD5
65217af5e116ce99faac19d0a5403300

SHA1
a015208c4f863a34dcb9648415d49f4d6ecadf29

SHA256
1b4ed269e543fe1a6d7f94c8a49c10ea39353231a700cba54e101419cf15440f

SHA512
c639dc13a0bc5b0b47e280240cf11e92268867ed176cbd4bb6b18a40c2f95b40d3a26037498ec9f6ecce08274a44b42ca4bf5f9184d5c9fccfb329c8d08e22c7

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\DLP\Crash Proof Help5.chm

Filesize
11KB

MD5
68d86027ac7e7426c9a2c104c17eba75

SHA1
86ef37693fa8fd27d7dc8ede468f935ed3177a83

SHA256
6e00fb912581cd445ac805809d474480fabb92dba81bef70cab1f7dd33d67117

SHA512
588b4a75599995e5e5c7eabdd49322504b86789a2b694c146ccf0a49e0526d794b077e04cb06d8992b758d9c83b0eeda9fc1f4ed6d9a45e3e7a1463082f6dbc2

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\DLP\DRIVEGE.EXE

Filesize
11KB

MD5
f051664c499bb621272c84f91546f2a7

SHA1
e6690b96f71560bcd2bc76ee73059f2d5da07005

SHA256
a2ade052d6a4379eec95fa8db267b7b307a2b155c1b2a7d33f8bd26604e7a485

SHA512
12ba82b37bdd979f5542227c5be2d66fdaa416450ce8ea8456bbd33831f8c4df600558d11c0869dd55d2a41421a26429cc176d229c473319c9383cc665aa75a4

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\DLP\GetDateDiff.dll

Filesize
32KB

MD5
527e808434b179f3880ee80305627757

SHA1
9d9f88d8dba27c004ee5b643cc02c965d374dfe5

SHA256
aebab1471817db02c69d4f34d46d2a64e91a7526880842c1718ce0af8132a3ad

SHA512
89a6fd3f83f108a44297145f6a96c254dae8ec97d6a8198a7d192a98283c81e74d059285724c6ee1eaee23f7da4b73ccab7987f4072d2fa29c5d3b6f554d6eae

Download Submit
C:\P360\Unistal\PRO_PRD\CrashProof\Windows\DLP\REVIVE.EXE

Filesize
409KB

MD5
c1bba339497bd5b3dc351c9e615d7c98

SHA1
4127f593c2e3bc3aae098e54a2304098ed7cbffb

SHA256
7f0705b534c19f5ee6c3c6bd4696c0c96a60abeedd47639167445825deb2e43e

SHA512
e6d054424c7c5e2b615746f380ca122a459bcf23e740dec51af5d314132c3eb71697d8a51bc662c6060db3eaa03864210c04557d74a137cee4ebc55a557f654c

Download Submit
C:\P360\Unistal\PRO_PRD\USPL-P360-S65.exe

Filesize
11.2MB

MD5
6c2a608f58bc102f344cd9582c98055d

SHA1
9debf48873e34995ac1c37420a267a1d3619cc1e

SHA256
8403dbdefc7e00cf5ff155a150356d8a2657013628f5805f07e7e68987ad8803

SHA512
968447c5c11f46ea55ad8473458e7ffaea966a40f19e4f5a3ce6855a4a9371a734501b62e78e42e783e2492f72b2587052bcc832ca76bae6cf35f62fb6aca427

Download Submit
C:\PROGRA~3\UNI\LL\Report\Hdkey.dll

Filesize
48KB

MD5
86eefe3716960c71bc3500850bccd433

SHA1
6444485845a051d472930ff8f182bb3ab6514a8e

SHA256
04a02e09486f9d93621dc76a67d270f29a483ee4248b82ac4ef71608e83d31cd

SHA512
7137ffc0e999f59663ea6384f736b0c55bb43c0203c54393cfefb7c51b576e19ccb8822eed10067ceead8fabd837a006622eafcfd813eaeaf61ae6c46319f632

Download Submit
C:\PROGRA~3\UNI\LL\Report\libcurl.dll

Filesize
625KB

MD5
e0fa129c9afc903700278283bdaa6456

SHA1
20446d6ac76ccae9e70a1b42b3b79178e5e70327

SHA256
e1cc34199369d59de0487c9512b73846113ee67553da7df95cdd54c1f9b96eb6

SHA512
5d44b417efce685f4f97900a6e2c3037497e9a8b37147b680320e1876a4fba118889fae672878f2215a1ce9b1b641451bd3cb6f3b979a4437cabb6c3658c92bf

Download Submit
C:\PROGRA~3\UNI\LL\Report\libeay32.dll

Filesize
1.6MB

MD5
41fcf7cf7aeea0b7280dcbce914d4bcb

SHA1
63d67a5b769774de2057e346b4dde9edf4d2c2d4

SHA256
1018b24154c60d4276e3c08391dd9ed6a4545611700d85859dfbbbce8a89629e

SHA512
37ec8334d4d87db19120d3074ce0176548b034dd8745b13bc9270780d5e67db1e28b2ed16ef0f770dda39dd5fb402db5ccbca1430fefe2a335399eaae1e44ba1

Download Submit
C:\PROGRA~3\UNI\LL\Report\libidn-11.dll

Filesize
273KB

MD5
56295c7afe3f0542d59d12ca955380db

SHA1
a076c754e77185f8c107b27b13d2307ccc981acf

SHA256
1869c96af7c8f1130490b626f9b2c335f14a7b014035310d2421200e6cd98a81

SHA512
9b81d42aad1c9d2281f06ca565b71a4e1d74d269da7dbe8d11e1200d495cddf80e4e41a99b8b0a9962a57ecaf69076bf93a57c67cadd004febcef84161f29b1f

Download Submit
C:\PROGRA~3\UNI\LL\Report\mfc100u.dll

Filesize
4.2MB

MD5
f3de10aabd5c7a1a186c9966f037d0c0

SHA1
6aaae8331a5377f4025d2d860e5872b842a41df8

SHA256
bc50848aeef466dff4a3d8c386bf0d0ec35b8e5b438031ae885aa5371f2e1a42

SHA512
07d93b8abbf8acfab1d8f0711a37086764000310450ba361e7d5e1369012b3a45fd394460841b0f3cca79acead2080bbe1f029bc36191c133d7ccea182ca84e1

Download Submit
C:\PROGRA~3\UNI\LL\Report\mfc90.dll

Filesize
3.6MB

MD5
361a47591fd31ec99a9794b6541360a6

SHA1
d165daa965e3717f35549596ba8b841e983639f5

SHA256
33aaad746f1873a862cdb8c4ae6002bf3503144681422ee2b5d3742e437d751e

SHA512
e2044d672fc54a3250092236416da6393a4f05bc51bda6a5c38dcd36d5aa986c628e1e18b9b476eba9514059b682c6fa68062c48aa172eac056d7264914d582e

Download Submit
C:\PROGRA~3\UNI\LL\Report\mfc90u.dll

Filesize
3.6MB

MD5
a76104d8d9aba3670fd3cea603d70ada

SHA1
5c6d169767bd9cfa82e51edbc86228eca12b9ae7

SHA256
443fd2e5fce845e3e682f6057081b8209e4b7d1f50e2938f7cfc003f2a6b1a01

SHA512
f6cb86e66b5b7816d0d5bd8dee6fa90415c688cdbfa89a8f44bd7e6c044dbc79b8333d76bb626dd0eb28651f4cda39a6e7fece8b1ff646f8cea5590d4273ac49

Download Submit
C:\PROGRA~3\UNI\LL\Report\mfcm90.dll

Filesize
58KB

MD5
c38774421c7b64d2c23129a200c60f47

SHA1
8ab09a402598f80bebaea7e6eebeb3b879d99a18

SHA256
57b6ff7f254ef62b2e7277ce4438ba21e7b92cdb5066bc6615ada65dc3ce6fd8

SHA512
41766eb38c93e57b88f9cbb1c2fd65c2ae38cf1ec36c4ddb35a6ffb45e03ee9575627fb9c25c0955887853f2bea353ff9e9c6c405673268cb3756499f7e1eb24

Download Submit
C:\PROGRA~3\UNI\LL\Report\mfcm90u.dll

Filesize
58KB

MD5
db59cce916665d8c9a8a87198daede34

SHA1
c5c5985fdd04ad100390bdeb10c39ba1a1a95894

SHA256
fb7beea50b6404f3be9567041f294469195c7378106ef39e85b5b950ebf93eff

SHA512
02c063366138597cfdd139cbd6ff12b5bc206573fe2ef4525f020f46fd0c613a921c20d72eaf3e827ff967f6aa6a12429f08e047b911ee36d1cab72d6a0892df

Download Submit
C:\PROGRA~3\UNI\LL\Report\msvcm90.dll

Filesize
220KB

MD5
7b37f8ec25c9ad853e8126c1d0992201

SHA1
fd87d19fb51010dcdd31ea0c1f14e075132239b0

SHA256
866f51d4416b6a0bfbe8442cc8c1716152e4c3ee3137c375d05185e8171096a7

SHA512
5d3455fdd261c689bc77fd603c09f5272c04a3438449dce7adf816b69686fea03abc2139404be4b21aa62247a479a6968be976b88fd7eb301ee923b92bcf02c8

Download Submit
C:\PROGRA~3\UNI\LL\Report\msvcp100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\PROGRA~3\UNI\LL\Report\msvcp90.dll

Filesize
559KB

MD5
871f979d70414c900b35e56222932daf

SHA1
dd683e4ad54cab6ba1c7b3ce9c0925db0e1d0e66

SHA256
91fd46d7335c9990a20f215b9f6f53bc59551420a9c99ad8110ae2f9ff7598f0

SHA512
87e1e585a8a5ffc1bbe87d58e4d8de2831d1589526143ca0cf7fb919b4842c81e50b656cb6a44975d707753063171801cb538d6755a573f8a91cc8be996f7fc0

Download Submit
C:\PROGRA~3\UNI\LL\Report\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\PROGRA~3\UNI\LL\Report\msvcr90.dll

Filesize
640KB

MD5
4d03ca609e68f4c90cf66515218017f8

SHA1
545e440940073d5ec49d47fefd421730f8b33efb

SHA256
cf420aced0d810e1d75f6811dd986f2d9fded2fbb8d61fc9a7024520c475febb

SHA512
1b52d09f94bd37850d098ae7222e85e16a4f6df14cfdfc28526cd98b81fb009865fa75774ee4feaa2e5d5861bea27759fe4fb979c902f8ea60afa8c3e1f723fe

Download Submit
C:\PROGRA~3\UNI\LL\Report\ssleay32.dll

Filesize
360KB

MD5
23d502041c9fd43337933d44bca90e12

SHA1
3b2b29914a26b6d3b819c0fbfdb1d31be353603c

SHA256
8d7d5d574de8f5535e41ca4467493aebe987502990b5908de91496f33d902010

SHA512
64bc832a1e75380950d566679e8d63f408967f33bffb3cbd0b2ecd1ae4bf04b3311822a873052a34cb1525a3ed557640582de71da8daec635e950997c9947a7e

Download Submit
C:\PROGRA~3\UNI\LL\Report\zlib1.dll

Filesize
110KB

MD5
e4d7dd0a413519b21621ccb7d1d78fa4

SHA1
b2300402703433109cee85fd9f70e81bf867c319

SHA256
f4b42f671cf34329584afe4193c311dbb2a0396524499a23819467431a2b673d

SHA512
362efff6e94393740ffada25fc5ba19c77ad619fadbf296ca20620383ea54155af70bdff13ce725bb5b758ef2f3347e798dd411e0c8b05ec07ca2739e56a47cc

Download Submit
C:\Program Files (x86)\Activity Reporter\BMP\is-HMPGP.tmp

Filesize
3KB

MD5
ee8b767f359b176599ab59aef3a6d697

SHA1
d899762a752a635116c44f12b10cb21eb87cc3cb

SHA256
f8f4e189eeb7da660bc027d7eaaf1de425f812de62d6762771c2eb39fe46f462

SHA512
affc47679aee6ffcbd7254bee038e876518a625732d6f3f99ff10fa4e052453f51a6596bd80588655f71091114799336e73ee7b3f5b495413518083f19922a97

Download Submit
C:\Program Files (x86)\Activity Reporter\Servlog.txt

Filesize
257B

MD5
933fff6fb5a826eb27dfb8fa6c265d3e

SHA1
4f515c2ce8be0e38aa242d948804d6e1c63d5067

SHA256
ba9d4b79b7007b283c0857cf2c02986480b2fc69578aa54ff25858178a15ee4d

SHA512
174254be951c1ce51db39e54bc58fe4e7d9100a5f3733f290fe24239f75b6c99f355d169d290747e52a6b13c5f06616b809b2e3bccbaf628fc179fb789f724ba

Download Submit
C:\Program Files (x86)\Locate Laptop\LLActivate.exe

Filesize
1.6MB

MD5
1437fdbd55acb7f97c7d70cef9626098

SHA1
8b9ed649f6da2da2a458a703ccd67e8d62fb3d11

SHA256
c577e31469957f1c478e13e0f792a7de0ced94c3c7d16f4e91c0c3b7c29b8197

SHA512
2bd66a41a528a2780614dbb6560ec33db925fd79efeeeb968ac5766a567a567bab539c28aa9b30efa2183cfad6d6e70fc0ee69889e81aae4242b70eb9fc40440

Download Submit
C:\Program Files (x86)\Locate Laptop\STUlog.txt

Filesize
273B

MD5
e1390c84d74b1e4ec366b9eec437d3e7

SHA1
458330939c3f99486cfd47347ecbe63abeefc678

SHA256
73e10f1618013be82ff06675c2aa4f1997257d3fd1b901ffed72b979b019a24f

SHA512
e41af6bfa70ddd34cf4ba40fd3e363ebc8cc3631d12c22c0b6263f8aeaa6aa728a81cf65804c71125f874d0bf6f9e2e5e944eb8e88caf3952f1f43c1264fd047

Download Submit
C:\Program Files (x86)\Locate Laptop\STUlog.txt

Filesize
1KB

MD5
8755cc656ee45f64dd70b791ccc11a82

SHA1
feb3a8c80de044d63b295b716610d672eac78f43

SHA256
278a5c1ad751046a614e613a5f6579e15133af401092d7410d48c30d6f60255b

SHA512
95a6f4bd26fa9fa78da2bcb9997cd78234be3efebb4eaa6d4c30892b6a15c6dcbdc66cc73bb7aa2c4c208fcdb3cbe0d355e0518e49fe1fb317e909e1be2e8385

Download Submit
C:\Program Files (x86)\Locate Laptop\Servlog.txt

Filesize
366B

MD5
13ee274da9cea58f5253ac18910786ce

SHA1
6aad93ec139aa037f71187b436b1808eb77e6830

SHA256
ab467043871a886dd37cbd2a6f9987ce7734b74fb2a7db7a34f1b52e4a0b86c4

SHA512
c7fa02c3ca9863551dc6666255656179b439390336fc1c0ada2661c96b665d4f758aa2e9939892363219f3f7d9c198cb58e78461b30c68d90c1b5496794d93fd

Download Submit
C:\Program Files (x86)\Locate Laptop\Servlog.txt

Filesize
114B

MD5
2f005747adc265a3b5346a95251d7d33

SHA1
e90fb5c763c5ead6ff6a91a270789053d6e64607

SHA256
2950568df1c0ad1cc07837c0301366028506ad2649806a08cdec71dc10511efa

SHA512
55b8a54497c3d0303bb993af0008f01802ec5a39a974077c0ca5ef089f30e45f4fb2d10dff476ba5cbd22ebb438d92a03f3b5d2e643bdf643e63f7833152d664

Download Submit
C:\Program Files (x86)\Locate Laptop\Servlog.txt

Filesize
849B

MD5
172aa9fc639c65ed90866f59bd0d8525

SHA1
087ec8e4ccd8368e232424b8abcd62e4bab6b027

SHA256
3d27a2e9a48c497493fb96213fb552448b53016159d483eebf75378d8beae091

SHA512
1afeeeab5df4637fb4984c569e3c775b4b5ce1cedc76f55cac3757b9c8a7245c0eccf79f11af821dc6e24ea522d951d52adfead46463087ad6b8ad399ed10cdb

Download Submit
C:\Program Files (x86)\Locate Laptop\Servlog.txt

Filesize
1KB

MD5
d6c6031f94928bcad6cacd938fe7d470

SHA1
a1ff6d1cc9aa1a281b3caaed13898a096539039d

SHA256
2cf3ef9f85c050c36fd6d5969338bf9a20497cebbed4a1adefe8a539fcbc5b37

SHA512
e8610dc92b154d40c7e483470aedfc0519f1b9de0cabdc6ac7184f29631a26802327c76624626a58b043f1229ad6ea9c315d7ff518b0fb2cbdd738f864d5e8cb

Download Submit
C:\Program Files (x86)\Locate Laptop\Servlog.txt

Filesize
17KB

MD5
203f6ab8774d8730730b5d786163b527

SHA1
9190c44ebc68b2848283c0292e504dd1a5d9cdbe

SHA256
3f8e6292102ac6b5c1dacddbf7923fe1218d9cf8511a01a55803323a8792bc76

SHA512
fa1bacc15be33da1fb3af1e5cefa56d11d8ca98b74c1252b6606880a27adff930895e85cd7f5ffc22ab13b5b80a7ddc778133a687441dc8d44a6e65b581e0093

Download Submit
C:\Program Files (x86)\Locate Laptop\Servlog.txt

Filesize
6KB

MD5
e19ec5b06f2471d209e6198f65462cb3

SHA1
ce9b26a562c54410b7f95a3d28547105c07d3f14

SHA256
2241a0057cb05fb54b41d55be5cc384ab4372868d2b73d2cba2d9d25c54a11ad

SHA512
41fdf44d7a0ade69797b088c052d725714bbd4fd2a692c9400e3d2e3141da4727dc53a22a7ad78c4ebd257a0f954aeb2e7e007071232defed7b48ec45d0e9a9a

Download Submit
C:\Program Files (x86)\Locate Laptop\Servlog.txt

Filesize
6KB

MD5
ef14d4c8e6ebd2c6a1d4eaa90ae180cb

SHA1
87ab8c9e31f7abc1902267cd389db2f5abe53f50

SHA256
9a267c9c48cf23b6f2bdf5e8ddc9a7c07fde006bf37f46880ceaa57e900efda0

SHA512
764d0101102fd900e6ee48990c86dd241bdb052f0c29a71ae47d8c006d6e5ad466346a50e7366d769d0c7a7545754469b336a1c817b332b637235c4d0fa4ac4b

Download Submit
C:\Program Files\Protegent Total Security\conf.db

Filesize
76KB

MD5
3f5da2c427d82c9c9d20b0b7772345a3

SHA1
30eaae0b07f1c9c49f223ad59dfdc30e9c3ac85b

SHA256
2805a25471e1f1ba18354d4aeffc68374c5b36fe37166b657b1448f7500ae1ed

SHA512
6b236c1c36a21d079f4d1299ea16ed1cd13dd0b551f462d6b96254f77149e3a1c266a238fe73329ee36c7a8b489631660104326e225aaa776004b2bf98c0125f

Download Submit
C:\Program Files\Protegent Total Security\conf.db

Filesize
76KB

MD5
0d3ff8ae3ee10ae5768878bf7f559e1f

SHA1
01f5ba653c686b8e3fe3f8e365e0554f00930323

SHA256
20aedc188fdcfd4784c0bb2baded86976a5c160af34af30f0efe6a46f8878a93

SHA512
8c10ae8b53f299573910943ed0c80a337cf244479ff790e1708847b1997fbb00ab66b1c245aa7847dbf4d883616460c405dab2b2362d49c67c53beeba6659525

Download Submit
C:\Program Files\Protegent Total Security\inst.dll

Filesize
1.1MB

MD5
ea304f098e618b5d70c56266035779d7

SHA1
17e149b9ab174088b51c2164eb74cae42c86f899

SHA256
c9b44ebeafdfcbddce6b260be368d7d646ac1eaecf0daa84dfb817bd905a49ea

SHA512
c1892c9c5e2dbd4f8b88fae9dd10300d27c2af924f27ca0dcd38a7e921a75cac6055651870bf24cb2032880992f8b8ee2e24ee3ad6cc2a121037473c7b984a1e

Download Submit
C:\Program Files\Protegent Total Security\opts.txt

Filesize
71B

MD5
04d25fa9efe6bbaf54ea8e5b3dbedcab

SHA1
5a01c01eb3c20a790acdfabce3d0c15f8941b193

SHA256
845bf70e68c50b94959bda45e5f6f38ed8bee6f5bcc9901177152a660698bf6b

SHA512
8351a93e9b6117ed3a5e269f044886251b23ea5562045a0a27e6642166dcd7d4360606c6a534b14541c702c861d64a9fcf66c3c78b9305c8ae22d92c6afdb85e

Download Submit
C:\Program Files\Protegent Total Security\opts.txt

Filesize
71B

MD5
925a6312fde3d73972968dab17afb550

SHA1
d199fbef0bfe83bd459ebc18fe1b73dd6f4a94d6

SHA256
ca88ade63803c3179302bcc4ebffd7d04de1c1c82311895e70ee144aaed9c1e7

SHA512
78c1f3ff5eb42ba9938645a04162eacb9e472a681d00aac87f271895681761258b79820898a1ffc56ef99ef609112f7499e8929ed4c550c7c380f0db7ba66abd

Download Submit
C:\Program Files\Protegent Total Security\pgisgui.exe

Filesize
11.7MB

MD5
cb645b27d68504e939f393321f8d509c

SHA1
bf2daa21124836d4a82089c0831c9fe326d01008

SHA256
e607c579f7f1569e07062111b7c01d465b35d837ff60ee0ba41f9739c7e3c225

SHA512
48ee51277841bbc0c89ed39377ad1550487bf9e3ec03339b38b2de6d1a65c12f8645004d17f9d5d359be32a42160ec38a28e2d56d6aec7468b739346b6c7153a

Download Submit
C:\Program Files\Protegent Total Security\pgxsrv.exe

Filesize
6.2MB

MD5
ace754f2bef2dab77f609379278541b7

SHA1
09bd3fca4e05a090cf2d413ab88757fb983f824b

SHA256
e4c9eb024364add224e7bedba4ae2757723b835acce67e58cee8647f1b7eb8a7

SHA512
56bc353925f0c81e88323a3e6bbc1078141ba026547e692ac5586489a25f7aee053a43552d8d5b960179416972b025a49b05e236713e83fdcf024d6bfd1520ab

Download Submit
C:\ProgramData\PGHAV.xml

Filesize
190B

MD5
ee3ac1b68d3e4307e4be147ce32e973e

SHA1
7bccf8bf98f00f32e115735cb3bb264151f2f150

SHA256
ea8bf0288039a8a4442fc7319e5bf1d5d24426c4afe34e54b2e51f375d9da002

SHA512
deca514c0c89eb4164a28808edfb9bd31a6da335d937d2f4b8ca5117eb426ecd09607aca1ff13c28be5b1521d62368058a87af241e65f3470e002a4519c0874f

Download Submit
C:\ProgramData\PGUpdateProc\msdbverg.txt

Filesize
10B

MD5
ebdad1350b755456866a2d504fc53d30

SHA1
4bac25d1beea073c018277410189c06224b3af10

SHA256
ae0050fd7fc02dc8154736b3de29ad2aa4d4152e719aed59e476348f3e2100ea

SHA512
197ade89ec3b1869b3f1633375a000761557b742f5c1f4e1d1818e89befead74e73bcc147ab657abc07cd38afc92468649e09cffc19ba33a7692a43a12241ff8

Download Submit
C:\ProgramData\PGUpdateProc\msdbvero.txt

Filesize
10B

MD5
f57501978d221455da27535d56847be2

SHA1
bb344b7a5465f48a24b713d2ee32d39d3cd50c42

SHA256
8a788de7f1b3e354379b9a2b6411b8b7538879af77868fc1ec8df27535235e90

SHA512
ed9fe8d573c9918c7ee1cf309aa98eb08b26ef09bbd6327254133ba9419873f14fd4dcd6c3632c2503861b7571a8f134e770c350a5fac912a38c35131425a48b

Download Submit
C:\UNISTAL\UBSuite\BMP\Aboutus.bmp

Filesize
93KB

MD5
d86c37c765acf567088b94cb5495afe9

SHA1
6080b39a3a6b55d75d67a588e2e9ac678c9b1a99

SHA256
1635b9a532254c3d0658d657b42f4bb72655b8264cb9fb5d7af43d6e0c295ec4

SHA512
5deddaaa12ff8145c910c6b9153745d56e8594ddfb034e20fa20ed5b082b3209651341eda744a17577b85ee7f3b0fcb299e2d577870111638b416bfc0ef8611d

Download Submit
C:\UNISTAL\UBSuite\BMP\CP\SchedulerSettingsHelp.bmp

Filesize
67KB

MD5
4c2df88193cbee1487bc93803d729648

SHA1
6a20f63b9e83ec789d2b5b3c3ef09f8705ae62e4

SHA256
776d0ed3af30ada794bf63094d652bc568b0e8ccb85bb08dd4b0a019eaf379af

SHA512
82218733def1d429814426363c8013aa0f4b7f233a9fad6fb6d51a973100f2d45adecfcf6ec78364b8d532f0fbd54658ec413a06435abbb4667e912a7406412d

Download Submit
C:\UNISTAL\UBSuite\BMP\CP\UnistalsDLP.bmp

Filesize
98KB

MD5
ca64e4b70b33fc3f046c68ac394682a8

SHA1
f591f2136e706191f28d1d5c9748b4e45cdba77e

SHA256
371ba647ba56fef82b02f2dcbd4ab2b488d34e5f808054b0d0effe0bba14dd5e

SHA512
e12a385ace1558d052cd3c5adc891dca78cc3013b96cf90e4efc9769c1d29cdb30cca5be87ca11c9c7a3ac9ca2c7bfe45dd43fe3cc09423b63cf4a8fac7d4a07

Download Submit
C:\UNISTAL\UBSuite\BMP\DlpSettings.BMP

Filesize
19KB

MD5
9a719d8b12e24b70b98bfff51d1963ed

SHA1
63d538985588b113744cd2da320311a44d4ac3a8

SHA256
e1eb38df9ca528dbc45a62f1e1379f69a0e3f50afc6278860eee5e7ef27c7bd8

SHA512
7c9b0d82717f3a591539f3f8c82289ee72c33ac78d6342b698af3457ffdac326c6b506d005b617a12fcdf3cb18d6769c886ded6124ee6745a64e4be32943a47f

Download Submit
C:\UNISTAL\UBSuite\Common Files\DLPSettings.exe

Filesize
388KB

MD5
71c20607bea69cd82609b87cd04d2cd6

SHA1
cb6c0cdf2ee33f5ca1794b7810a8e869931f2f0a

SHA256
1f2a92f45abe7a111bc7982b46f87bae5895ee56d84bdfe3c6a002213763cc40

SHA512
ae2031e08ca24da8dfbd0176751c84220f6455b93c0730ca7c6f7f1a8d3eed7eff442431270b7f9f91bf9e5109884cf7061fbfaef9cf5a83447cd777ed5d6a1d

Download Submit
C:\UNISTAL\UBSuite\Common Files\RescueCD.exe

Filesize
620KB

MD5
d5a8a3a69ff68e862fa22787a5536a5c

SHA1
db73bb5dfb08c769259b8e1e7a733c0ff3be0d30

SHA256
5926e12f5a3efa799ec0cd2790f3e83b5bf4c6be7eb2f6368bfe5d3d7fd95bc0

SHA512
ec4244cca7b6ffa957b2e37793f84ece70a6ebb4d10ffa32b589cb2b67d6090fcd26df325b23685f779a9b93d68299ed615e50ae00b377a84276aa33505141db

Download Submit
C:\UNISTAL\UBSuite\Common Files\RescueCD.iso

Filesize
900KB

MD5
2cb647f93acc7a32529448ed7c5ab87e

SHA1
2e71420402de9bad9910ba4622b9ed9edd8d4ebf

SHA256
f3a9f7fa4c851680cced1e5ad45e3f8153a0b0817279437ebbaacc1becb7339f

SHA512
fa2e838421a823074e954fbe7ade9cfc05013e43008ef343d8ef1c4e87d3f1ff235c969d674d28b8748d363f879b27712b5daa5c249838039ef7153a22705b1b

Download Submit
C:\UNISTAL\UBSuite\DLP\FileRecovery.exe

Filesize
560KB

MD5
77e8e1beef3685c362f091511ca7795d

SHA1
961d1f4bb3a24c24a8786dc8c899f130d911c5c8

SHA256
4bf222cff8794f1ca3e648d058d3bac71b21ff5d09f26a6cdb05749720c819ed

SHA512
2243c0b21c66a840c5c93d35ac734965a84df4d85683eba2f9067cd866f6eabc8e21c90d94b8567df315459acc4ddf6ea5ffa9a2f21a513cc852a9f3695a1c88

Download Submit
C:\UNISTAL\UBSuite\DLP\Lookup.exe

Filesize
84KB

MD5
196ca6bd832298a78d162ff36bfb6d2b

SHA1
9954e862ad00696e28913e9916323d2a65895836

SHA256
8e61f3197d7e695cd28e31c69b74ea3ededd215e63d8eea374a61ffb9a0c7ea9

SHA512
15a7f6f22721a003e9e22983012735e55888acf3a22c4b6168a32c3e4075119cb40d7094e769c103cb76d9f0883263f9649e89178b0602e3fd5e7f2e426c8f15

Download Submit
C:\UNISTAL\UBSuite\FilesexistsCrashProof.dat

Filesize
690B

MD5
a4d5b653e97b3025247f347edd8fa5e7

SHA1
347fa5083da4324418b7abad847083d027964815

SHA256
b6b381b4a4ceb4123a4db31c18657d0b000840cb5ea2491bffb62ea8153c4f19

SHA512
60bf88aa94e8ef1a18ffb36d281c2bdf31b2f10202864399f9157828bfb79aa866c30cc62117113cfab75beb72046a88f4b3c540eb09440f8a83231d7ff80558

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e337a4511e3cefe3c999a63665b6d1a

SHA1
61d0f970b1552fc84c7d3029d82270a61d5f19c6

SHA256
541d7b6585774bd7765489458854003677baf5c7b2cca9b72df3e5242bbcd01b

SHA512
c105ea76cd0e7762346ab28ed2f0c1504bd6a9c12a57d5def0490a12edd899ce49860868d37352d40e30ada7c0adb758bad8140f9cb41456d29ae0e593574d60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a2bc54c0ea87af94e889f2159c278b9

SHA1
901dc9392a9977d003b7f37c1119d892e5cdf371

SHA256
03bc2b1a011d861fcb5405e617b18337b01e57d715413dd4b9121e961fb67c6a

SHA512
6dec2e4ea753afe4f54e4b16819950399ba6ed23606958b9a71d2517dca5b1e7e644d249c9250474eec0e5339e5019a36a780b83cc391a922b284f36d2385079

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
371635328bed3dce0c275ac832f97263

SHA1
bfb38efdf5cf5a511f719bdfc5f24185073942a9

SHA256
d35920058c7d73dd3dc3a2463b471c1667cca7efb09cbc91cf55858c81b66dd6

SHA512
4940497676f381f0b6f8f6be87b56922e46c1b015661552e311ecc6343953eddd8e41cb1451c6a8fa04635bdd59fc672465c9cf1ce4ef9e45db7269e338c202e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98c1429238aa07ab7dd495e4da1c037f

SHA1
60c9d287dcfc823feaf3dd51f7d110d20ffd8a6e

SHA256
a27a4651519da315b2d39a49829b9c66ec2b80a1b61817364cc701cbd8dcea9c

SHA512
52c0812d20d75e4da5e429719e6efcf892bc10b5023040c103c54dcc9c7e7f80dc4262e3b5a5b7b4c037bb5cb6ca0d4709403ebe32b90875f8691e2a08c385db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aacf763cf4caf6b8a4e7448c2f14b0b1

SHA1
3bcbd198d8e843d216ef6147acc84c7fa9386ad7

SHA256
4d8e13594705da3390b2922615e1e7715f1b1879079f9befea1d70f522cbce7c

SHA512
d5750c64d5dd397ad9b5cdb70c577957d271f971b8807743bc9f76a2d88a3a706059b6119be3329cbcaf5ea6820d4e243627e6cbeeaa427bf0fe45cde1471b1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb155d5a7fd079146c1d7eac4ccbc835

SHA1
79f4549f17cb6889f0ba30d4a4cab3f708412bc4

SHA256
621d5690e306dbb40c0fcf76c95c43c28d18de08f57c9f4819cecceaf553ab9c

SHA512
b40f4f5b9c3897f5335def76ec12dad20492be8994a5406035334c7252009a21b37d9536ff3737e9e022fe1e72ec4a0492688744c0f39e5d4031266fdd1ab39e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e28c300e51b4db3a7311cfc1a4ef6db9

SHA1
d2b81bfb957f8b533d9bcee02b5f55768b88b25b

SHA256
59147713c599b4be3eac49feb68ea59a22c479328fc2cb5fb7d901ee1f8b8c83

SHA512
55b7c7a2919d1643388659eb9fe637c37282d6b2eb1ac3b5c973d06052d74f447072d0d00ea3fabaa02676e60d8bb1b35302b7cb386feecdd3736ace60046368

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f46e65f9e743362d78a8639685e830d

SHA1
9e254eaf0fe071c22f3ad66dfebeecd38a6408aa

SHA256
8a76a9067fc6deebdc06eb9ecd33207bb7517787591fdaf0466fcb0719bb7891

SHA512
2d2f205dd0641123415032efb82477297a32a9fb11e22d54d653779e0216b89a6eb57d9488fb7b8e77bc4e59e0b690858bb0b17a972cae1957cfd2fed54f52bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cff80cf4b302bcb106834cbda8f406f

SHA1
0f5eb8a43b51e516972ef5e570627a6c0d05b902

SHA256
b62d6889539bccd30ba1c612fd1d00f26784f67187dafc713d53fe2a47cf1d72

SHA512
24206043eaa48a78c910b719d99f2e5c3aae9ddab71af732d85da37de998cffebf18b83458078499e891738dde8ff2d8108a74b1fa4fe813b57d4c1213906c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\recaptcha__en[1].js

Filesize
537KB

MD5
c7be68088b0a823f1a4c1f77c702d1b4

SHA1
05d42d754afd21681c0e815799b88fbe1fbabf4e

SHA256
4943e91f7f53318d481ca07297395abbc52541c2be55d7276ecda152cd7ad9c3

SHA512
cb76505845e7fc0988ade0598e6ea80636713e20209e1260ee4413423b45235f57cb0a33fca7baf223e829835cb76a52244c3197e4c0c166dad9b946b9285222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\activity-stream.discovery_stream.json.tmp

Filesize
35KB

MD5
7819eecf244c9dacd7c0e2060250e4b5

SHA1
e11097267d1331be0d48d653442162d6d80877b4

SHA256
97e274db66bc00fcacf1c2acf4448ccec8aec656ae4e9ad8a70507057ca44947

SHA512
a61ad74409a16eaac3989275cabb6f6d637fe3b9df105685b5b77a6f0c369d296c55228dd4f295fa21004f7f9619811168e7e6972b611ec1fbd931a1b94d3ad6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\12393

Filesize
9KB

MD5
80f29a09be16e609d268f72045d600c6

SHA1
b3144f46e077b34f3c3d3196692a35800eb52260

SHA256
85199e806d8f030045ad1ec1deaf022bff198a794e9560a5028dd0305893e598

SHA512
37d97f6aa5fa860a83d4278f1895d23e2a0cbb8a749aeb6adacb98e42289594e3cb5a60ee1bd8fcb3cd232040fd329ffe1840fe4b7469b188f24b3d22ead2339

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\13179

Filesize
8KB

MD5
9ff42a293a1b63fd66ffb0733e4df7a2

SHA1
12dc17e4e2489a17fba427e9eabf8827f4b6adda

SHA256
2e300ffabdb1c60ff5736aeb0258c06c77fe82ea101416bd7277229726825c89

SHA512
8dce5f01199bf9b2eed600f700fd47f76c219798abefc417a0ced393d358bd5c78b2b1731df11db551d1c2191fd1a022c621376c07da45f78138b1a4d72f579d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\14417

Filesize
9KB

MD5
5fa4ccc751cc5712308529bef51a507f

SHA1
ceb7b85e53514c26e2e0c3cdb504bba654d34c20

SHA256
4381c0b25d5fe09f683d4a8ef7be48204b3b1304d88dd19ff074854d97a4f765

SHA512
c506607fb77a414917a331b50f978fa00d57901dce1d33d3527365a5f868b87bdd7c7415632f975682cb777a2cbaa82dab37ab0142816b2acbce4636e441247d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\20925

Filesize
9KB

MD5
3b39f262815a1e8b36baefb85f9bdf39

SHA1
ec4cec4f43965673d306160adef1acfd6f1e453e

SHA256
3ed720244b277dfeca9d8dbb5dce6fd2a4a6af4d75db8efabea44d90cd36c2c3

SHA512
e36fdc61b78a591167aaef944cb5c3d386b1ae5b36da1942e7434792f6409fb1098f8d0f134a6d5b01dc4665587481bd77758f419fbe9fe7cfb21e58b7ed1af4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\21905

Filesize
59KB

MD5
dfe0e7f891f553aa039aefbba1c76d3c

SHA1
b3a07761e1ce60757492259503884bdbc6a9228b

SHA256
d02d36d4c4fac41b6e94750777f5eb57e97f5364298d0ea88765c05c5aa92718

SHA512
73cfbe8f1f34bba213dfc8a51100659b70e879586764a45e7f30c94f87f0beae4321cdd86fe2d01ffa0d70a7d10e704862fed3e4b34ae58d06837027c3c1b3d7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\23071

Filesize
13KB

MD5
71eaccdebc0051d6eb18a4eba5a821a4

SHA1
1b3326f5be68e916e1a51f44120c14d79ac20f46

SHA256
9fdc0653c78b6791629df52d556ab3e02d59afd11a6fcbaf470def715dd35941

SHA512
57fab9673340835492f6b6071e56343eca62194520d3758a3f2642b078bcbb2b1b405d6902aedb12bde0d817f80d3f2fbae7c3e4516bb998574d914a1a3b4cd9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\23520

Filesize
13KB

MD5
f67a4b8f3b3059581f9c0c075ea9d3b3

SHA1
65460ac39ec1295a77cb75238bc1e8e872dccb45

SHA256
df09cf270e20787c7c89711a810192b6c703e5b8c4262c0d37f12452f9ab0814

SHA512
3639ce866e6209e42cbe1ca290e5833fb5cef595e136ba60e731205e822eb3d265bb6523ec582c801b99abaea8281bab72fbd32a69dc46e4d2362cfaffb67685

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\24166

Filesize
15KB

MD5
a43782c3b43058ee5e3a612e4833e8f4

SHA1
4712cfb769f688ac0dad5a8964a9f495d73fa6db

SHA256
01507c15f17fef3ef2ab4032109db3137147d09b7f77c304699aa6f286b78202

SHA512
d9bc2295c8ca57a58b603a3cbf0ccf93a63207ec19a3230ebe87b794197b4bc29d8f50bf18530bc60ae32a7ddd8fecd6dbc1c4d58cdf1ab24077d24c97d65ef2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\27294

Filesize
9KB

MD5
66fcc5c997c0227c4056af24d2473ea9

SHA1
eea9938da0bf033d76dbef9b0da005ac4ad497ae

SHA256
41b29c09c626ee10f865765aed8bd74fad956dcdfa33c776ab487796ae991278

SHA512
65f959fff71695c297e10e9ac17058f044c26ce90bb2d8b884bc556b141bbe8a03cb22ef6477350c5ba624a11b995e1951cdf09d735ba3f69d4c387fcab3f054

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\29603

Filesize
13KB

MD5
058023395366355d30b163d3b3cbd799

SHA1
bf82a1c9934e5011a3c57d1a31c32e32e9b98abb

SHA256
f4d0c15f112b933c859206456ca401a77aa80390a28f1cb3bf37e6786885f9d3

SHA512
e025405b60818356c8418a398e63e1b3802c284d4e712b470cf5e7fb74a550d534ecc110b7a405b3e1b20e2dd775fd3d521ed85165c8cbca1d5d655ad1deccf1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\29878

Filesize
9KB

MD5
618a71ed3d108f285460e8b576ef4f0c

SHA1
7dcbb25cbbffebda54f4425cbee7ba7b640a0717

SHA256
40ea09fe17e1e0c437b9f3ec1912bda6cc54cd5c5dcb71f37836db9f90ff5717

SHA512
70fbb697daa97a8588125692d8ee2dd8d4d34e9e01ad611df0da9f4025bd101336567974e6cbbdfd82c39836dfa8690de106e4460c174543fc1eb93ef3a3dbd8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\309

Filesize
15KB

MD5
6501a695218e972e7a685d31f03c43d0

SHA1
dea49c2d090e313256039b2c456bbc0417c6d221

SHA256
fd5e94c94c13a541aa525da01c39515ba23fbd4e3cc81104f0ec3498b18a443e

SHA512
3104168a48655f6bfff193180432414bedb6f3028542448f7545c22a959b3961201beca3e716668c31716d28918f0b0aeb2382d729f09b679b57cd70f5fc9389

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\doomed\7260

Filesize
15KB

MD5
a1d71a08668ac3229aed3ae85a0c28f6

SHA1
b54c97f7fbbfb3cf2336c4445ff5c7f22b8e8448

SHA256
64ce1ff8b39630e4b33e3d5e217b61873bb73e283db0e9c7639b685a74654e5d

SHA512
5fab5abb8c170286fcd25efdbd135dc70454643540e39ea5a4ff6d531839448e75c157c2cec65ad3dccf3aead34a65d5d89aff1ed15d8c0a86396b7510dafba8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\5309AB1AF99AF2C672F1EB5BA2C3ACAE697CF77F

Filesize
67KB

MD5
932e22a146fc56d8e4845b230ec99f8e

SHA1
8103c60fe37216663b5921ace3b0eeb4b94b777e

SHA256
fdb919b669a045f0c3c4009f2394493531f299f7f1e3568aeab9a88ef7d8bf31

SHA512
e334c8ef0a2084a0abdf31f7220415be1355207da1ea606a251f431ad2e3b54dcf9edf4f24d1a595a0c8ae3116c7f50ef19a897bc6d53822865a806591f9a6b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\5DEC88E851B1525C84FB6E075EF537EA79320CE9

Filesize
63KB

MD5
15e3c97a3f7ec0cdf930a0e6fe8d4ec1

SHA1
4024bec6fb0545af74cf39820808cfa5f0a66666

SHA256
ca18ca2d18443d2f1a2ae48299f192afd5121d066af1b010e37219de3753b93b

SHA512
6146476530d05efb01033322ea647bcfc7e85dd879ade087a80155c716ee6a17a78bc33e2370b910ea39e48476e106775778bc8b66287c3d21d05e9b27231c7f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\6F92348FA1545740F766500E7EC6DA03D871B9EE

Filesize
49KB

MD5
9596aaa15dd27a07cd1da0b5f4216e96

SHA1
6ac08cef45a5b126cdc85b7b3b1c3381c286be59

SHA256
bcf4cb110f1e09e99d4d178afea7baf92ee352360f3739e34ed0536243b188d0

SHA512
4c00aac76498e737d40d13525c1e3e9bb9036ce9bd1fecf94968b646b207ac758237e11a4fa498e9ce295df63f73a75d3c367ea3b47de207f25d3eb7e42a7c26

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\8D9D13D2F1E22A996B4AB1AB746108030CA8BFA4

Filesize
14KB

MD5
b5ebc9c0ebe86b35d6d76e351f19904a

SHA1
beed5fd1756f8a6a5778f22a23b250b6bdfdfb49

SHA256
d551a9827793f974ab5ce7114dacc1417f80d6a40945c278223e70b27dd9fe80

SHA512
c004248df998360fb9c8a49acc00dd69b8a0cfea3beaf85ce69d9043a8be25580b1b6e8d0494c87767d0a5060cd19fd614048dc146d1a105d72b9f3a17244069

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\B12C6A7312A96C5EF5FDE881A3D9BA36DCDB163A

Filesize
78KB

MD5
564d517bc9369b7a04cb49a743e386c2

SHA1
4a39e5bcfe451842939a18fca36d09d46aadcdf4

SHA256
75a551aa74b32c470e0cb69405f4706e0fe4eb538fc88affb377575001cfa58b

SHA512
08b4ca476cbd359afc72d7637dac2007f292b574372194b5a1a71a7d3a16c5579576017bc3b4e1d8fc2fdb11fbc620004cde8aa8d7b8b3bcc99a5b2f015c3e01

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\E10139743ABEA915490D76B043A345637EC0878E

Filesize
104KB

MD5
a9f0a78afaaa699a098ca8fa3b8bea62

SHA1
cda12fb208d28679eb11572e8e6a767588901207

SHA256
d548d5b7be94a7fee99115ecb2d35a2139c4e665c0cf6fb41408d081c468e483

SHA512
ba99f30c00f44b1d3cd4221e44efaa4c62dfc8327e88f1b77a3c9fe67c5c3cd0880c5f3e9b3c072e8e774518923421c25e4e30bd3c09f209959830221a3fd900

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\E6C22A3DFCD18E3C6145370266896FF76AE3F7EC

Filesize
39KB

MD5
90b7cd60cc01f44d3b98f806ceb5059e

SHA1
da402b20bef5b31af942432e86caa61dbbac3c21

SHA256
7d17d757492ebf17d806d9c1cff0166b9adb03b1744962b1a4930b47db4c9cd1

SHA512
4420ba891dfec8e7b3f6085f31ee4fc5caad1f6308688ea166121a99b92e2d49cc1423b30f2b4d153c78138df0d9317bde664adfb561c8c2a9ae31336a907571

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\cache2\entries\EEF66EC3FA6C5051F87025E37140208CCFD36506

Filesize
62KB

MD5
dd839d4cd2d6e1ba9c1a7d033551f0a3

SHA1
f264699f1aaf6e1925338732996422775174a461

SHA256
ea57d3f0031d0b16af255ef4e2afc0510535f23f74575b9a84b7e1d93a5f1b4c

SHA512
5c145532ecfb62ed5bead8b0f170d08e43a9aa011227fe5e732d6b7f44547b506ce2ecb1c3b9f70fef89d470b056c546434c21ce807a3ef31f55a5e2f8e9cb40

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\jumpListCache\7stn_mMD40o+jkjbDJ1Qiw==.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\jumpListCache\fG0UTfdL_innLlehuJldRg==.ico

Filesize
717B

MD5
3f532c1cd7e4e550d8f5ba4cda18f8cf

SHA1
057a26dd03258fef0c79a6e7bb70ed40cdef6b24

SHA256
f85912b2ccb9decf97a2eeedc060a242e24b8f118b14d110925c6ac72a58a7de

SHA512
1b163d6b061013a98505f1375995b770be2206760ad3faabccf6efd9f99d29802b4ead257e8c8eb57ea1eb067ed79931466460bf241d3f94b396eaa9d06935f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\thumbnails\08729b6be4305a0d704aea849b435ee5.png

Filesize
30KB

MD5
545125c5e67effcbceedc818c6efc603

SHA1
e814eb662766333c85b6f9a95b4fb1208349f1c6

SHA256
e1db431ef1bae1a0956d1ff84882d8e5ce056527a0c78e0de116dae9f249b3ed

SHA512
5f99de5ad683535af4c4ae825e42ad22a56553447d0191daca628991bf4bf819f4c399fe56108c7173d776a0150ce711b7c9782ba482ec9440504c4a8e09564c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab49DE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL

Filesize
40KB

MD5
48c00a7493b28139cbf197ccc8d1f9ed

SHA1
a25243b06d4bb83f66b7cd738e79fccf9a02b33b

SHA256
905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7

SHA512
c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL

Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL

Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL

Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL

Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL

Filesize
36KB

MD5
b4ac608ebf5a8fdefa2d635e83b7c0e8

SHA1
d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9

SHA256
8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f

SHA512
2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL

Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE

Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL

Filesize
28KB

MD5
0cbf0f4c9e54d12d34cd1a772ba799e1

SHA1
40e55eb54394d17d2d11ca0089b84e97c19634a7

SHA256
6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1

SHA512
bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP

Filesize
8KB

MD5
466d35e6a22924dd846a043bc7dd94b8

SHA1
35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10

SHA256
e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801

SHA512
23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF

Filesize
2KB

MD5
e4a499b9e1fe33991dbcfb4e926c8821

SHA1
951d4750b05ea6a63951a7667566467d01cb2d42

SHA256
49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d

SHA512
a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB

Filesize
28KB

MD5
f1656b80eaae5e5201dcbfbcd3523691

SHA1
6f93d71c210eb59416e31f12e4cc6a0da48de85b

SHA256
3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2

SHA512
e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF

Filesize
7KB

MD5
b127d9187c6dbb1b948053c7c9a6811f

SHA1
b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9

SHA256
bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00

SHA512
88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL

Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcirt.dll

Filesize
76KB

MD5
e7cd26405293ee866fefdd715fc8b5e5

SHA1
6326412d0ea86add8355c76f09dfc5e7942f9c11

SHA256
647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255

SHA512
1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcp50.dll

Filesize
552KB

MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL

Filesize
4KB

MD5
4be7661c89897eaa9b28dae290c3922f

SHA1
4c9d25195093fea7c139167f0c5a40e13f3000f2

SHA256
e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5

SHA512
2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\andmoipa.ttf

Filesize
29KB

MD5
c3e8aeabd1b692a9a6c5246f8dcaa7c9

SHA1
4567ea5044a3cef9cb803210a70866d83535ed31

SHA256
38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e

SHA512
f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.dll

Filesize
1.2MB

MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.hlp

Filesize
11KB

MD5
80d09149ca264c93e7d810aac6411d1d

SHA1
96e8ddc1d257097991f9cc9aaf38c77add3d6118

SHA256
382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42

SHA512
8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.inf

Filesize
2KB

MD5
0a250bb34cfa851e3dd1804251c93f25

SHA1
c10e47a593c37dbb7226f65ad490ff65d9c73a34

SHA256
85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae

SHA512
8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tvenuax.dll

Filesize
40KB

MD5
1587bf2e99abeeae856f33bf98d3512e

SHA1
aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9

SHA256
c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0

SHA512
43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillAgent.bat

Filesize
161B

MD5
ea7df060b402326b4305241f21f39736

SHA1
7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2

SHA256
e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793

SHA512
3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4A00.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1TPTV.tmp\USPL-SBE-S65.tmp

Filesize
701KB

MD5
25ca0e8e706a309f279a0efbb9924b16

SHA1
98b26cf83708451fbe7e1e4c370cef4641b70526

SHA256
94194ebaf8bda6584fa09ab17ccdf8dbecd299c1f7a9ddc77517bf4bc0b03bcb

SHA512
fe8ab3fef9accc62ac93d3e1ced985b5c42a85c84239466647b4433a8fc0390ce0f5c44e762e3b07c42f8b598765d63366cf09e91d7196204a53d1f07c174fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EGE14.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
526426126ae5d326d0a24706c77d8c5c

SHA1
68baec323767c122f74a269d3aa6d49eb26903db

SHA256
b20a8d88c550981137ed831f2015f5f11517aeb649c29642d9d61dea5ebc37d1

SHA512
a2d824fb08bf0b2b2cc0b5e4af8b13d5bc752ea0d195c6d40fd72aec05360a3569eade1749bdac81cfb075112d0d3cd030d40f629daf7abcc243f9d8dca8bfbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgsecdl.sys

Filesize
34KB

MD5
b1b672f16caf3e170c29c518b8da484c

SHA1
1104b213a03dd4f34437bf0eae52600de2bdef03

SHA256
77b33ce0ce49ab9042995e9b67358d69fa2ae99d9357abd0a4215fdea57278b5

SHA512
5def5e379921b33f6307fa69a3658d42a421d162f61db0c79bca5ffdf121df90f3e5c0cf311c0c5a6755aa3f2d72c8d67b3a8a3e8580a51606c289bb8c85eed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
dff2dbf36a07ae58c2896a085df193aa

SHA1
33c1e23ebea04fe61f2adef433b7fc4892f8e27d

SHA256
2f1b3b477ccda492f81d7b60a00729a64744e504c6c8707c530f6e4e675de52a

SHA512
c73f5bbba2482b7459a613e1f1b2a3e49a3558683b1534364eaa9744658ea582e9386f45038b1aa77b9dcd2b792285272f5003c623b3b0f5303d9f8f17e9238a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
21KB

MD5
6de12a24d41818ee24d448a20695fc3c

SHA1
c75b87b47c92540d2945e22c7ba461798fbea1d4

SHA256
b04783a302b1a2c0e3ebf8a80bc44ba9ba90349075bdeb58e8c893ff583c3d46

SHA512
6ebf1bac7e28625bbb96c8239d675bb93fb2b51b5fc486a2815e1239b8a4da9896071d7f2d3a954875eec1c56bd3ba669bea9f982af5c5cf635298cbf6a295cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
668c5b4cb9e5d6ddc9793d890ec18fc9

SHA1
8f016c6c1de088c3b74939bdc2a67708f9e72f0a

SHA256
94e9759c89251eb7adc1ece8f69512bb0b6c300c304c0a93d0c4f58aebd341f7

SHA512
29635792b56689217c36a60cc1f3a3168fe34dee1713cfa95ff7809cd31cedef9833240091fe75fc765de1b58bbdad4d33c8af85daf4151bc2be980aed661c51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BMZZMPTWMX4QPB35KQZO.temp

Filesize
5KB

MD5
ab530c5596b60757f26d5960c075676f

SHA1
42011a3cb16267508185d78131285cb88df0f1ef

SHA256
e04d3df47a0010a0478e497b5ca15223715505258db4231f43414c7840602af8

SHA512
901b027feac1f199ff60edf439f71c7630ad297254fa02a1fbcf63bfc7f496a2d9d4b7e2c8b1f82c04f401aafb98b5cf4279b317b3ffb85ffd0447bf35c5f4a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
95e45e9c16302d61efcc869c085d811a

SHA1
9fb61efbc328a3f8d3cf20ebe3eee45c629931d4

SHA256
de0a4a3f4c63427d53e36d68b66e52f02f42561454f3d7be96d9a12f1b6ceeca

SHA512
fb1724c1e6a5765b9ff34f83de38b9e8aee8a5eed163f84db1d8eb5e08a052f4a00b6d5356542cd27fc0f2591b48cf3bb436b593bb9301d14fecd80317cef94b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\2806ed77-c956-4572-b9e3-6a4bf2024186

Filesize
12KB

MD5
05648f81693e7c1b14933a1ddeaa4a20

SHA1
2de3d4f21d83166e16dd0f3b38b6efea4b366c5d

SHA256
a0d840babe269ee88d7a17434ad92564f4c368756479285440901bc04b46ec2d

SHA512
f6f9c6953ea1b37c7c9550a5966e5bc57b2b7cdb4df7997a1a5abdecf607d8a928697bfc6367dfe1344406ebb93a6ce2309adf21c04c6e8a86591bb502fcec7c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\664e1b34-b57f-4d92-87f3-e87cd9a93256

Filesize
745B

MD5
2cf10cdfd478a9e6520cfc6d2e1b5e69

SHA1
2d6b6b742c567ef886ae8b5d6e8fa57a2c78b14d

SHA256
99958dc0ebc3d63a469f881500f693009fdbb3ba667c35fdca04e1bd8618baf8

SHA512
f80d2c887ddbbde839cfb1337bec8390092707b799e7d07c1786f5cab7abf40abf6dcaedec298e805df56526976b8112c08243f1e88981ed9e2ad6d747c968f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\downloads.json.tmp

Filesize
913B

MD5
96af3c57ad86e21af48d0d7d6487cf37

SHA1
35f1fce2d54caea0cf057724f34c2eaa0d96b1f9

SHA256
38463be1fce0c2425137b8097b655d4d222eda380a9c946fa69c742b3582859a

SHA512
0fffae14a4c56b8a150ca04e8f431fee8552da2076ad030f04dad1ea3adff0d37a0808144ddac9d011e85f28632718eb7a30b608c33f9bef67b7d84a23a78760

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js

Filesize
7KB

MD5
a5b22cf52ed58834828879633b3f81ab

SHA1
06d5c733ba24be02676ca3f4af2ed381e0289159

SHA256
324f035f60ac3c48a3e8c7ab109d5110edc8c2be52ee9375e0c3417346ea9122

SHA512
44308ae16b879af5d0db7492a2aeaf6e7e2e119765414192bf905408fea9437813ac838e77a558d5a24b398c32892ad77f8ba450714206e398dd346374d964d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js

Filesize
7KB

MD5
c0a252cb91319f0d7ffc553a6c5b7548

SHA1
37dfebf3f707f437159b0b9e9ea9028161c2a61d

SHA256
18ff9d1d1a083e2ce27126b19acb4b3d620604f01414a04e97d2f5a15a6e4404

SHA512
dff4aeb0cb42121db5765a234be60c5a574bfbc110fbc9f65134a1ba420e4cb778d32e8922da3bf4f839003b69268ce81b034a934f405496ae803c9de77a44df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js

Filesize
6KB

MD5
663e17b357dd9fb6ec697457f88b0af6

SHA1
1e8aaa6c0bef0d32afc0e26bae05a19d64cd0261

SHA256
dcb97b1019c75f93409a1cf471408224e08750baa7f2e3ae70b3633ab6669327

SHA512
f448a9548a68b3777728106603261cc386b9036ab23ba6a0f9bc95f610af6232264a43f079c6d60e91cf023e282c3923828e21e10393efe20fea04f53155a740

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js

Filesize
6KB

MD5
6d1958aadfdb7cd8af4643d60ce5b384

SHA1
9cdb4b9acb229f74a5070e89ec6cebd3d0cb25fe

SHA256
3b5d957d0b76c866e1da5aeed6ecbb2244f46691e9b78447814cf322a0727e49

SHA512
33e9b0e9d37126b67bf80a04e6be1b510de8de4e31df8ab2b9716e0787b453832a424326f01819af5802f6b321071f729a3de7a6b479ada381b0da6392e10bad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
8606b8fb918885fd93dcc7ee0cd00490

SHA1
37ac0b7afa7308bfe8e448888f525f169025c169

SHA256
941e36c28e28c2f983222ae833ba5929e304681b41e057fbf43262643ec01cb7

SHA512
771a62bd7212d96cf4d56d0ad46240285053866cf5fa384dc3ae0cca9fbd2f1ab0b8150d1b3ccdc82ab64749eb5716b04551d17c810d48fca19c29f812df522d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
7ecab880688a6006c935acf94f192db7

SHA1
68ad041a2a7a2177f7425babb1941b1463fabf91

SHA256
d3662408fdd39fc35eda301447b54b8287a6e855d27683a9097779def93ecb2f

SHA512
600cf3da8eeb06e8255ffb16c97ae75c0091dcf26c4cb04afb1fe6c6f4893fd504849f57b5f89119949db13b64d207cfab155fffd15da47e266562850525af36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
1671795d7b422e221eb83177aa2435fc

SHA1
2fa45c7a7eb71095b41bcfbf785c826e85b5f608

SHA256
aa27164dab6cea1040ff7bfd6cc20954f7188e15e6d1ae158718c5ea61e56ed8

SHA512
e24e7284d7ceaed31d6f1faad717e5b96a02540cc85de1453b8946e6fef7109c2e5da94f9d8276aad1be29f4481832cc6be2ffca2e434dd0b42d2f6141677bb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
918b0017510748eb3248fb3dd906a8dd

SHA1
af429a7f68c891d2fac7264aac0cb36f72bf1a72

SHA256
de38b12e9b1def54198758e6297ef3a5c1007e7c2b73d63e26421e20efad3edd

SHA512
009e9651d4eafcf325c2044209ded11b589bac49c40e9164871dba39983de510ef6f07b8280bceaf719c308448a563590c2741ec236f0155a726b3b29a7498a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
6f59af65036178394fbf8f2553168e98

SHA1
52093a64d03cd21624a06e543785d3d68d7b4ab4

SHA256
9d89ff33474313f3f8ae0aaa144da13e151024844bc9c1d3033b2f5fec2bc37b

SHA512
0979ff40c98ef9fba3d25e57088ab17d0f1d5425384a6968bf91598eee223d6feb43af8f434723bd9b84c5131432cea62efe904eb318e2848b5ced3075836dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
523659b8584d563b3fd559761051eb51

SHA1
7e7fe9a11bc59d83d3cd37dc7f8d20e70fc1b7f2

SHA256
67991bb32065859bce99b1756b4fb54c8675675be5edf743ba7ba37800005fa0

SHA512
034a5f359dcfea691e16d747ac1b458907930da35b4e575c1606af3b6e541f2844f4b8153b9f4def614b811114cc0919841803710b9d40b90c1521f12abaf2ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
f1abff0cdc38d40493f52027af8ef2d4

SHA1
d4944e974d44104d931e0a55cb87d5c42bcf4ab1

SHA256
9ef3dec97e5d3e406f981dd8ce418bc1732f73f83711f2e60beed36b9cae3f43

SHA512
ceecdd95bd386b4155b309d0a688e9ea94c959e59788ce30d760cc80c2bda5488b6532eaca1e60a994a813bb8e2d9ca516c877ef213dc48768e44d9a3c4bc05d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
8d38a20f04ab94ccafb8dac87e9fc5cc

SHA1
ee97b91bbee6050fa90bf6d43ffa81af15f7fafc

SHA256
37441294871be6dcc8e83ec050f40c55833ef1d69f53617481251ae67a9219f2

SHA512
3f85be38dffb3fae3d5570b11e23a3643972c43248c34a667f230acecc1b691960617b0d6b014391f8fddf0ee2b89367e46c8a63595964e2cb6a0c32136d651b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
1a3d90057105d7c516f4752364753aed

SHA1
b966dcbb18534c92d0fcf2a56fbb7e76ea6ccd49

SHA256
f79a8501730dbdfab69aff2def747f03f2ca6ed656eae80505b8a3da01924f57

SHA512
f07642060f1d0873fbfe9b9c37ecd55c507764c157f4e4b31c539c044d7ba36732b0cbfd739b3a5da683406668a108b1d98307557960f30063f74fa3ed7e436c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
eb6bce293c47ff6591a4b9d122ab6586

SHA1
9117dd2c3618de084ea461b1ec95cb4c32bd3f97

SHA256
1afd7bf3e1456dc6660abf26d9b5a9c15fad58ddfcbd71ef4f5bbda85e993472

SHA512
48193c2b443b368d61b046765aca74c904eb3d8788e186fcd2f18a9e5e5d5a3477df4246065c487368d62ff268d1f4bff9ad5c880a0336abda9b254b00d7f07a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
17KB

MD5
c9e0e9d694bbd74a942077b3bac1efd4

SHA1
21784bbdf2d42baf1ac113a9a4bec63f64179b28

SHA256
b3846385e932d9a0fd1ba6299d1574f4264572f009644e95396c280dbc0d6251

SHA512
633f06832bf64ceb682fbef3907e2ab5c5db6ed29930b432e0072c7853217bf792e1161fa7b4a1d81fed134f8952e59f3b8c82fa686941af8c13e8a44ea89857

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
4a5d3574848260a2408e440a189796c2

SHA1
d26ab5879a5b10a3c6c0990e11d0e0724be35af9

SHA256
531a8d1737c7bd541598c2d473e2c6a839a2dbbf5a6e5493a19b60798915cd42

SHA512
b8576702e2affc48e6a7e7159b2f2b7d84baa1066d76590c28fa2f30148f3553799e536f986e218831517f046403040b293ed37af9bc6e00a3f309917c0a64c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
21KB

MD5
764a3eb45051e99c8b4643a0056db480

SHA1
a8a3cc0272a38da9baca2474748635418082aa04

SHA256
a3335f844269cb371d24668da7d3391e7923239bf8f45b55f3dada9f1d986ff0

SHA512
fe8b826be9bfe1aa902ef798e4367a2c54702f8d427187844927bbe095a56ca7acca985d33c79b3b35bc7b27a9df32a3191d68d849e0f48da3c84438f5778d21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
7303b717e2c812578c00691ed011bd87

SHA1
60a1f49c6c04e67ac5f94de8da8122ab98a8e05d

SHA256
97c6617dbcf4d78a2ed8dad4f4c22cff2879f78bca2773339175a43736d42ec1

SHA512
75b69cc6b0f6280b3a58f6ef330925b8522f19e5c40893b87edc1827aacf9e14ced3da123a919327ccdb1bd7baad7246a299fe94681a1c05424792bd9ac7ecb5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
21KB

MD5
04495d5adc26ff233647bdb16f6c1d63

SHA1
a8514aab7427156637128c606328d0ceb2f304c9

SHA256
275aafef3a35fc59f2f82e05269222142654e9a8603856fdd932400fee5c34f5

SHA512
49f710cd9dd168726c13be455394a3363823c6aadbb16436251a2973a5409db273e4e4316c8c0263c042d7903137ee3ff1e4e203a05afb0bd0484bdfb4857a54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
da16e4683bfe4eb695276ca5557d5368

SHA1
df003dee0239fae1713115e0cd1cb92153985108

SHA256
33026e46a02700d2df439bf06b40e99679ce4b6da169615793cb5852819c21d2

SHA512
b0313e68d552b7c1270c80b22506d20f3ca88e7294b096bbccfcd1f4b28ca90ad44558e3b6bd7316591477d2bdc498f5bb22933fd8a13877295ea593eb7372aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
45203a2d4f90dfaab3f386e115f62a4b

SHA1
aaa24c844b2f96333d2a416aa73e7a025e6ed182

SHA256
f7c20a639735f7d1899017765325f785221d1b630a437dfa82a6a3a193a0f8ea

SHA512
66f7e6d062adcdc37df561ef7db9cbb7a1e8b8acf933ee84a3b3310a36050009da0ee827ffec407b4d40db4e6822223820da6a0306868989556d9affb74b6be8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
21KB

MD5
eda30742755050eb2ae446864e5b7603

SHA1
24d7e7369715a997f4e4cc2e3d3465f8cc3c4675

SHA256
070b59406520f903947d14ca890701ce59300cc8b75cc1c0d6cbae797563e596

SHA512
a8a275c25adf8e7d2d5774e949dba33ccaab4410b3050fe95e74f4018b717f50f96406782fc9966526625c6a0bb819edbb60ffca427e5d9bd98a42463d4598e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
15KB

MD5
7630c221ba011653aada078dd4eaa9ec

SHA1
47d70bf3ff66e7b185628ece08ca215899cd1d25

SHA256
1fa96fa5999512c4bd2dc85f56cd7c4460a1f4484551299244d715755088fb51

SHA512
fdd30837d7039dcbb5ee81a6db5e3d996d1809b18cb87c2721dc2b631b4c16557574554e57fb9b1238fbb4b7726dc263281842d9560e69a42a5664e0c0c1d160

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
23KB

MD5
d71ff5610695e78f2c21b1d12aee8ec3

SHA1
ed35a57c80c06f613dfb775055ffc175696a3061

SHA256
e4997bd13f2d370f3e68c13a169793c189ba3345498618da5dcc35b43c82e61a

SHA512
92c3bd210415aca32319242fea66bee1926e9109f2605c0f45ca9442ed5d6e07caf8b13984f6fcea7ccfb219fa0549f123bf969610f273928122481660b0911d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
20KB

MD5
79e3b18b2878e55c7541a6d597bddd87

SHA1
c348b4992281686eddeacd913a91acb2ffbf1e88

SHA256
b29572df5d106b2dde61e456ad1373abf8e4a8ef7dff4811feb3361248c57c54

SHA512
933d3e1abbf0f94e3a51b523fe02e169df3ce820750f882a94b40cc40936deaf1a73f002199df3b8ab38b97de73a5953c972ac6f11cf18aa8f9a0037a062b796

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
23KB

MD5
92fb3eb64654b84c928df1f2a6fe4bac

SHA1
b574352da0e71d0fbd9cd1c4dc74a9b4382ed6a2

SHA256
ada848c8745390484d48dd2b6da9b36c4e92f0a5cbd60b8407823123b7505d1d

SHA512
e30de8f16567b4c8b15eae7897355244f3ba41a8005e728b1710acb9c081d869e3a17dc9422a200e9714f0a19cf107bdd25d5eb5fa8002d839f3ae43565c068c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
21KB

MD5
264b107ca2aeac2a0787627621b484c2

SHA1
43c096418a02d558e0ff47cb4ada2545760f55db

SHA256
376ab17643d8f158f8c08a535c02b160da7d6103124276cce7ccef3ece1be7ef

SHA512
e89c1cac8f741ba80acc00e8292cc86d6dd27ff103b5e9043710aa2318d6a36f93b0c182eb4b8fd81f0416adc8e16959864d73ea6eb1d8c9b10bc4bcbd198064

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
23KB

MD5
af157c2a45307857392f07ad7d37715c

SHA1
ceca09cc3864ba82bed7b478c8ed5f5b410e4fad

SHA256
fdb8a21f1ab025dfd5b1ca08b219b03b57225b68357135d582fff5645a277570

SHA512
de9b443ef194590773fc496e67ab3fa1d250771330deabbbe33c66eeeff493c7f9837db051ea5ff2cba2d905e0f0dea828a5e4e3b1a6ef3670e165fb7d606e03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
21KB

MD5
7cf96c9cf979056dda5fc75b7f6fadb4

SHA1
48449f944f24ce69d5346c962e622049bbab097e

SHA256
b88287b60f45e82a6239abee408e436d73730809511f7169f9a3b363e5eaae62

SHA512
a9022dbadc96920fabb0b1381fae30783a8ac53629fd96cc0451cf14129f8379efcc4b10f100244265d752db5ce67c5adb5723ab4c41e03ebe28870da7ef6b02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
21KB

MD5
88c5f0551260a26e1ebc74ee8e250766

SHA1
27f78e7c66de7f221c4755aa321275addcf1dd6e

SHA256
05d02617d9f0a875f89770f01a6d7744eb8d846875435552f76d76968ce9c792

SHA512
9bd7cbdc4b54af83d118c125c55a2a6b9789b007cee42246f3c82155fc5bc0207e977dee725e042610b5fc3c93c3086a793de90e61a073b8f4d6ff96a9baafe5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
23KB

MD5
8a6c82fb697fb15af4849a580ac7667c

SHA1
ac34f956d69b167748e4f481d784b5d59b54156b

SHA256
dae28350fed3ba636e029d0af743a853c150196149320ab9e6a26991372d82e5

SHA512
5c2d743a342fc79ee6721b8c27c585b9c480fbbeae65d655d802c27a9564fb8729131be7fddacc701a53af0888bf6bf81800a0fae74c61106910d551f9ad7470

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
23KB

MD5
0fe096d0dee294b78e214c73bc5ee18c

SHA1
3936562b4c3f22ba48a543cbb4b5434ce3f0c0b1

SHA256
fd12516c370a0b79a1f02891d7af4b3a6b4cbec7f0c73928864d6f858974f938

SHA512
76c0e5458aa6ad79c7d6caa02522f53d78fe55274993851788c913bff84350ffc6096cda22e51af5670c60f9a43e2c262d29515c1fc4395e1e6dd4be7bcf81d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
23KB

MD5
9939208ce5515a01fb6fb3c79f0bce39

SHA1
4e250faa3b96bf02f412906fdcb876b31c0e49d1

SHA256
990f00c6669101d46d8553f09088bfcffdd7cacbadd941a3353147d1201ccb3b

SHA512
0594d94accdac07844bf4e145c6d42f07aac1ac2925a3c0c9d6c88919846a011b0fd3a016c4898183cb7da36895a81ca0bbb31f9880ed4beb60e9edf16d31a92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
de2c0cb532cf2a7ac6f86af050fbfbb0

SHA1
2916088c14a79db840bcc7024f65b246952b8941

SHA256
90f8c0d4c9a737d0f3fd59ab52f571ec75119c940a9cc50dbe12db52926c8fd1

SHA512
52c7f674c2d3d4667483a3e6e29d490c5ddbab93ab59dcac651b0089f724f38e65d71c9b025b1cc0d1a4ff1bdf69c61ce70adb7940a1f772748e6e19e9b94a6e

Download Submit
C:\Users\Admin\Desktop\PAV\WindowsVista\BMP\Common\AgreementHelp.bmp

Filesize
67KB

MD5
0b49d882fb81ebf533ccbe259cbdcf3f

SHA1
ac27d902ede68b69b0ff1a6fdcf37f5d560cb389

SHA256
cf718a3b5fd3b161fe7d8ab1ebaf8e1e3eb29f50991f92fd3ee407701aa9f844

SHA512
e9e4ebf0edde27ebd1eb74274b7a59e3e185e45c268618faa13d7f5ff46d621d3b0184a7f335db4fbb1de469f4bd5425e401e692da12cb92b9dd562f1b763a3a

Download Submit
C:\Users\Admin\Desktop\PAV\WindowsVista\BMP\Common\ProductHelp.bmp

Filesize
67KB

MD5
28460433633183f45ab536cfc5835cff

SHA1
e463a5d9790de48b6e442314410a15e3a07452f1

SHA256
24b263b68ba31a2d6127eff47f0d1b7d792579539c2203fdd014e662d30d12de

SHA512
8da8aba03bf55f9fe4b0ae054a071e59c5466f2ea54089b5ffff9287d2cdb1f4899aaadd7d78bf32bd0a5ceeb0b8bdb61da6646982a78f5308e0a7d04b67a8d8

Download Submit
C:\Users\Admin\Desktop\PAV\WindowsVista\BMP\KeyNoCommon.bmp

Filesize
65KB

MD5
32b015c5cb274c53137ef21b5d003096

SHA1
216ef9c2cb6deec47ea4067bac419d05b9310907

SHA256
ef9afde8416aa9e433dfb788aef7a89c4d6afed486b455624e37b45d69036ddb

SHA512
ccd0ef99de50a1518dffd9a30a5b6ef5ee296a5c84e875c4f399b43844abf6dd564d51a6d49903f174fb44be6fc6bbe3a247960cec86b3c2b86ed182e6818a7b

Download Submit
C:\Users\Admin\Desktop\PAV\WindowsVista\BMP\Renewal.bmp

Filesize
99KB

MD5
75e7c82def08d68ae8899f8188329b7f

SHA1
604af89f8cc5fc9b367f7648db90bbc0b3b8b2ab

SHA256
4bc667eb5a7f106817a8376c8af1c0543aa5b14daa416bef3513268681c731bc

SHA512
00e7c880f126cbc608a437a24db34c60d952722a919175b5d2d7f5808fe3dc09936ed752101dd2ab3b4ab27d90205f6991f4f98b54e7bcda2f175f98f87deb72

Download Submit
C:\Users\Admin\Desktop\PAV\WindowsVista\Setup.exe

Filesize
646KB

MD5
bf8786d57fb062f8c1f8fa46a6a86462

SHA1
3d50ebb71ef88a59baafd1391c3f1487243590c5

SHA256
832d1d4cfd2ddfb67cc27ffbd35b7195911c43fa4bf893e98016172facbc15fe

SHA512
80457189f5ca4e2ea79ced2d0085a653ea741950886d1bb6a16e3be5fa20def2b68d174cf898526d4aafbee1e240d5dd57fe659c806c20ea6be29da9f515a34a

Download Submit
C:\Users\Admin\Desktop\PAV\Windows\BMP\CP\Commonbmp.bmp

Filesize
65KB

MD5
b77647ed0a9c0a48b999bd021e9c8269

SHA1
57bed6d1c3493e31449388f49cee30444ad077a6

SHA256
6f63abbbae182c411e4264f92f3273197816e5b5416232efb904ce07eb3bf477

SHA512
8aec38eaa2b8bf4d6fa8670933db47941140777986ada9e74cfb747f9f0251542cec5207548543ba162aa30ae69e0e18c57e3a9fbcebce917d3ecc131dd6480f

Download Submit
C:\Users\Admin\Desktop\PAV\Windows\Common Files\FilesexistsCrashProof.dat

Filesize
392B

MD5
ac570b980151c309504b894bc17a3fbc

SHA1
9a266314d27a62dc2d01ea5f358d392b50de7349

SHA256
056e87c1ff780100586e9edef2f26c9dc40d553278b843a6643bc3a79585aef4

SHA512
50c28e19c3b1cc6e6197e90194fcbc312b47d3df33d57f5829db31951f726f2453099b4aefd34e087c43bb22a42d645fa5f1ba8b327f489f41aafd82ae4cfbb7

Download Submit
C:\Users\Admin\Desktop\PAV\Windows\Common Files\ReadmeCrashProof.chm

Filesize
391KB

MD5
ab1c394fa61936d144510ccf09137b18

SHA1
1b832da83e72a71036d29b12d0e348c9b6c0a611

SHA256
4528ff09bd2fbaa2ee346616f9e559f84a2b06987620eb2afce08b062758a018

SHA512
f311e7a2194e4237782ee817fad6754c3438435329aa3b6bd4e940550879d1190881c3bdf67447ba571c8b7fba69dfc7ff1e026381f931b5c40224d6f43e4e10

Download Submit
C:\Users\Admin\Desktop\x

Filesize
4KB

MD5
214f98cb6a54654a4ca5c456f16aed0a

SHA1
2229090d2f6a1814ba648e5b5a5ae26389cba5a0

SHA256
45f18ccd8df88c127304a7855a608661b52b0ca813e87e06d87da15259c45037

SHA512
5f058b05f166e2688df7b3960e135ada25bbcdfbb62a11da3cf9e70c08c51e5589a1e6ca2250318a694d27197f2c5ba1028c443831c43fba2171ca8e072e9873

Download Submit
C:\Users\Admin\Desktop\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Users\Admin\Downloads\Bonzify(5).exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Downloads\Bonzify.2lirgtel.exe.part

Filesize
64KB

MD5
152323f9932537510a8b47786483fed8

SHA1
912a2d2fe608c590f651b437119c495afc42fa22

SHA256
dda8e5f8c63d66b469447c38a118ffde07516d396aa90c9c93285a04769028ee

SHA512
d9819228017a14b3431f7f24196327cfca906985746f06da964f7aee84929827dbaae628e932179449c587c21d115b215a00593f046bc52c1cc1415d2414d1d2

Download Submit
C:\Users\Admin\Downloads\P360Setup.DsUx-XbI.exe.part

Filesize
15KB

MD5
386f8b652b46865e19040dac0bba09dc

SHA1
dcc280ad5841936bde8103e6e7edbe4f63f21ed7

SHA256
24bf8fcb5b3f93e4dad4eb5c1813934701094adf1017920e14a9c881c8c993d3

SHA512
7e720bca84289d83185f00a6f1c38db2bdc9f5c750bfcc07a5d8ba6bb91b1e54d525c3282c73947d34d717f088353412c26bee06d18d6fdc088f044c876d09f1

Download Submit
C:\Users\Admin\Downloads\PAVSetup (1).hiPG1LVS.exe.part

Filesize
125KB

MD5
3a908438542329705b7bf3f527a13a85

SHA1
3840c4b5bc2d904d7254b36cff8a9b77ada0b16b

SHA256
aea469b73af8ff41d241ef24370aae85936b2ea61dcf78f4db9e1d243ef88161

SHA512
50d5c767e41a1082f34b4373a8f6a4c5017b9314c43037ccf131fdbc36591a1b9892003bbc48353de9f0f040680b849797cdb8d588c63b16162fe6098813efe7

Download Submit
C:\Windows\Getdisk.exe

Filesize
32KB

MD5
6558e58f92c8adac2878f6ea36cda280

SHA1
0201b979d1d509f013aad388e28d9b6e934ce231

SHA256
cd057c28cbb6955596dd63316611996b8f115c603b2c347d74c2068a4a11c186

SHA512
a98dce73456015a12f99a9de0dc6143c4279f2f06cd631e0482a0f6e0feff0b6b3817fce1272b2ba9b8b4630a32618a98c9bc5a9e0b35933c859311dcb8e5522

Download Submit
C:\Windows\System32\drivers\netfilter2.sys

Filesize
62KB

MD5
cc5bdbe0fa812016b04f6d2329967740

SHA1
6269a6f4d71ed9dd30514bfa8e0302a38af53e73

SHA256
5231e95ee03da58bf89cd3de77aeb5f8b8452a9d776652d2004f93f8b85cdd9d

SHA512
b17b3435712d42ca207a444a1f44fbad201ff88d9d13b4b931380fa65c4557541913e61c89e24b57b13a1d4c31e758f23a0155f8ec4ce33a944a7c8d72927df6

Download Submit
C:\Windows\unP360.exe

Filesize
795KB

MD5
c0ce0ec6a4492bb301d796a67b701301

SHA1
46908de5ef976b970c166b5f5409101543a5b91a

SHA256
19cdc94a9dc7f20a0ec90c39eb4149a83cc224136f4ffde78332de2a468c851d

SHA512
0bdf0f9c82cf21bb5b22edacee393790dc1323f8a3463187bc396486b004272de7f18b3d8c94066761308efdb14e3098889dcc94ae7633c23342a47a36af0875

Download Submit
\P360\Setup.exe

Filesize
2.5MB

MD5
cc7795f85d4066d195fe83560fefc9a1

SHA1
d47620900b0d270f2a5456da4bd7919577a3a313

SHA256
8a621b3c68fcc6cfde03a59644134c5d88b1e3bc41a34b2da82fb951a3962a55

SHA512
c8cdd4c150c920d7beade17c59e87014b5df1813aeb9be1635726227cdf546bb2e4aecb5d8041100f7c8ed3b010569ca725158e8067f95fe09c9cdb52611a7ea

Download Submit
\Program Files (x86)\Protegent360\Protegent360.exe

Filesize
3.8MB

MD5
62b84c8686a122fa78cf6c27430a35c6

SHA1
6c07995ab38cf8204e1d3365a0162e9834a064ec

SHA256
0a6cb36c82ee4af846c1ae1f70887a6a94ea26afdb17b01555527c9776aa1f77

SHA512
35a19933c230ccaf74438305334b48ef10d2486e2d5b7fe23c1d601663b3ab5c7648d6a80b7a72e4c53054c024c2448317b547da800da147ceb9d632a7cbe98f

Download Submit
\Program Files (x86)\Protegent360\Uninstall.exe

Filesize
2.5MB

MD5
57f9e7064a07b7e9654195454970bdd7

SHA1
9646d217a964ab33bf9e8a59c3143290590248be

SHA256
823d849a3463ed18a273be43937fc2dc249f9a1a0633f31dd6cf55fcb58d8259

SHA512
449717aa8e544149b51cacb9e28908ad31690d08266ee94f2b9e195bd1e7ec62978c45206935d0b615d26b732420fc8e3bfa9f2845dfffdc4e5acd7dbe1cc055

Download Submit
\Users\Admin\AppData\Local\Temp\is-FHIBM.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-L5J52.tmp\USPL-P360-S65.tmp

Filesize
784KB

MD5
2945f1b21dc256d8cc182d5d94fb7a8b

SHA1
2839f3bc1629914294766919e9707dee80d61f03

SHA256
2a5f86d74c349133debf43979202c8adce0d0b37eadbbc79231e4f7da8c7fd6e

SHA512
41fa38b4f695044691fec85bce83290c823be41a252573a564815c0cadbbeca6d20cf584127f380d26cc170f096de13b7cfe40d07d1c2269a0515cb02bec70aa

Download Submit
\Users\Admin\AppData\Local\Temp\is-SSHNB.tmp\ProtegentTS.tmp

Filesize
697KB

MD5
6a630cc036fb10b7858235f83b5ef334

SHA1
3f0c68d47c8d801eea56546980ab00db4c861534

SHA256
35c2ff541f7ff0abe01dc2fa761e75e08385dd84ee2bdf73ec43dcaca8081a64

SHA512
9b669c4eca55cb12903b5e96804a48b59dcfcd7765610f6aaab5c8f55a1b84b55ddb715ae413d4197df4dfed4405c32a5c04fb4043a6d35264464ca4a855dec3

Download Submit
\Users\Admin\Desktop\PAV\Setup.exe

Filesize
285KB

MD5
4719ed774afa76d6028dff47b7f598f5

SHA1
d1436ddb767ca049ae3add305e6fe7ed59fe42f9

SHA256
576aaff9d3cc238476d6d66190c8f223fe7c849f271943d455c897a43cf6769a

SHA512
a22e0fb37dadfbd538c0aef7259214b660a6e9537ff7eb3f53b2cfbd00b47611e76a60b370b73290511dff0699d246e4ee9a42f541605b765e5aa6dcd10d49ca

Download Submit
memory/300-4207-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/300-3819-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1068-3183-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1068-3714-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1068-3722-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1236-3723-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1236-3818-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1312-7282-0x0000000005990000-0x0000000005992000-memory.dmp

Filesize
8KB

Download
memory/1692-5801-0x0000000001E30000-0x0000000001E85000-memory.dmp

Filesize
340KB

Download
memory/1720-5131-0x0000000000E90000-0x0000000000F3E000-memory.dmp

Filesize
696KB

Download
memory/1808-4013-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1808-4012-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1944-3715-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/1944-3721-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/2144-3817-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2152-3115-0x0000000000C90000-0x0000000000E03000-memory.dmp

Filesize
1.4MB

Download
memory/2152-3113-0x0000000000950000-0x00000000009A7000-memory.dmp

Filesize
348KB

Download
memory/2152-3111-0x0000000000260000-0x00000000002BC000-memory.dmp

Filesize
368KB

Download
memory/2300-3014-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2300-2956-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2300-2958-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2300-2980-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2300-3169-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2576-5528-0x0000000000E90000-0x0000000000F3E000-memory.dmp

Filesize
696KB

Download
memory/3128-4163-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3128-4010-0x0000000003F70000-0x0000000003FC5000-memory.dmp

Filesize
340KB

Download
memory/3520-2937-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3524-2742-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3524-2938-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3600-10292-0x0000000000B70000-0x0000000000C1E000-memory.dmp

Filesize
696KB

Download
memory/3600-4963-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/3912-2955-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3912-3170-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3912-2942-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3976-3107-0x0000000000820000-0x0000000000993000-memory.dmp

Filesize
1.4MB

Download
memory/3976-3104-0x00000000000F0000-0x000000000014C000-memory.dmp

Filesize
368KB

Download
memory/3976-3105-0x00000000001B0000-0x0000000000207000-memory.dmp

Filesize
348KB

Download
memory/4068-13643-0x0000000074920000-0x0000000074928000-memory.dmp

Filesize
32KB

Download
memory/4272-5826-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4272-10404-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4316-5701-0x00000000000A0000-0x000000000014E000-memory.dmp

Filesize
696KB

Download
memory/4384-4990-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4488-11042-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4512-5012-0x0000000000D10000-0x0000000000DBE000-memory.dmp

Filesize
696KB

Download
memory/4512-5007-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/4664-5731-0x00000000000F0000-0x0000000000102000-memory.dmp

Filesize
72KB

Download
memory/4784-13533-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4804-5042-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/5092-4767-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5092-4836-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5112-4835-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download