hxxps://l[.]facebook[.]com/l[.]php?u=AT2XxCbjVjZEuf4J1iOKOwIql9nXkDd9PylVnza4XOb-u5lt30aevZdScUPu7BGXsjRKrNdZ-sk_KvYnZTDJbAkJ7zfR&h=AT25GomPtk3RrRqn4BxfXCIg2zV_MOA-cKnWfbsr-pivLZ8N26WyNxFunkVrhc2h_-1J3Ruw88o3LRxmPX1oTgR-QlA1vBUlAVFXQxf_ctQFMKHLu0WSyml7b87t3fj8gAA8QiY&__cft__0=AZWODYLpvI9VX1z6NqVUZqJr0MKHlzQDbdsa07yPinEcydKsxtUI25oPZzOvvbKenYgKhMdIHBkmFzr7eyC4H4eEP25CTk6Tum_VLTEpmnkgjnZGdIONPqSvdN9-04XjhuNlG5XIagRtwbUhYbCsTao39N3FHwE_saCKXGkQRZo63KKxG2fDHDUPSQ1CxwsHZ2vxdhZmKJUXdMh3IIUx1vc08G6-Zg-jQSaSGjiuedSKafPclT07VcQByR1NDxTIHGIDWYuMnpEZ1qXpw2jMWNmMMiD1cYE40Lx-0rZuTQk0dYASgNGbRXdDZplH70htLYM&__tn__=H-R

Analysis

max time kernel
1128s
max time network
1133s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://l.facebook.com/l.php?u=AT2XxCbjVjZEuf4J1iOKOwIql9nXkDd9PylVnza4XOb-u5lt30aevZdScUPu7BGXsjRKrNdZ-sk_KvYnZTDJbAkJ7zfR&h=AT25GomPtk3RrRqn4BxfXCIg2zV_MOA-cKnWfbsr-pivLZ8N26WyNxFunkVrhc2h_-1J3Ruw88o3LRxmPX1oTgR-QlA1vBUlAVFXQxf_ctQFMKHLu0WSyml7b87t3fj8gAA8QiY&__cft__0=AZWODYLpvI9VX1z6NqVUZqJr0MKHlzQDbdsa07yPinEcydKsxtUI25oPZzOvvbKenYgKhMdIHBkmFzr7eyC4H4eEP25CTk6Tum_VLTEpmnkgjnZGdIONPqSvdN9-04XjhuNlG5XIagRtwbUhYbCsTao39N3FHwE_saCKXGkQRZo63KKxG2fDHDUPSQ1CxwsHZ2vxdhZmKJUXdMh3IIUx1vc08G6-Zg-jQSaSGjiuedSKafPclT07VcQByR1NDxTIHGIDWYuMnpEZ1qXpw2jMWNmMMiD1cYE40Lx-0rZuTQk0dYASgNGbRXdDZplH70htLYM&__tn__=H-R

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

CNQ.exeDiskCompactionTool.exeBravia.exe

pid process

1704 CNQ.exe
936 DiskCompactionTool.exe
344 Bravia.exe

pid	process
1704	CNQ.exe
936	DiskCompactionTool.exe
344	Bravia.exe

Loads dropped DLL 15 IoCs

Processes:

AlbumPrettyGirl.exeDiskCompactionTool.exeBravia.exe

pid	process
1172	AlbumPrettyGirl.exe
936	DiskCompactionTool.exe
936	DiskCompactionTool.exe
936	DiskCompactionTool.exe
936	DiskCompactionTool.exe
936	DiskCompactionTool.exe
344	Bravia.exe
344	Bravia.exe
344	Bravia.exe
344	Bravia.exe
344	Bravia.exe
344	Bravia.exe
344	Bravia.exe
344	Bravia.exe
344	Bravia.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CNQ.exeDiskCompactionTool.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Speaker2020 = "C:\\Users\\Admin\\AppData\\Roaming\\Canon\\CNQ.exe"	CNQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\BlueStacks_bgp64 = "C:\\Users\\Admin\\AppData\\Roaming\\Bluestack\\DiskCompactionTool.exe"	DiskCompactionTool.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 40996022c701d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEdata.dat

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\tineye.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	data.dat
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{57A21CA1-6DBA-11ED-9D78-7225AF48583A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10aa3134c701d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376253237"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\tineye.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000030c86b0602c8c9f444be19c165ca615bb5668f167297b7c55a93667cab17fa7a000000000e8000000002000020000000629b79b10cdb5ad086b31c6035d68aeaf895eb4fd60a9ad19e1af9f3219d764a20000000c3633f0877ae23a4a2e12a385a4dc81e602c794ec529365195eb71e9a4708e00400000002b33aaad48e507cf983215aeeb58d8b6395aae3fbea5a3e03342dfa8bcb28a38b2791da029a3c68dcd729aee655adbc6e628b4b9ac75d962df4188d35faf1d79	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000ffa55ee459091ccad6517c218f15bf37508576bc46ea5adef3177147a2ec062b000000000e8000000002000020000000744460d6a90a798b35362538d6696a69a2e06550db42c0e1b1f475077348a4589000000061ef0e42d7c65588edb26566e1b8c67426ddd7cc44e95645132718b119090e5b6af6565b5055b460289c869ac3969e3cfc8773dd73a7b41aa00985d9c2a2d1fae610de99ca0308a4fa8a35999f046d1bf22d81b350c11cc017b1f36bd733089ce9816a17f8c559025f845ab890c7ee88dfa5e99db1c112bf9e7da106cc1e7a4f220a197acb275620df06acbe7762c0ff40000000a652fa75c13e70f36abb310f9c70301973c7a401bdbc19c258850c2a23eb7af55c30486e2781a39d0c592ef837f5d6af568346f0a273ecebd708ae13aefffc8c	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

CNQ.exe

pid process

1704 CNQ.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CNQ.exeDiskCompactionTool.exe

description pid process

Token: SeDebugPrivilege 1704 CNQ.exe
Token: SeDebugPrivilege 936 DiskCompactionTool.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1204 iexplore.exe
1204 iexplore.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

iexplore.exeIEXPLORE.EXEdata.dat

pid process

1204 iexplore.exe
1204 iexplore.exe
1384 IEXPLORE.EXE
1384 IEXPLORE.EXE
916 data.dat
916 data.dat
1384 IEXPLORE.EXE
1384 IEXPLORE.EXE
1204 iexplore.exe

pid	process
1704	CNQ.exe

description	pid	process
Token: SeDebugPrivilege	1704	CNQ.exe
Token: SeDebugPrivilege	936	DiskCompactionTool.exe

pid	process
1204	iexplore.exe
1204	iexplore.exe

pid	process
1204	iexplore.exe
1204	iexplore.exe
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE
916	data.dat
916	data.dat
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE
1204	iexplore.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

iexplore.exeAlbumPrettyGirl.exeCNQ.exeDiskCompactionTool.exe

description	pid	process	target process
PID 1204 wrote to memory of 1384	1204	iexplore.exe	IEXPLORE.EXE
PID 1204 wrote to memory of 1384	1204	iexplore.exe	IEXPLORE.EXE
PID 1204 wrote to memory of 1384	1204	iexplore.exe	IEXPLORE.EXE
PID 1204 wrote to memory of 1384	1204	iexplore.exe	IEXPLORE.EXE
PID 1172 wrote to memory of 916	1172	AlbumPrettyGirl.exe	data.dat
PID 1172 wrote to memory of 916	1172	AlbumPrettyGirl.exe	data.dat
PID 1172 wrote to memory of 916	1172	AlbumPrettyGirl.exe	data.dat
PID 1172 wrote to memory of 916	1172	AlbumPrettyGirl.exe	data.dat
PID 1172 wrote to memory of 1704	1172	AlbumPrettyGirl.exe	CNQ.exe
PID 1172 wrote to memory of 1704	1172	AlbumPrettyGirl.exe	CNQ.exe
PID 1172 wrote to memory of 1704	1172	AlbumPrettyGirl.exe	CNQ.exe
PID 1704 wrote to memory of 936	1704	CNQ.exe	DiskCompactionTool.exe
PID 1704 wrote to memory of 936	1704	CNQ.exe	DiskCompactionTool.exe
PID 1704 wrote to memory of 936	1704	CNQ.exe	DiskCompactionTool.exe
PID 1704 wrote to memory of 936	1704	CNQ.exe	DiskCompactionTool.exe
PID 936 wrote to memory of 344	936	DiskCompactionTool.exe	Bravia.exe
PID 936 wrote to memory of 344	936	DiskCompactionTool.exe	Bravia.exe
PID 936 wrote to memory of 344	936	DiskCompactionTool.exe	Bravia.exe
PID 936 wrote to memory of 344	936	DiskCompactionTool.exe	Bravia.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://l.facebook.com/l.php?u=AT2XxCbjVjZEuf4J1iOKOwIql9nXkDd9PylVnza4XOb-u5lt30aevZdScUPu7BGXsjRKrNdZ-sk_KvYnZTDJbAkJ7zfR&h=AT25GomPtk3RrRqn4BxfXCIg2zV_MOA-cKnWfbsr-pivLZ8N26WyNxFunkVrhc2h_-1J3Ruw88o3LRxmPX1oTgR-QlA1vBUlAVFXQxf_ctQFMKHLu0WSyml7b87t3fj8gAA8QiY&__cft__0=AZWODYLpvI9VX1z6NqVUZqJr0MKHlzQDbdsa07yPinEcydKsxtUI25oPZzOvvbKenYgKhMdIHBkmFzr7eyC4H4eEP25CTk6Tum_VLTEpmnkgjnZGdIONPqSvdN9-04XjhuNlG5XIagRtwbUhYbCsTao39N3FHwE_saCKXGkQRZo63KKxG2fDHDUPSQ1CxwsHZ2vxdhZmKJUXdMh3IIUx1vc08G6-Zg-jQSaSGjiuedSKafPclT07VcQByR1NDxTIHGIDWYuMnpEZ1qXpw2jMWNmMMiD1cYE40Lx-0rZuTQk0dYASgNGbRXdDZplH70htLYM&__tn__=H-R
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1204 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Users\Admin\Documents\AlbumPrettyGirl\AlbumPrettyGirl.exe
"C:\Users\Admin\Documents\AlbumPrettyGirl\AlbumPrettyGirl.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\Documents\AlbumPrettyGirl\data.dat
"C:\Users\Admin\Documents\AlbumPrettyGirl\data.dat"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:916

C:\Users\Admin\AppData\Roaming\Canon\CNQ.exe
"C:\Users\Admin\AppData\Roaming\Canon\CNQ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Roaming\Bluestack\DiskCompactionTool.exe
"C:\Users\Admin\AppData\Roaming\Bluestack\DiskCompactionTool.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Roaming\Bravia\Bravia.exe
"C:\Users\Admin\AppData\Roaming\Bravia\Bravia.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
1KB

MD5
fe56e8724f14ce1f3b7aefb4a62b0c16

SHA1
bdac2e002becfc2b8ffca0973540fa2851d21ebd

SHA256
3d06f4d78345d522e29652ada389e858ed290fcf2b3b783b1009f0525d55c7a4

SHA512
a5c18aeb916a3d1c68289c1b54a2e2269834bc8cd0df3702e98a4d0d480d74ff1cb663b184de89938f1d9c357d05e075ad27cd2f4bc09e02cd213c1fffb27950

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
446B

MD5
fcebcbc03ae826be646d10019ecc5184

SHA1
1881c11e897aac59cf401e6ce19b5f4c8fbf6bfd

SHA256
3ec53b9575407a2819afaf14016533a844813944e8695f49131bf475b820bc28

SHA512
af370e61beffb16285d4ee894468f0ddc45850be3feb4afc1ffa1c7ae06c2552893d348f1a3fe26110e05abf99b84c70de4d4ef934f77903121199f1f33d44c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
c44bc9e5fe84c964e42b37cb7ec9f3f0

SHA1
c4ae91ff09bab65ad48e060f338864a8288318dc

SHA256
42863a9c56b0c50d235c1adcce6c3d864c1b77c278bde023fddedea4f4a2b6d2

SHA512
32f576a10821fcc8a3d6fab76af570e6418dd50f3d42480b4b583981e8debec8fc3fdf2f1d66d018db2d28d546f9ffbb47fa2c768c76f8dcc8c8791f2d2f20c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
Filesize
26KB

MD5
a94c19afaada5edfbe91474f1c62c9cd

SHA1
8625dbf142c978ed0dc5f020800196ac3ff459fe

SHA256
6fbfb379505e1b3a7c80df6bc67a1ff5e6527f77bfcc048b5499a98bb03fab09

SHA512
f601e5910d3d7cca89d18bdabcc86c7537ff8860819bb54f99318f4a93ab6d3ff60764b18a71b107f96ca7b6b924cf88e52181c0089ad2a9ea172095720535a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
Filesize
12KB

MD5
a5537a2a51f4a61180ff96b76f4f88c4

SHA1
cba4e3ad080156ab376a76186bdc98eef95a55ce

SHA256
c2d74ef120ee513e7a8496527946598adaef79fc471cad578262c4a92e895977

SHA512
d2484f30ec202536e24d3b149a99cb39f243c229613f99ee09b801b3a6eb1fa69e7308e890c610404c702c98b0d61d2855ccdc66cc26dd780aa654e58cd43bc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
Filesize
12KB

MD5
a5537a2a51f4a61180ff96b76f4f88c4

SHA1
cba4e3ad080156ab376a76186bdc98eef95a55ce

SHA256
c2d74ef120ee513e7a8496527946598adaef79fc471cad578262c4a92e895977

SHA512
d2484f30ec202536e24d3b149a99cb39f243c229613f99ee09b801b3a6eb1fa69e7308e890c610404c702c98b0d61d2855ccdc66cc26dd780aa654e58cd43bc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\AlbumPrettyGirl.zip.tcvqmd5.partial
Filesize
8.6MB

MD5
f4d796851e7cc41d79d459032ebfd82f

SHA1
6f5f26f9b44b7903695e4e129bbb09c40b101dd5

SHA256
4b1a069b648770cb53d5e45fe1a47dd3ad3982c811134aaaf7284e4a94a06253

SHA512
b89c28bf818b8011a7e440e399baf99062187a107490a1e8086606006aa361b3a0db3a4cd996710bf168892218c9ed5cb75f2689fded719f1e22cb122b56bf80

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\ComponentToolkit.dll
Filesize
102KB

MD5
e18cf4b28e38fa3c9b71d646cd3efccb

SHA1
27c68164ec35b59c3e3f6b372f1145fa969d189e

SHA256
da203abb85e4e9a03f7c04e4a29dac4113deeed0a059e61fd74ffeb1f63c7843

SHA512
2fec8ba5025496ffacf2c27e6c4596be8a9b25f01c152b27b5b655378bccb6024fc50ea2488b20482fe68033e75a1a212bcb75501d9091974169f48d52544e2a

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\DiskCompactionTool.exe
Filesize
1.4MB

MD5
53f5ca6d6d81f5bff1a4c1987e0dbc08

SHA1
71a0514643e7af48bdf78a59b73a7d9e9bf723a3

SHA256
9214231d48270199f1239631e5ff54910794ec2b1f610d9d4c996f90775d33fb

SHA512
3a04b3cf08ddf1a2328fb7987ed3fe69bc66368c97527aacfa6748b3496cdf47cf8c0b149b2e382414850fc31710f005b3ecb035cbd5a321744b95cd9bdea0ea

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\DiskCompactionTool.exe
Filesize
1.4MB

MD5
53f5ca6d6d81f5bff1a4c1987e0dbc08

SHA1
71a0514643e7af48bdf78a59b73a7d9e9bf723a3

SHA256
9214231d48270199f1239631e5ff54910794ec2b1f610d9d4c996f90775d33fb

SHA512
3a04b3cf08ddf1a2328fb7987ed3fe69bc66368c97527aacfa6748b3496cdf47cf8c0b149b2e382414850fc31710f005b3ecb035cbd5a321744b95cd9bdea0ea

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\DiskCompactionTool.exe.config
Filesize
310B

MD5
51796bbea926cafbb9309bca14132614

SHA1
b63ca71497366ba78360aa0ed717d8224e0bad9b

SHA256
b7e23432ac3b5552efe231cba78b34023ac94d6fecb2e7ffc37aceb0be4cdf40

SHA512
6c8483810cb6cd474002d21b69eed8c8c1886dd9901319a48f453825c04d23787d07a5a9ed4b3a896b0605eed1ffbcaf1a6a445f2f9f01a1818241d9fa585c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\InstantKeyLibrary.dll
Filesize
216KB

MD5
b3793d28a9215fee6ae576c54f7944e0

SHA1
50fbf806825896b90c632033adb7c69aed900ff6

SHA256
c40b504a3684d642b20d5309e45ee08dc25941c3e5b0108a315c236cf137f7e1

SHA512
f44efa281cf62908202a7dcc88d42bdfdc536adc40d500819f862bf766b8113551fd3285d6f42638c55fc4339589743bb941fb3e323951d45318d6be904f2e3b

Download Submit
C:\Users\Admin\AppData\Roaming\Bluestack\versionid.txt
Filesize
39B

MD5
6f465808e4f3b0fa8aa84f40db522f88

SHA1
5fdddbeed4d87b0cab40168f4405f31ad0ff380d

SHA256
1640baef9d1807880f2f7379cd1b20cd6630a8e4ff153d8cde0bcebf5421bf07

SHA512
b63a856de33582a9f1532913b208b0430943647eb0494e46680624cecc5a8e3409f8b293282a332637b3f676f5b507c09dea456d37df68ed8e67133142d0d4e5

Download Submit
C:\Users\Admin\AppData\Roaming\Bravia\Bravia.exe
Filesize
381KB

MD5
2131ffbb5613cc2f40d7394a2ecb71d7

SHA1
39d208df29c3aeedd7fa263f7fb58539d01f4c55

SHA256
c5e76fd1b882cd417d6ce3ebaff6977b2ad3e8444919dfef76055dd61d0f0397

SHA512
5ec6c0c4bdb794075c18d4a1228558c0bef3e9cd3389e9a832b3123a5f2314c1b6948e0765bc029c7ee5138481367ddaad347db251e5269675f3bf765c4f4b0c

Download Submit
C:\Users\Admin\AppData\Roaming\Bravia\Bravia.exe
Filesize
381KB

MD5
2131ffbb5613cc2f40d7394a2ecb71d7

SHA1
39d208df29c3aeedd7fa263f7fb58539d01f4c55

SHA256
c5e76fd1b882cd417d6ce3ebaff6977b2ad3e8444919dfef76055dd61d0f0397

SHA512
5ec6c0c4bdb794075c18d4a1228558c0bef3e9cd3389e9a832b3123a5f2314c1b6948e0765bc029c7ee5138481367ddaad347db251e5269675f3bf765c4f4b0c

Download Submit
C:\Users\Admin\AppData\Roaming\Bravia\CNQMUTIL.dll
Filesize
47KB

MD5
2d9d03835cf97a60c9be76f25c4f1712

SHA1
fed5453859a40e60ec1f24f9070376ffcef4759a

SHA256
276aa0bd110db59d7dd17b6fb256b9d52a358d95da10799bd138c27ba3f5afb2

SHA512
cd6cea9942852c449bdc2b9b3e71d26640dc079d09a947617d09d4ae4a4fb1e8faac1edce24c0bfb2888459e5e3bb9739c922a8023b33e99bc6fe67bb854818c

Download Submit
C:\Users\Admin\AppData\Roaming\Bravia\Newtonsoft.Json.dll
Filesize
562KB

MD5
486015a44a273c6c554a27b3d498365c

SHA1
cb08f5d7240dfcdcd77de754259b36c0d9a2a034

SHA256
6a168461c721fd14163751f7839fb8d67483cb5831f1b2b1ab3e96a68b82d384

SHA512
1578ed43e815017c269d2a37bb9cdc16d51209bfa6bdb7276ad67cbb39955708826973ac7f48c795e6a1361e7d2a14b14b6cea02ee9ecf396a4b02313aada1d6

Download Submit
C:\Users\Admin\AppData\Roaming\Bravia\System.Data.SQLite.dll
Filesize
400KB

MD5
68020ba2277a7d9e470c1dddb9e96e2c

SHA1
923d6797b7d955adf8844fffb8238efa44101b2c

SHA256
05dbf2927d669740902b5b9b403befb8d855b07a16afbb2cedab7a8c90f1833a

SHA512
e3643e053effc753a9dc3728c58eaceb43bca40016f457f70109b0370deaf9aec56f9817b88398b7c076b2c69993043a2fa8fa0e544b6b1e19ec906c8c8cef59

Download Submit
C:\Users\Admin\AppData\Roaming\Bravia\x86\SQLite.Interop.dll
Filesize
1.3MB

MD5
730e57d00a8699352cfb15ec1159afd0

SHA1
3ce30190d1f64dcb4572f0dd0efc065d58407dd9

SHA256
29f4c07e9c5b265976967d8afe435b0e74bb6169c20090d856fbcc42a4bf48f0

SHA512
b5bbc861884d4ce0a0846688d493f7a84b97076849ab81fdf3631a525dd99a12c7156a9d43b3019f91a912ab102669b651c5f6c2967142c29d2b41e76aefd3df

Download Submit
C:\Users\Admin\AppData\Roaming\Canon\CNQ.exe
Filesize
11KB

MD5
549c1d520428afe6d3a631903a4ed879

SHA1
4c9808d9a792abbf356412875a0196a28a97d455

SHA256
3b49b8f4ef2fc22d22217c024112e3418db80c195f7c930b4f2689b341055698

SHA512
ba7c6076f3d4421fed22d55f4cd97cf0707e337cbe8cab8d4e9f57ebceb1ebbc1ce2a7579e99b01b4db9ab401ae26432ba68673b471bbf039a0f7cc8f0758718

Download Submit
C:\Users\Admin\AppData\Roaming\Canon\CNQ.exe
Filesize
11KB

MD5
549c1d520428afe6d3a631903a4ed879

SHA1
4c9808d9a792abbf356412875a0196a28a97d455

SHA256
3b49b8f4ef2fc22d22217c024112e3418db80c195f7c930b4f2689b341055698

SHA512
ba7c6076f3d4421fed22d55f4cd97cf0707e337cbe8cab8d4e9f57ebceb1ebbc1ce2a7579e99b01b4db9ab401ae26432ba68673b471bbf039a0f7cc8f0758718

Download Submit
C:\Users\Admin\AppData\Roaming\Canon\SystemMetadataCollector.dll
Filesize
203KB

MD5
a8f8e831f6ebf39b5ae3628c023ac343

SHA1
a4dc651d2afe1cfbc1822afc656163a5dafd194a

SHA256
f6705eb9940ca16a161297efa0b19c8eb198be26fe7b83305a9f1a0c02a41fcf

SHA512
25574a2a998336e3d113dee2b1496dc5fc4beb4167dadeb2a2f29674513a001046f8ea296a03561b79734b760a0afd1082010ccd79f229ca421cb1af0f40b4b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BFN9Z8QB.txt
Filesize
608B

MD5
c1db87c09f9ea758f67cf8df18a3b74d

SHA1
540c6f578a61726cd67614c5ad48d4df1c0bdb37

SHA256
b103dfb36385c11c7e9dd2593c339662b43e637be52df634e24a7f1c62c87285

SHA512
bd3ca0c186be3bde150f0c793092073cd36eb51e7f492552e9080044afae0f7e93330390d77a2469e5b02476cccb8083c7636ac6bc721ee76e42d637709e5938

Download Submit
\Users\Admin\AppData\Roaming\Bluestack\ComponentToolkit.dll
Filesize
102KB

MD5
e18cf4b28e38fa3c9b71d646cd3efccb

SHA1
27c68164ec35b59c3e3f6b372f1145fa969d189e

SHA256
da203abb85e4e9a03f7c04e4a29dac4113deeed0a059e61fd74ffeb1f63c7843

SHA512
2fec8ba5025496ffacf2c27e6c4596be8a9b25f01c152b27b5b655378bccb6024fc50ea2488b20482fe68033e75a1a212bcb75501d9091974169f48d52544e2a

Download Submit
\Users\Admin\AppData\Roaming\Bluestack\ComponentToolkit.dll
Filesize
102KB

MD5
e18cf4b28e38fa3c9b71d646cd3efccb

SHA1
27c68164ec35b59c3e3f6b372f1145fa969d189e

SHA256
da203abb85e4e9a03f7c04e4a29dac4113deeed0a059e61fd74ffeb1f63c7843

SHA512
2fec8ba5025496ffacf2c27e6c4596be8a9b25f01c152b27b5b655378bccb6024fc50ea2488b20482fe68033e75a1a212bcb75501d9091974169f48d52544e2a

Download Submit
\Users\Admin\AppData\Roaming\Bluestack\InstantKeyLibrary.dll
Filesize
216KB

MD5
b3793d28a9215fee6ae576c54f7944e0

SHA1
50fbf806825896b90c632033adb7c69aed900ff6

SHA256
c40b504a3684d642b20d5309e45ee08dc25941c3e5b0108a315c236cf137f7e1

SHA512
f44efa281cf62908202a7dcc88d42bdfdc536adc40d500819f862bf766b8113551fd3285d6f42638c55fc4339589743bb941fb3e323951d45318d6be904f2e3b

Download Submit
\Users\Admin\AppData\Roaming\Bluestack\InstantKeyLibrary.dll
Filesize
216KB

MD5
b3793d28a9215fee6ae576c54f7944e0

SHA1
50fbf806825896b90c632033adb7c69aed900ff6

SHA256
c40b504a3684d642b20d5309e45ee08dc25941c3e5b0108a315c236cf137f7e1

SHA512
f44efa281cf62908202a7dcc88d42bdfdc536adc40d500819f862bf766b8113551fd3285d6f42638c55fc4339589743bb941fb3e323951d45318d6be904f2e3b

Download Submit
\Users\Admin\AppData\Roaming\Bravia\Bravia.exe
Filesize
381KB

MD5
2131ffbb5613cc2f40d7394a2ecb71d7

SHA1
39d208df29c3aeedd7fa263f7fb58539d01f4c55

SHA256
c5e76fd1b882cd417d6ce3ebaff6977b2ad3e8444919dfef76055dd61d0f0397

SHA512
5ec6c0c4bdb794075c18d4a1228558c0bef3e9cd3389e9a832b3123a5f2314c1b6948e0765bc029c7ee5138481367ddaad347db251e5269675f3bf765c4f4b0c

Download Submit
\Users\Admin\AppData\Roaming\Bravia\CNQMUTIL.dll
Filesize
47KB

MD5
2d9d03835cf97a60c9be76f25c4f1712

SHA1
fed5453859a40e60ec1f24f9070376ffcef4759a

SHA256
276aa0bd110db59d7dd17b6fb256b9d52a358d95da10799bd138c27ba3f5afb2

SHA512
cd6cea9942852c449bdc2b9b3e71d26640dc079d09a947617d09d4ae4a4fb1e8faac1edce24c0bfb2888459e5e3bb9739c922a8023b33e99bc6fe67bb854818c

Download Submit
\Users\Admin\AppData\Roaming\Bravia\CNQMUTIL.dll
Filesize
47KB

MD5
2d9d03835cf97a60c9be76f25c4f1712

SHA1
fed5453859a40e60ec1f24f9070376ffcef4759a

SHA256
276aa0bd110db59d7dd17b6fb256b9d52a358d95da10799bd138c27ba3f5afb2

SHA512
cd6cea9942852c449bdc2b9b3e71d26640dc079d09a947617d09d4ae4a4fb1e8faac1edce24c0bfb2888459e5e3bb9739c922a8023b33e99bc6fe67bb854818c

Download Submit
\Users\Admin\AppData\Roaming\Bravia\Newtonsoft.Json.dll
Filesize
562KB

MD5
486015a44a273c6c554a27b3d498365c

SHA1
cb08f5d7240dfcdcd77de754259b36c0d9a2a034

SHA256
6a168461c721fd14163751f7839fb8d67483cb5831f1b2b1ab3e96a68b82d384

SHA512
1578ed43e815017c269d2a37bb9cdc16d51209bfa6bdb7276ad67cbb39955708826973ac7f48c795e6a1361e7d2a14b14b6cea02ee9ecf396a4b02313aada1d6

Download Submit
\Users\Admin\AppData\Roaming\Bravia\Newtonsoft.Json.dll
Filesize
562KB

MD5
486015a44a273c6c554a27b3d498365c

SHA1
cb08f5d7240dfcdcd77de754259b36c0d9a2a034

SHA256
6a168461c721fd14163751f7839fb8d67483cb5831f1b2b1ab3e96a68b82d384

SHA512
1578ed43e815017c269d2a37bb9cdc16d51209bfa6bdb7276ad67cbb39955708826973ac7f48c795e6a1361e7d2a14b14b6cea02ee9ecf396a4b02313aada1d6

Download Submit
\Users\Admin\AppData\Roaming\Bravia\Newtonsoft.Json.dll
Filesize
562KB

MD5
486015a44a273c6c554a27b3d498365c

SHA1
cb08f5d7240dfcdcd77de754259b36c0d9a2a034

SHA256
6a168461c721fd14163751f7839fb8d67483cb5831f1b2b1ab3e96a68b82d384

SHA512
1578ed43e815017c269d2a37bb9cdc16d51209bfa6bdb7276ad67cbb39955708826973ac7f48c795e6a1361e7d2a14b14b6cea02ee9ecf396a4b02313aada1d6

Download Submit
\Users\Admin\AppData\Roaming\Bravia\Newtonsoft.Json.dll
Filesize
562KB

MD5
486015a44a273c6c554a27b3d498365c

SHA1
cb08f5d7240dfcdcd77de754259b36c0d9a2a034

SHA256
6a168461c721fd14163751f7839fb8d67483cb5831f1b2b1ab3e96a68b82d384

SHA512
1578ed43e815017c269d2a37bb9cdc16d51209bfa6bdb7276ad67cbb39955708826973ac7f48c795e6a1361e7d2a14b14b6cea02ee9ecf396a4b02313aada1d6

Download Submit
\Users\Admin\AppData\Roaming\Bravia\System.Data.SQLite.dll
Filesize
400KB

MD5
68020ba2277a7d9e470c1dddb9e96e2c

SHA1
923d6797b7d955adf8844fffb8238efa44101b2c

SHA256
05dbf2927d669740902b5b9b403befb8d855b07a16afbb2cedab7a8c90f1833a

SHA512
e3643e053effc753a9dc3728c58eaceb43bca40016f457f70109b0370deaf9aec56f9817b88398b7c076b2c69993043a2fa8fa0e544b6b1e19ec906c8c8cef59

Download Submit
\Users\Admin\AppData\Roaming\Bravia\System.Data.SQLite.dll
Filesize
400KB

MD5
68020ba2277a7d9e470c1dddb9e96e2c

SHA1
923d6797b7d955adf8844fffb8238efa44101b2c

SHA256
05dbf2927d669740902b5b9b403befb8d855b07a16afbb2cedab7a8c90f1833a

SHA512
e3643e053effc753a9dc3728c58eaceb43bca40016f457f70109b0370deaf9aec56f9817b88398b7c076b2c69993043a2fa8fa0e544b6b1e19ec906c8c8cef59

Download Submit
\Users\Admin\AppData\Roaming\Bravia\x86\SQLite.Interop.dll
Filesize
1.3MB

MD5
730e57d00a8699352cfb15ec1159afd0

SHA1
3ce30190d1f64dcb4572f0dd0efc065d58407dd9

SHA256
29f4c07e9c5b265976967d8afe435b0e74bb6169c20090d856fbcc42a4bf48f0

SHA512
b5bbc861884d4ce0a0846688d493f7a84b97076849ab81fdf3631a525dd99a12c7156a9d43b3019f91a912ab102669b651c5f6c2967142c29d2b41e76aefd3df

Download Submit
\Users\Admin\AppData\Roaming\Canon\CNQ.exe
Filesize
11KB

MD5
549c1d520428afe6d3a631903a4ed879

SHA1
4c9808d9a792abbf356412875a0196a28a97d455

SHA256
3b49b8f4ef2fc22d22217c024112e3418db80c195f7c930b4f2689b341055698

SHA512
ba7c6076f3d4421fed22d55f4cd97cf0707e337cbe8cab8d4e9f57ebceb1ebbc1ce2a7579e99b01b4db9ab401ae26432ba68673b471bbf039a0f7cc8f0758718

Download Submit
memory/344-115-0x0000000000870000-0x0000000000890000-memory.dmp

Filesize
128KB

Download
memory/344-95-0x0000000001060000-0x00000000010C2000-memory.dmp

Filesize
392KB

Download
memory/344-92-0x0000000000000000-mapping.dmp

Download
memory/344-99-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/344-109-0x00000000006B0000-0x0000000000716000-memory.dmp

Filesize
408KB

Download
memory/344-103-0x0000000000760000-0x00000000007F2000-memory.dmp

Filesize
584KB

Download
memory/916-58-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/916-57-0x0000000000000000-mapping.dmp

Download
memory/936-83-0x0000000000310000-0x000000000034C000-memory.dmp

Filesize
240KB

Download
memory/936-75-0x0000000000000000-mapping.dmp

Download
memory/936-79-0x00000000010D0000-0x0000000001242000-memory.dmp

Filesize
1.4MB

Download
memory/936-88-0x0000000000470000-0x0000000000490000-memory.dmp

Filesize
128KB

Download
memory/1172-56-0x0000000000590000-0x00000000005E4000-memory.dmp

Filesize
336KB

Download
memory/1172-55-0x0000000000EE0000-0x0000000000F08000-memory.dmp

Filesize
160KB

Download
memory/1704-74-0x0000000000150000-0x000000000018A000-memory.dmp

Filesize
232KB

Download
memory/1704-72-0x000000013F100000-0x000000013F106000-memory.dmp

Filesize
24KB

Download
memory/1704-69-0x0000000000000000-mapping.dmp

Download