vidar | hxxps://www[.]dropbox[.]com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1[.]13%20%2B%20Zafiro%20EA%20FTMO%20v1[.]13[.]zip?dl=0

max time kernel
712s
max time network
715s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0

Score

10^/10

vidar 2ca19830ec2c67b5159166c89d3ebb74 discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

4.2

Botnet

2ca19830ec2c67b5159166c89d3ebb74

https://steamcommunity.com/profiles/76561199511129510

https://t.me/rechnungsbetrag

Attributes

profile_id_v2
2ca19830ec2c67b5159166c89d3ebb74
user_agent
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Blocklisted process makes network request 8 IoCs

flow	pid	Process
219	5732	cmd.exe
220	5732	cmd.exe
350	5848	cmd.exe
351	5848	cmd.exe
388	1044	cmd.exe
389	1044	cmd.exe
396	2136	cmd.exe
397	2136	cmd.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 64 IoCs

pid	Process
3800	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
3800	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
5056	zalupaonline.exe
5056	zalupaonline.exe
4776	zalupaonline.exe
4776	zalupaonline.exe
6032	zalupaonline.exe
6032	zalupaonline.exe
3024	zalupaonline.exe
3024	zalupaonline.exe
5348	zalupaonline.exe
5348	zalupaonline.exe
5164	Process not Found
5164	Process not Found
5136	zalupaonline.exe
5136	zalupaonline.exe
6000	zalupaonline.exe
6000	zalupaonline.exe
6060	zalupaonline.exe
6060	zalupaonline.exe
5520	zalupaonline.exe
5520	zalupaonline.exe
5600	zalupaonline.exe
5600	zalupaonline.exe
2196	zalupaonline.exe
2196	zalupaonline.exe
5732	cmd.exe
5732	cmd.exe
5372	zalupaonline.exe
5372	zalupaonline.exe
5300	zalupaonline.exe
5300	zalupaonline.exe
3128	zalupaonline.exe
3128	zalupaonline.exe
5752	zalupaonline.exe
5752	zalupaonline.exe
5284	zalupaonline.exe
5284	zalupaonline.exe
5916	zalupaonline.exe
5916	zalupaonline.exe
5512	zalupaonline.exe
5512	zalupaonline.exe
5644	zalupaonline.exe
5644	zalupaonline.exe
5648	zalupaonline.exe
5648	zalupaonline.exe
5216	zalupaonline.exe
5216	zalupaonline.exe
5596	zalupaonline.exe
5596	zalupaonline.exe
5152	snouden.exe
5152	snouden.exe
3024	snouden.exe
3024	snouden.exe
6136	snouden.exe
6136	snouden.exe
4116	snouden.exe
4116	snouden.exe
1524	snouden.exe
1524	snouden.exe
1288	snouden.exe
1288	snouden.exe
5828	snouden.exe
5828	snouden.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
3152	5532	WerFault.exe	112
556	5292	WerFault.exe	151
4696	4668	WerFault.exe	236
5328	5336	WerFault.exe	243
5212	232	WerFault.exe	271
544	4100	WerFault.exe	132
5768	5988	WerFault.exe	268
5924	4592	WerFault.exe	136
3184	4668	WerFault.exe	269
5340	3900	WerFault.exe	278
1820	948	WerFault.exe	275
5344	4264	WerFault.exe	283
5824	4776	WerFault.exe	260

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	snouden.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	snouden.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	snouden.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	snouden.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	snouden.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	snouden.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	snouden.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	snouden.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	snouden.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	snouden.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	snouden.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	snouden.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	snouden.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	snouden.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalupaonline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	snouden.exe

Delays execution with timeout.exe 63 IoCs

evasion

pid	Process
1424	timeout.exe
3164	timeout.exe
976	timeout.exe
5272	timeout.exe
5312	timeout.exe
5196	timeout.exe
4252	timeout.exe
5444	timeout.exe
2640	timeout.exe
2408	timeout.exe
5772	timeout.exe
1020	timeout.exe
5840	timeout.exe
568	timeout.exe
1244	timeout.exe
5404	timeout.exe
1396	timeout.exe
4956	timeout.exe
1520	timeout.exe
4672	timeout.exe
4424	timeout.exe
1664	timeout.exe
5916	timeout.exe
4596	timeout.exe
4480	timeout.exe
5808	timeout.exe
5304	timeout.exe
5332	timeout.exe
1788	timeout.exe
812	timeout.exe
1932	timeout.exe
5632	timeout.exe
5460	timeout.exe
4916	timeout.exe
5656	timeout.exe
6028	timeout.exe
2272	timeout.exe
5728	timeout.exe
4620	timeout.exe
5648	timeout.exe
6024	timeout.exe
1376	timeout.exe
1940	timeout.exe
4252	timeout.exe
5144	timeout.exe
5004	timeout.exe
3320	timeout.exe
4160	timeout.exe
5304	timeout.exe
2456	timeout.exe
4604	timeout.exe
6116	timeout.exe
688	timeout.exe
1540	timeout.exe
4816	timeout.exe
1396	timeout.exe
3188	timeout.exe
6004	timeout.exe
5460	timeout.exe
6132	timeout.exe
5756	timeout.exe
4596	timeout.exe
5144	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13(1).zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
5068	NOTEPAD.EXE
452	NOTEPAD.EXE
4820	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3800	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
3800	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
5056	zalupaonline.exe
5056	zalupaonline.exe
4776	zalupaonline.exe
4776	zalupaonline.exe
6032	zalupaonline.exe
6032	zalupaonline.exe
3024	zalupaonline.exe
3024	zalupaonline.exe
5348	zalupaonline.exe
5348	zalupaonline.exe
5164	Process not Found
5164	Process not Found
5136	zalupaonline.exe
5136	zalupaonline.exe
6000	zalupaonline.exe
6000	zalupaonline.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
6060	zalupaonline.exe
6060	zalupaonline.exe
5520	zalupaonline.exe
5520	zalupaonline.exe
5600	zalupaonline.exe
5600	zalupaonline.exe
2196	zalupaonline.exe
2196	zalupaonline.exe
5732	cmd.exe
5732	cmd.exe
5372	zalupaonline.exe
5372	zalupaonline.exe
5300	zalupaonline.exe
5300	zalupaonline.exe
3128	zalupaonline.exe
3128	zalupaonline.exe
5752	zalupaonline.exe
5752	zalupaonline.exe
5284	zalupaonline.exe
5284	zalupaonline.exe
5916	zalupaonline.exe
5916	zalupaonline.exe
5512	zalupaonline.exe
5512	zalupaonline.exe
5644	zalupaonline.exe
5644	zalupaonline.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3404	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3484	firefox.exe
Token: SeDebugPrivilege	3484	firefox.exe
Token: SeDebugPrivilege	3484	firefox.exe
Token: SeDebugPrivilege	3484	firefox.exe
Token: SeDebugPrivilege	3484	firefox.exe
Token: SeDebugPrivilege	3484	firefox.exe
Token: SeDebugPrivilege	3484	firefox.exe
Token: SeDebugPrivilege	3484	firefox.exe
Token: SeDebugPrivilege	3484	firefox.exe
Token: SeDebugPrivilege	5860	powershell.exe
Token: SeDebugPrivilege	3484	firefox.exe
Token: SeDebugPrivilege	3484	firefox.exe
Token: SeCreateGlobalPrivilege	3568	dwm.exe
Token: SeChangeNotifyPrivilege	3568	dwm.exe
Token: 33	3568	dwm.exe
Token: SeIncBasePriorityPrivilege	3568	dwm.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3484	firefox.exe
3484	firefox.exe
3484	firefox.exe
3484	firefox.exe
5888	AcroRd32.exe
4820	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3484	firefox.exe
3484	firefox.exe
3484	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3484	firefox.exe
3484	firefox.exe
3484	firefox.exe
3484	firefox.exe
3484	firefox.exe
3484	firefox.exe
3484	firefox.exe
3484	firefox.exe
3484	firefox.exe
3484	firefox.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
4620	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
648	AcroRd32.exe
6036	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
5888	AcroRd32.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe
3404	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 3484	4424	firefox.exe	84
PID 4424 wrote to memory of 3484	4424	firefox.exe	84
PID 4424 wrote to memory of 3484	4424	firefox.exe	84
PID 4424 wrote to memory of 3484	4424	firefox.exe	84
PID 4424 wrote to memory of 3484	4424	firefox.exe	84
PID 4424 wrote to memory of 3484	4424	firefox.exe	84
PID 4424 wrote to memory of 3484	4424	firefox.exe	84
PID 4424 wrote to memory of 3484	4424	firefox.exe	84
PID 4424 wrote to memory of 3484	4424	firefox.exe	84
PID 4424 wrote to memory of 3484	4424	firefox.exe	84
PID 4424 wrote to memory of 3484	4424	firefox.exe	84
PID 3484 wrote to memory of 3916	3484	firefox.exe	85
PID 3484 wrote to memory of 3916	3484	firefox.exe	85
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1096	3484	firefox.exe	86
PID 3484 wrote to memory of 1680	3484	firefox.exe	87
PID 3484 wrote to memory of 1680	3484	firefox.exe	87
PID 3484 wrote to memory of 1680	3484	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0
1⤵
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3484.0.1382992310\1835973812" -parentBuildID 20221007134813 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9eefa0f5-608c-4670-ae53-de8f93238710} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" 1936 21c7fdec558 gpu
    3⤵
    PID:3916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3484.1.840809588\1934242641" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66e3b548-0324-4907-807f-e12a670217e8} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" 2424 21c73577b58 socket
    3⤵
    PID:1096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3484.2.545997396\575567260" -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 3044 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48e26ed8-da42-4d46-a61d-2398a3262da5} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" 3280 21c042e5a58 tab
    3⤵
    PID:1680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3484.3.40924532\967155455" -childID 2 -isForBrowser -prefsHandle 3980 -prefMapHandle 3976 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7368cf16-92ef-42be-9389-f0e541d7bc6f} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" 3992 21c056d5b58 tab
    3⤵
    PID:4932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3484.6.1779333788\1318392093" -childID 5 -isForBrowser -prefsHandle 4448 -prefMapHandle 4528 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26a409c5-d4ef-40fc-abd8-ac031c9241e4} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" 4232 21c06afc358 tab
    3⤵
    PID:2208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3484.5.1173262947\1301745762" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4884 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f845c5d1-0410-4b9c-9683-8800f8f50798} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" 4632 21c0651ce58 tab
    3⤵
    PID:1596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3484.4.945551572\499437089" -childID 3 -isForBrowser -prefsHandle 4580 -prefMapHandle 4576 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9489386c-0fd5-4013-bf0f-7aed4668a187} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" 4716 21c0651b358 tab
    3⤵
    PID:4768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3484.7.29061483\1970403058" -parentBuildID 20221007134813 -prefsHandle 5684 -prefMapHandle 5668 -prefsLen 26753 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2baeb2e4-0686-4cfd-9b27-3922bad734cc} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" 5704 21c73567b58 rdd
    3⤵
    PID:4196
- - C:\Program Files\Mozilla Firefox\plugin-container.exe
    "C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel="3484.8.1989734655\618712314" "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1" -appDir "C:\Program Files\Mozilla Firefox\browser" - {144515fa-0428-4612-afb0-589983ccdff4} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" 5888 21c0807b258 gmplugin
    3⤵
    PID:2416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3484.9.2074703937\530428445" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6036 -prefMapHandle 5888 -prefsLen 26753 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c45231b3-d997-4a71-bd43-423a7091e931} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" 6024 21c068b6558 utility
    3⤵
    PID:4228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3484.10.1314587942\1282980480" -childID 6 -isForBrowser -prefsHandle 6148 -prefMapHandle 6180 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7b65275-fea7-4598-99fa-272685167f89} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" 6192 21c07d26158 tab
    3⤵
    PID:4416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\Temp1_Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.zip\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.zip\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Temp1_Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.zip\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe" & exit
  2⤵
  PID:5692
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5756

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:5532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 1608
  2⤵
  - Program crash
  PID:3152

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:6116
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5808

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
PID:5648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:5600
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:2408

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Checks processor information in registry
PID:5780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5144

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:6140
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:6024

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:6028

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:5400
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1396

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5144

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:5732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:6004

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:5324
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:6116

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:6060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:5816
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:3188

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5284
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5444

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:4976
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:6132

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5404

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:5164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4596

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:5488
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5272

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:5452
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4816

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:688

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:3016
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5312

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:3892
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5460

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:4100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1600
  2⤵
  - Program crash
  PID:544

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:5452

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:3304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4160

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Checks processor information in registry
PID:5384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:5768
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:3164

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:4592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1564
  2⤵
  - Program crash
  PID:5924

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Checks processor information in registry
PID:5676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:5580
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5916

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
PID:5216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5732
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1520

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:1004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  PID:5848
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4252

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:4916
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4956

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:6092

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:1328

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:5708

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:1520

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Checks processor information in registry
PID:5408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:2456
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5532 -ip 5532
1⤵
PID:5516

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5520
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:3320
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1932

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1424

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:5292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 484
  2⤵
  - Program crash
  PID:556

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5136
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\zalupaonline.exe" & exit
  2⤵
  PID:5312
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:2272

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Checks processor information in registry
PID:6104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:5564
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4916

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\IDTemplates\ENU\AdobeID.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5888
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:5264
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8F312A5889AF88FB12FE3F0FA8127157 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4824
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=49F85C251E203095DF7E06A892847F7E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=49F85C251E203095DF7E06A892847F7E --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5220
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=576C6A404D360A62DD253C0F1F47F10E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=576C6A404D360A62DD253C0F1F47F10E --renderer-client-id=4 --mojo-platform-channel-handle=2180 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1540
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5910B1FABEC06138A2E597BCC1715939 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5910B1FABEC06138A2E597BCC1715939 --renderer-client-id=5 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3408
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9E00F92A870FDC30A67A2BD06D2155DD --mojo-platform-channel-handle=2932 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3800
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=33F3808B7E5D0950136D53CF048F881B --mojo-platform-channel-handle=1980 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5304
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=11FE9F9A5C631522AC96210E0943DD32 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4336

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\IDTemplates\ENU\DefaultID.pdf"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4620

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\IDTemplates\ENU\AdobeID.pdf"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:648

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\IDTemplates\ENU\DefaultID.pdf"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:6036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5920

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3404
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\IDTemplates\DEU\AdobeID.pdf
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5292 -ip 5292
1⤵
PID:5340

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:3668
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5460

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:5596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:5640
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5004

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:4668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1604
  2⤵
  - Program crash
  PID:4696

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Checks processor information in registry
PID:6028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4480

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Checks processor information in registry
PID:6080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:688
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1664

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Checks processor information in registry
PID:5236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:5200
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1540

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Checks processor information in registry
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:4236
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:568

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:5336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 1616
  2⤵
  - Program crash
  PID:5328

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Checks processor information in registry
PID:5208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5304

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Checks processor information in registry
  PID:1044
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:976

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:5712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1244

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:5988
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4424

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Checks processor information in registry
PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:5172
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5648

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:2136
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:3984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1788

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
PID:5320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:5364
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4668 -ip 4668
1⤵
PID:5544

C:\Users\Admin\Desktop\zalupaonline.exe
"C:\Users\Admin\Desktop\zalupaonline.exe"
1⤵
- Checks processor information in registry
PID:1212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:2828
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4672

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
- Loads dropped DLL
PID:1524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:5540
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5304

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
PID:4776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1588
  2⤵
  - Program crash
  PID:5824

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
PID:5848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:4476
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5728

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:6136
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:1364
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1376

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:5828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:2640

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:4604
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:3320

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:5152
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1396

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
PID:5988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 1596
  2⤵
  - Program crash
  PID:5768

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
PID:4668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1572
  2⤵
  - Program crash
  PID:3184

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
PID:5068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:3300
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4252

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
PID:232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1564
  2⤵
  - Program crash
  PID:5212

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
- Checks processor information in registry
PID:4200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4620

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
PID:3384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:3128
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5632

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
- Loads dropped DLL
PID:1288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:6100
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1020

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
PID:948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 1592
  2⤵
  - Program crash
  PID:1820

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:5604
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5772

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
- Checks processor information in registry
PID:5536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:516
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5840

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
PID:3900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1564
  2⤵
  - Program crash
  PID:5340

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
- Checks processor information in registry
PID:5760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5656

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
- Checks processor information in registry
PID:5816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Checks processor information in registry
  PID:2136
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:812

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
PID:1044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1940

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
- Checks processor information in registry
PID:5812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:684
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:2456

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
PID:4264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1592
  2⤵
  - Program crash
  PID:5344

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
- Checks processor information in registry
PID:2132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4596

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
PID:2296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Desktop\snouden.exe" & exit
  2⤵
  PID:4296
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4604

C:\Users\Admin\Desktop\snouden.exe
"C:\Users\Admin\Desktop\snouden.exe"
1⤵
PID:5544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5336 -ip 5336
1⤵
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 232 -ip 232
1⤵
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4100 -ip 4100
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5988 -ip 5988
1⤵
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4592 -ip 4592
1⤵
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4668 -ip 4668
1⤵
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3900 -ip 3900
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 948 -ip 948
1⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4264 -ip 4264
1⤵
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4776 -ip 4776
1⤵
PID:4976

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\run.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\run.cmd" "
1⤵
PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\run.cmd" "
1⤵
PID:1936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\run.cmd"
1⤵
PID:3652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\run.cmd""
  2⤵
  PID:6040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\run.cmd""
  2⤵
  PID:5220

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\run.cmd
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4820

C:\Users\Admin\Desktop\ssssss.exe
"C:\Users\Admin\Desktop\ssssss.exe"
1⤵
PID:3176

C:\Users\Admin\Desktop\ssssss.exe
"C:\Users\Admin\Desktop\ssssss.exe"
1⤵
PID:3492

C:\Users\Admin\Desktop\ssssss.exe
"C:\Users\Admin\Desktop\ssssss.exe"
1⤵
PID:5780

C:\Users\Admin\Desktop\ssssss.exe
"C:\Users\Admin\Desktop\ssssss.exe"
1⤵
PID:1072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
PID:3852

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\02339253834069252628486773

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\50313481452516006703494248

Filesize
512KB

MD5
2005a0147238fbde6fb1d8291ebb18f6

SHA1
290a2dd7fc79ce767abd59228d127a69eca3d0b6

SHA256
6de86601b524a0db7e82c6fde31f5dd10d42d6dafa36a296050d0daaf1e7b2e4

SHA512
e8df6090c178fa3e4cf1388b78ee178c2f0fa50b5998a97bacd10412754d7f13002a62a05d2a345d2f4e95a111c052fde11fc89e3b3a85dc4c86ce3f4f9adbb5

Download Submit
C:\ProgramData\63692900637084924352481843

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\77786603606953750940207169

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
c1166691edde0e7d25d85b7a9e793919

SHA1
0386d27f822da4cf521156e31433f93253069ec2

SHA256
94c36b4c914fe3873c9232f9bb512f0005233afb609d29f7b8732875f6fa1ca0

SHA512
0103881ed540c4c1995c68bd5f4704a16beacd6243106f8c9aef759adadef59dbb7f526a00841de71c0d978ac6e73d6e4b268fbfe5c2ae27d61914a74c36a277

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
965e643d41d2bc128e3bcd222b366534

SHA1
a580ba9f4551dcb826fd64df155e84441ab3d38f

SHA256
646fe5ec9d6610c10506e3010199e474439ff35d4ea3b978b8b0aa768f3c94b0

SHA512
410f71e75046b52ec5f22aa49660f75f75593b79c050c8ce8eed9e7e7d00b6938f2f784a1007be9618c8bb30b15fb1ee855845ef91303f2c69e7b09299fe3153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

Filesize
1KB

MD5
fc9db7199a674e2dfebc7e727d99a9d9

SHA1
fc5223fb3a5aac2efc351a2e88bd21da775e011c

SHA256
6ed39986a4c889fde041b1a1a765a9c9010afbbea45be0ae01b0e54008e7a8a1

SHA512
518b5b1b8438387dd48c98b141221b33fca64cf1407e007c04f395607c6eb59d3df203290015e40b87767dd4c9f66c50de5b94b8e841808cbecfc48dea085d4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
dc9cff177000842f2a6012e44187a7ac

SHA1
d21b0e775cc8da0aa8ff411a9fca7d824d9c9d9e

SHA256
42ec597f23785bd1abab286493d81952a9484684bca351c01e711cca2fae0d40

SHA512
7631b223d6af02e592630e758fa368bc1fd6895f9f0bbe611bffd9df73bcfb7c8c0b0b03f87c727809e24174c88b7b40648da45426dce33e36576b4490a6b652

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
e1c257d0d959f7c70d396aefec758339

SHA1
c9dc82aabd35af9532e4b4d8a2456c1b0852515e

SHA256
81928743354a97b111ecf9b24dcb556d8ffd7b3bf870ab806faf5fcdc08677b4

SHA512
8edd22b0b9d326c56e279efd731dae0f162666816fc4efed173d7ee9c0f3dc36d41afecc2612d4935a05a6a022ff744d6e054b22d5b252ea1617a59bacc5b609

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

Filesize
474B

MD5
627156b28f18592dbdbbd9b2a8cbef01

SHA1
1f9f108ce215dd8440e09e6a17e728896a062b00

SHA256
bd684443be4e189c281194fbb66b19b298771ba68383cb5efb7075a3ddeb714f

SHA512
af6a82050796dde27dfc3f383991bd853012f82736b22ff546832adac2a390e0f117199d9c2cd8fb9460c9a17888406e3788f69d83ae3e3c60a0177310eb11e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
d0604f41aeab0bb36948899c65af92ab

SHA1
9b4b45be6a89d2ed8a3d56176621f9e9501670ae

SHA256
27e9df0cbc1e8fedf05ae04aff3cc50104a77f1f2f879b9696ffc19b145e5b10

SHA512
d0e0d1793f756a2e3677c3b0aa0b40eabaf024f3a3740d38e2d6eba2dfaa939ecd613aa0919478d8fba2b73decc3efda02d764c1b83f7da42a7247d4e9d488d0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
144KB

MD5
11731f209e70be459c2c2c8c4d4f0f7d

SHA1
bf673c070086c2fcf56f6331fa4aa444a933ab3a

SHA256
fbd6bd29903520b1559f28ab8646b4a94d5587bef6b8fea9a4ac21e1bd37709b

SHA512
e698133952dc252186202edf376f8c31adc3b9ccd47775d1095f2c224e8bafa9388465549ff900230ac1281302a32f44d25ec0b54638cb175c7c179e75630195

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\doomed\13370

Filesize
54KB

MD5
4d940622140fd281d6259b1061893ac9

SHA1
1645a71cc5552150d7fdf767188d4782ef6ed3f5

SHA256
badb1ef52c1b8411cfe31c9ba00a2256ea5dd7f7a8266d12b1e55fe3a5c649c5

SHA512
6bc1f81d80272add13d0669db63ddc20108a714a88744b46e347b9c6be8eed8365186809e4a84434e1c9af060f5f4b7407f6f8b6c5f849e7bbe97e6af6f2431b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\doomed\17309

Filesize
51KB

MD5
02b53d4cdd61704a06b6eb213bb3ef20

SHA1
3bd87ac501be5935f8cad575da3d93268c0a54a3

SHA256
a28524d6b28d4ac784213eb9fbaa754f1b64801c5583d8699c9f2424d0f4ecca

SHA512
760c40a2f78f3613e6955849c5dcfbf2db83934c33fef61f844c8647c80f04d60db2f6335022af78c368179fd67bece2e5abbeed35af95cc9909018db27f1673

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\58D46C4012E4AD3623A4EA72BB3C1CDD25B3FF87

Filesize
14KB

MD5
8653aab57ccf66b833df96fd70d40a73

SHA1
7b267316086c1b1fb948bb91391d71613fcf7b99

SHA256
145c98325d2f41c8d7abc54c2aceb605722cc9635d2dec08890b2e24e2aac914

SHA512
ad1dfdcbb5517924b30a4701dd7c8d2548e22c43d02c1368cb15b1c721cfc8d5777b207d61350be278723b0629b03afe478b141f2c1029de3d6afeb84ca0545a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u0xil10l.sb2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
12KB

MD5
978605dc0bcb5690aa5331e7901d4765

SHA1
b3fb332de57e9af02edd4a19f55f9957ff93718f

SHA256
920b5f1c1b6ba82899af6883e001d6a26bc522756f0167a71b79ae85b30f2917

SHA512
322cba84a1336a47903b1a9ade1d91984656118ef48ccdb42d9bcb6fcfcdcfdf484a8bd6a516c334f8ed75c3a19f9b743e344b03cacadc20b1de8836b4e3f35e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
12KB

MD5
71afad77c99257fd48187cd473482f70

SHA1
8e4abb105ef3d54e5368a60089e12529e9a20d88

SHA256
29223ec891e4bb895b84f05b7a9f0a71bb621c8e39ce86afa4881e573075e8cc

SHA512
f39337a0f98a2d3b1a7557eba3ff06ea6fdb9be276ba9d84ff90bd00d212035df51790c067d9b5f1fe12a0ba882be7eb0a7febc6c8258a1433574cae754a3104

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\cookies.sqlite

Filesize
512KB

MD5
2005a0147238fbde6fb1d8291ebb18f6

SHA1
290a2dd7fc79ce767abd59228d127a69eca3d0b6

SHA256
6de86601b524a0db7e82c6fde31f5dd10d42d6dafa36a296050d0daaf1e7b2e4

SHA512
e8df6090c178fa3e4cf1388b78ee178c2f0fa50b5998a97bacd10412754d7f13002a62a05d2a345d2f4e95a111c052fde11fc89e3b3a85dc4c86ce3f4f9adbb5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
b597b37bfd9607e503ac7c12fd016e0d

SHA1
4041c119968a788c1f49e6e4800994995f095456

SHA256
6a8b5c9fdc97e1fabe66be9c646df13728b0b4f5b0a2d8b4a8fb9810c42ab2d6

SHA512
baaeaf04fff452dfc371aa31ea3ec49f37ada2cd3e3511a5b6b61adc7d370e709bab05478289a5b0be78b2bb28964dd5843b41f256ca657e13476caa6c4509c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
3032ebb2e85a2987039dc6f8d54c826d

SHA1
0898270256dfcabbccb4bba26654233307462b3e

SHA256
f495f638f50cd955b59fb9e91ea33fc7aca81182ae4387dc9e64bdfc3997f392

SHA512
31d7674d66b9547eac45fbe81688aa0111a303d638fde785e8f75df8a51961ab67265dbb489a82f2247c74ff0e826ac4c959f6ca4aefe32df190a271fe1d4b37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
2e20a8b5d8d2d250f3cccd10107afb0d

SHA1
b9e2d5602ac2aaef76da654f5024ddada471561b

SHA256
b7086d848a8a0569b90a3cafe064b285d64a08aeeb2d441497a85d82cc44bbaf

SHA512
68d33bfe20a503215d9d50c5df05da0508701287175ec38dc19c8250ab250c6b29535300c6e363d7d0bb0d0f88a357f4e81c08bbcab4057696a93e2e1f073e28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
f876ae86a3e91e15b9f88861217ea8b8

SHA1
1d812d54a830709e0bde93f76472e07e70965170

SHA256
43bace2921a61d364cf6615b7feb3e345bb268bd4480a3d5e52594e79d7f1b5a

SHA512
3d47e238395ce1224f75173697685d1cf38163755f8293811cc4e0d152e1e58cfab19b1c945abb6c9aa3835aa618dbdfeea08d80c2b179fe911bb05b20e4686f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
7KB

MD5
393b7fd8019803e03ffeaf10487c2d13

SHA1
2cc6f552b77e34ca62f20812d945d9fd784de0b5

SHA256
781de30fe059ee7bde408932e9f0d11da94feb0fdb665506dda7c68598428349

SHA512
66ae5c434b0cc177ff5402e2c4e7e29e053d9665de456f84bc1ff027a2d69fc8733ac9f8a98976046402eedf92282564f2a25cb1b79799a9249b62dd105acf64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
7KB

MD5
1d7ba588c0a47aeec50ed8a28e0cbaa2

SHA1
37c48412095d15e449e0b144fcc768d602ad94a6

SHA256
fd3ef367d11faad013bfd0e90d371a130153c989b47aab86b11482bc9532e168

SHA512
f63eb3805951c79ca927522374e0780bb3c0d4e57175670f01c9e8d3c46d815c61fdb932fb21a20433e420cd58b0394f94e131e03f8f24cbb3f7b96587eda905

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
9KB

MD5
dd93077504914697d045db169f613a0e

SHA1
f3ca35d73a9e1450a3cb408f093bb5ecf557449d

SHA256
7f6f84083a39427827f7f124a48bb5e25bf971cf9a02106dfbd0232ff9e19b51

SHA512
7e79a1e51a657e163410e17ca66cb0b435f3aac463b021a3e8f0e41925894ac037795e11656df42e2c258299b3b1347109bb8bbe33d39411f4b31b80298c89c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
10KB

MD5
3ed4c55ccd2c5a8f157c0478e7032d83

SHA1
f30a55d2360ddf80e2292b738dc5577fc4d812ee

SHA256
b8b46dd9740a8b4e736340ddec5d70c2e5066e8b74b9d69d9547ecc8c9b19354

SHA512
35d0efd8301f4e35a0a4e7da61f980a3a7f7b48363f19c3d21120521bd195b37c5cd04e19da5c08fc718f098f44ef8655b3dacd295170eac42b33f58cbf08202

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
10KB

MD5
07ff74b32142c6ff954a7f8ae56e4ccf

SHA1
ce0d1ead0abbd2a73b12247c8ea5efd1bb4d59dd

SHA256
ac376bbe3cb83010bb04ac2753618caaaf20904872c9afbaed027f4fb1e8f86f

SHA512
c697d715083534cbb2864c1a19412b343cf15442744ca11dd22d577e49cd06dbb3d4a5a2b28b259a34f11e556ac65e8eeaae57546178f98dc957853c1f1eeb16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
10KB

MD5
630cd1530c51eae12dcc290edb4dd109

SHA1
b21e7b43ede22123e913ff7ec7b05b25644c8f12

SHA256
b1a6c767a651fe7220813ec5fb4e3ba06805ff03254bc856565d69fe9e90f8f2

SHA512
8f6bfe04737890e21e94ab2e1e464d5b60cd366701557d9e9b54525283ad75cfb50f7e6c7d247d31fa9865a1bb64ee1c47f2d73e0702d33f09478a8c15b7f314

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
7a38a264698c51844009b01bdd829843

SHA1
655764487e94f2aedb0211eec2c2a99b579489a8

SHA256
a67c37e3638140484bfc8535f0ce2d551c2cdc392d956608546fde18fff418ae

SHA512
400464958570d87e2e6e723ab9910d8e60a786244a2d92a89a0c52af0b47c64927f6e1a91f74a0cdb8f355443865917b18cddeb8f9a64ac422dfa009ef3c7348

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
7KB

MD5
b59d600e4698145bde50407ab5eebe53

SHA1
1836690049022ab62adde0461b460ed7d6b2ef28

SHA256
9e56d33151c822a7dbfda381b4e53976410fc8b2671900f10aa2cc8255c1aeaa

SHA512
1f270b8da1c0cb46537d2deac21df3116984a88784f602496437b8523a4f98694c9e1cc5a829c933afc506edd2560bcfb2893303d9f73b87822caa1ff501c028

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js

Filesize
6KB

MD5
f73e52d124620d05267ba934f3b312d3

SHA1
34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30

SHA256
fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7

SHA512
4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
413abd49fba2ee9d36fc92257727b588

SHA1
e768ca09087320ed22d564908c15355f4195e30e

SHA256
56ed2132b6f7feb7bba7263fded7866b582e7000cf1f20ff5c5ee97a9384cd25

SHA512
fc9d18d9ce36bfbaadba6bf14f9e1a9d484e9c528acca0969ecb8b14f7473f4ff1c0f00c274f3c03dca86735b40b93ed2e9ebe10c64778a181be621df71c1505

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
2c73cd8dc2867acae141ee2bb72bc017

SHA1
76e7b78392536865ec06d5004098d577fc7c1dc3

SHA256
01ba7a1f43d1bd858ff074df4510b0d340554b37b543401e05badc05c0e7abb2

SHA512
ddd1393cc85ae360eaa8f9bf381b747689575e02455c5ba8903f8c3f3a5c5aeffeb294452642c97c56100255aafab878e058ea72d78af12e7e92837d1c168fe8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\storage\default\https+++www.dropbox.com\idb\2146889975aspceixrMte.sqlite

Filesize
48KB

MD5
905fe934dec8f9f947d51cde84106943

SHA1
18c6329fc7b2123cb4165023249246765a97b1a0

SHA256
91d22f29b5711a47b987ce7470118f22d0c3bd286bfc2a68620a109d5cae17c1

SHA512
34b4e134f93b133665a3b3fe985f855659893923cbd530737399839da1f712d267dbb70ddca4a4c5e208e2667c918e89b4c354816d8adc3b6dd5f91f7d2e926d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\storage\default\https+++www.dropbox.com\idb\2243825010udneus.sqlite

Filesize
48KB

MD5
ea3865817f14992e16c9e2bacd3a9eb2

SHA1
7b9788b7b5290b8213ed51c896ae1cde35d37ad4

SHA256
2f3c5c921f452c7443fd245cda9dfc7ea499788e28ce5f033dc692e48444a25c

SHA512
0f7d7e0c1562e0a133ed2fe8e7f751d78e7821807394b133f2f9b2aa7f27cb135cc2e6ec7a438f2d7d01063fb3d741517d5ebd8b4814aa0a0c874e859a12f90e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
456KB

MD5
a558aa3a38607d174808611c833439a3

SHA1
d63f4dde2362b04313b510b2a6d840e47cc870d2

SHA256
c7cf5b8b04a2cbeb11bd03c2f88c6b16b18675238b935ee2c198e53e994c5128

SHA512
74f6e46a2033e823d27f91da1bcaad308b6de337d84853dd082984dd6c3a6eb140b69a1ff62c424b2c4727c46da827d56e3f0975b189545f6e31f462f69e6ab8

Download Submit
C:\Users\Admin\Downloads\Zafiro EA MFF v1.UwLHqJNI.13 + Zafiro EA FTMO v1.13.zip.part

Filesize
47KB

MD5
26f4a86a7c19e7011eda9ddfe0640218

SHA1
7cbc57a75b2fb01275729c43b57da75cd1701aaf

SHA256
a41dab1a1481510fdbb3fca98500471baf2fa3df2fa21c618e8532e789232a67

SHA512
02f17aaa35dd6e14474b84bc0e983c0e69ff6c61e3cb2a244505007e828e91b06932e57229a8bf183157298a501799b22b400c0f966feb49dceef82b6937c11e

Download Submit
memory/2196-1402-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download
memory/2416-509-0x00007FFD7A900000-0x00007FFD7B900000-memory.dmp

Filesize
16.0MB

Download
memory/3800-1073-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3800-1036-0x0000000000D30000-0x0000000001481000-memory.dmp

Filesize
7.3MB

Download
memory/5136-1411-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download
memory/5284-1343-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download
memory/5532-1330-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download
memory/5600-1344-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download
memory/5648-1352-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download
memory/5732-1345-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download
memory/5752-1346-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download
memory/5780-1356-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download
memory/5860-8312-0x0000029BB48C0000-0x0000029BB48D0000-memory.dmp

Filesize
64KB

Download
memory/5860-8334-0x0000029BB48C0000-0x0000029BB48D0000-memory.dmp

Filesize
64KB

Download
memory/5860-8129-0x0000029BB48C0000-0x0000029BB48D0000-memory.dmp

Filesize
64KB

Download
memory/5860-8145-0x0000029BB4830000-0x0000029BB4874000-memory.dmp

Filesize
272KB

Download
memory/5860-8151-0x0000029BB4D90000-0x0000029BB4E06000-memory.dmp

Filesize
472KB

Download
memory/5860-8153-0x0000029BB48C0000-0x0000029BB48D0000-memory.dmp

Filesize
64KB

Download
memory/5860-8135-0x0000029BB4790000-0x0000029BB47B2000-memory.dmp

Filesize
136KB

Download
memory/5860-9198-0x0000029BB4880000-0x0000029BB489E000-memory.dmp

Filesize
120KB

Download
memory/5860-8152-0x0000029BB48C0000-0x0000029BB48D0000-memory.dmp

Filesize
64KB

Download
memory/5860-8335-0x0000029BB48C0000-0x0000029BB48D0000-memory.dmp

Filesize
64KB

Download
memory/5916-1347-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download
memory/6000-1382-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download
memory/6032-1383-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download
memory/6060-1390-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download
memory/6104-1409-0x0000000000710000-0x0000000000E61000-memory.dmp

Filesize
7.3MB

Download