dcrat | 67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33

Resubmissions

04-10-2024 18:01

241004-wl132axhpm 10

22-04-2024 20:52

27-02-2024 22:40

03-01-2024 09:53

29-12-2023 23:48

Analysis

max time kernel
70s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

078192e792b12a8d9980f364e110155c.exe
Size

8.7MB
MD5

078192e792b12a8d9980f364e110155c
SHA1

89596e27530eeccd6ad9644aa045e8e0499301a1
SHA256

67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33
SHA512

72a2f85f8aa87fed3b84641bfc4ecde195588837da52553871b9aa917b26c073fea973d2e521290ac08ef6907a21677ebf7bb7886ddef3996625cc81855c0bbc
SSDEEP

196608:UYE5OOysmxHcbDvsAKhZcIGijUtw+cs3Ax9stqFiRtHTV3hZF:XE5OOSuszcTtwp1s8gRtHT5J

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

ffdroider

http://186.2.171.3

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

raccoon

Version

1.7.3

Botnet

92be0387873e54dd629b9bfa972c3a9a88e6726c

Attributes

url4cnc
https://t.me/gishsunsetman

rc4.plain

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files.exe	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3916-140-0x0000000000400000-0x000000000060D000-memory.dmp	family_ffdroider
behavioral1/memory/3916-1265-0x0000000000400000-0x000000000060D000-memory.dmp	family_ffdroider
behavioral1/memory/3916-1970-0x0000000000400000-0x000000000060D000-memory.dmp	family_ffdroider

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4044-178-0x00000000051F0000-0x0000000005B16000-memory.dmp	family_glupteba
behavioral1/memory/4044-184-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba
behavioral1/memory/4044-211-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba
behavioral1/memory/4044-222-0x00000000051F0000-0x0000000005B16000-memory.dmp	family_glupteba
behavioral1/memory/2484-1264-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba
behavioral1/memory/2484-1369-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba
behavioral1/memory/2484-1398-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba
behavioral1/memory/5936-1445-0x0000000005700000-0x0000000006026000-memory.dmp	family_glupteba
behavioral1/memory/5936-1446-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba
behavioral1/memory/5936-1450-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba
behavioral1/memory/5936-2011-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Complete.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Complete.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Complete.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Complete.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Complete.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Complete.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Complete.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Complete.exe

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4888 4808 rUNdlL32.eXe
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4808	rUNdlL32.eXe

Raccoon Stealer V1 payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5656-1390-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/5656-1391-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/5656-1393-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/5656-1394-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/5656-1984-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4848-128-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/4488-190-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4284 netsh.exe

pid	process
4284	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

078192e792b12a8d9980f364e110155c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	078192e792b12a8d9980f364e110155c.exe

Executes dropped EXE 17 IoCs

Processes:

Files.exeKRSetp.exeInstall.exeBackgroundTaskHost.exeInfo.exeInstall_Files.exepub2.exejamesdirect.exejfiag3g_gg.exeComplete.exemd9_1sjm.exeFolder.exejfiag3g_gg.exeInfo.exejamesdirect.execsrss.exeinjector.exe

pid	process
3912	Files.exe
1128	KRSetp.exe
4284	Install.exe
4552	BackgroundTaskHost.exe
4044	Info.exe
4136	Install_Files.exe
456	pub2.exe
4512	jamesdirect.exe
4848	jfiag3g_gg.exe
1776	Complete.exe
3916	md9_1sjm.exe
1444	Folder.exe
4488	jfiag3g_gg.exe
2484	Info.exe
5656	jamesdirect.exe
5936	csrss.exe
6944	injector.exe

Loads dropped DLL 1 IoCs

Processes:

WerFault.exe

pid process

4648 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4648	WerFault.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
behavioral1/memory/4848-128-0x0000000000400000-0x000000000045B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
behavioral1/memory/4488-190-0x0000000000400000-0x0000000000422000-memory.dmp	upx

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
behavioral1/memory/3916-134-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect
behavioral1/memory/3916-140-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect
behavioral1/memory/3916-1265-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect
behavioral1/memory/3916-1970-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Files.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WildStar = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

Drops Chrome extension 1 IoCs

Processes:

netsh.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json	netsh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

45 iplogger.org
49 iplogger.org
54 iplogger.org
27 iplogger.org
29 iplogger.org
34 iplogger.org
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
12 ipinfo.io
14 ipinfo.io
22 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

jamesdirect.exe

description pid process target process

PID 4512 set thread context of 5656 4512 jamesdirect.exe jamesdirect.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

Info.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN Info.exe
Drops file in Windows directory 2 IoCs

Processes:

Info.exe

description ioc process

File opened for modification C:\Windows\rss Info.exe
File created C:\Windows\rss\csrss.exe Info.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4288 4648 WerFault.exe rundll32.exe
4648 456 WerFault.exe pub2.exe

flow	ioc
45	iplogger.org
49	iplogger.org
54	iplogger.org
27	iplogger.org
29	iplogger.org
34	iplogger.org

flow	ioc
7	ip-api.com
12	ipinfo.io
14	ipinfo.io
22	ipinfo.io

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

description	pid	process	target process
PID 4512 set thread context of 5656	4512	jamesdirect.exe	jamesdirect.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	Info.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe

pid	pid_target	process	target process
4288	4648	WerFault.exe	rundll32.exe
4648	456	WerFault.exe	pub2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

744 schtasks.exe

pid	process
744	schtasks.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exexcopy.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

GoLang User-Agent 4 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	126	Go-http-client/1.1
HTTP User-Agent header	157	Go-http-client/1.1
HTTP User-Agent header	158	Go-http-client/1.1
HTTP User-Agent header	162	Go-http-client/1.1

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2548 taskkill.exe

pid	process
2548	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exemsedge.exemsedge.exejfiag3g_gg.exeidentity_helper.exeInfo.exe

pid	process
456	pub2.exe
456	pub2.exe
2736	msedge.exe
2736	msedge.exe
1652	msedge.exe
1652	msedge.exe
4488	jfiag3g_gg.exe
4488	jfiag3g_gg.exe
3484	identity_helper.exe
3484	identity_helper.exe
4044	Info.exe
4044	Info.exe
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3508
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

456 pub2.exe

pid	process
3508

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exechrome.exe

pid	process
1652	msedge.exe
1652	msedge.exe
3944	chrome.exe
3944	chrome.exe
3944	chrome.exe
3944	chrome.exe
3944	chrome.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeKRSetp.exetaskkill.exeInfo.exechrome.exeInfo.exe

description	pid	process
Token: SeCreateTokenPrivilege	4284	Install.exe
Token: SeAssignPrimaryTokenPrivilege	4284	Install.exe
Token: SeLockMemoryPrivilege	4284	Install.exe
Token: SeIncreaseQuotaPrivilege	4284	Install.exe
Token: SeMachineAccountPrivilege	4284	Install.exe
Token: SeTcbPrivilege	4284	Install.exe
Token: SeSecurityPrivilege	4284	Install.exe
Token: SeTakeOwnershipPrivilege	4284	Install.exe
Token: SeLoadDriverPrivilege	4284	Install.exe
Token: SeSystemProfilePrivilege	4284	Install.exe
Token: SeSystemtimePrivilege	4284	Install.exe
Token: SeProfSingleProcessPrivilege	4284	Install.exe
Token: SeIncBasePriorityPrivilege	4284	Install.exe
Token: SeCreatePagefilePrivilege	4284	Install.exe
Token: SeCreatePermanentPrivilege	4284	Install.exe
Token: SeBackupPrivilege	4284	Install.exe
Token: SeRestorePrivilege	4284	Install.exe
Token: SeShutdownPrivilege	4284	Install.exe
Token: SeDebugPrivilege	4284	Install.exe
Token: SeAuditPrivilege	4284	Install.exe
Token: SeSystemEnvironmentPrivilege	4284	Install.exe
Token: SeChangeNotifyPrivilege	4284	Install.exe
Token: SeRemoteShutdownPrivilege	4284	Install.exe
Token: SeUndockPrivilege	4284	Install.exe
Token: SeSyncAgentPrivilege	4284	Install.exe
Token: SeEnableDelegationPrivilege	4284	Install.exe
Token: SeManageVolumePrivilege	4284	Install.exe
Token: SeImpersonatePrivilege	4284	Install.exe
Token: SeCreateGlobalPrivilege	4284	Install.exe
Token: 31	4284	Install.exe
Token: 32	4284	Install.exe
Token: 33	4284	Install.exe
Token: 34	4284	Install.exe
Token: 35	4284	Install.exe
Token: SeDebugPrivilege	1128	KRSetp.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	4044	Info.exe
Token: SeImpersonatePrivilege	4044	Info.exe
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3944	chrome.exe
Token: SeCreatePagefilePrivilege	3944	chrome.exe
Token: SeShutdownPrivilege	3944	chrome.exe
Token: SeCreatePagefilePrivilege	3944	chrome.exe
Token: SeShutdownPrivilege	3944	chrome.exe
Token: SeCreatePagefilePrivilege	3944	chrome.exe
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeSystemEnvironmentPrivilege	2484	Info.exe
Token: SeShutdownPrivilege	3944	chrome.exe
Token: SeCreatePagefilePrivilege	3944	chrome.exe
Token: SeShutdownPrivilege	3944	chrome.exe
Token: SeCreatePagefilePrivilege	3944	chrome.exe
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3944	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

msedge.exechrome.exe

pid	process
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
3944	chrome.exe
3944	chrome.exe
3508
3508
1652	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Install_Files.exeComplete.exe

pid process

4136 Install_Files.exe
1776 Complete.exe

pid	process
4136	Install_Files.exe
1776	Complete.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

078192e792b12a8d9980f364e110155c.exeFiles.exeBackgroundTaskHost.exemsedge.exe

description	pid	process	target process
PID 3924 wrote to memory of 3912	3924	078192e792b12a8d9980f364e110155c.exe	Files.exe
PID 3924 wrote to memory of 3912	3924	078192e792b12a8d9980f364e110155c.exe	Files.exe
PID 3924 wrote to memory of 3912	3924	078192e792b12a8d9980f364e110155c.exe	Files.exe
PID 3924 wrote to memory of 1128	3924	078192e792b12a8d9980f364e110155c.exe	KRSetp.exe
PID 3924 wrote to memory of 1128	3924	078192e792b12a8d9980f364e110155c.exe	KRSetp.exe
PID 3924 wrote to memory of 4284	3924	078192e792b12a8d9980f364e110155c.exe	Install.exe
PID 3924 wrote to memory of 4284	3924	078192e792b12a8d9980f364e110155c.exe	Install.exe
PID 3924 wrote to memory of 4284	3924	078192e792b12a8d9980f364e110155c.exe	Install.exe
PID 3924 wrote to memory of 4552	3924	078192e792b12a8d9980f364e110155c.exe	BackgroundTaskHost.exe
PID 3924 wrote to memory of 4552	3924	078192e792b12a8d9980f364e110155c.exe	BackgroundTaskHost.exe
PID 3924 wrote to memory of 4552	3924	078192e792b12a8d9980f364e110155c.exe	BackgroundTaskHost.exe
PID 3924 wrote to memory of 4044	3924	078192e792b12a8d9980f364e110155c.exe	Info.exe
PID 3924 wrote to memory of 4044	3924	078192e792b12a8d9980f364e110155c.exe	Info.exe
PID 3924 wrote to memory of 4044	3924	078192e792b12a8d9980f364e110155c.exe	Info.exe
PID 3924 wrote to memory of 4136	3924	078192e792b12a8d9980f364e110155c.exe	Install_Files.exe
PID 3924 wrote to memory of 4136	3924	078192e792b12a8d9980f364e110155c.exe	Install_Files.exe
PID 3924 wrote to memory of 4136	3924	078192e792b12a8d9980f364e110155c.exe	Install_Files.exe
PID 3924 wrote to memory of 456	3924	078192e792b12a8d9980f364e110155c.exe	pub2.exe
PID 3924 wrote to memory of 456	3924	078192e792b12a8d9980f364e110155c.exe	pub2.exe
PID 3924 wrote to memory of 456	3924	078192e792b12a8d9980f364e110155c.exe	pub2.exe
PID 3924 wrote to memory of 4512	3924	078192e792b12a8d9980f364e110155c.exe	jamesdirect.exe
PID 3924 wrote to memory of 4512	3924	078192e792b12a8d9980f364e110155c.exe	jamesdirect.exe
PID 3924 wrote to memory of 4512	3924	078192e792b12a8d9980f364e110155c.exe	jamesdirect.exe
PID 3912 wrote to memory of 4848	3912	Files.exe	jfiag3g_gg.exe
PID 3912 wrote to memory of 4848	3912	Files.exe	jfiag3g_gg.exe
PID 3912 wrote to memory of 4848	3912	Files.exe	jfiag3g_gg.exe
PID 3924 wrote to memory of 1776	3924	078192e792b12a8d9980f364e110155c.exe	Complete.exe
PID 3924 wrote to memory of 1776	3924	078192e792b12a8d9980f364e110155c.exe	Complete.exe
PID 3924 wrote to memory of 1776	3924	078192e792b12a8d9980f364e110155c.exe	Complete.exe
PID 3924 wrote to memory of 3916	3924	078192e792b12a8d9980f364e110155c.exe	md9_1sjm.exe
PID 3924 wrote to memory of 3916	3924	078192e792b12a8d9980f364e110155c.exe	md9_1sjm.exe
PID 3924 wrote to memory of 3916	3924	078192e792b12a8d9980f364e110155c.exe	md9_1sjm.exe
PID 4552 wrote to memory of 1444	4552	BackgroundTaskHost.exe	Folder.exe
PID 4552 wrote to memory of 1444	4552	BackgroundTaskHost.exe	Folder.exe
PID 4552 wrote to memory of 1444	4552	BackgroundTaskHost.exe	Folder.exe
PID 3924 wrote to memory of 1652	3924	078192e792b12a8d9980f364e110155c.exe	msedge.exe
PID 3924 wrote to memory of 1652	3924	078192e792b12a8d9980f364e110155c.exe	msedge.exe
PID 1652 wrote to memory of 1240	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 1240	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 556	1652	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\078192e792b12a8d9980f364e110155c.exe
"C:\Users\Admin\AppData\Local\Temp\078192e792b12a8d9980f364e110155c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:4848
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4488
- C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    PID:3532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2548
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
    3⤵
    - Enumerates system info in registry
    PID:5296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3944
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcf0279758,0x7ffcf0279768,0x7ffcf0279778
      4⤵
      PID:5340
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=336 --field-trial-handle=1892,i,13255658468134813305,18105608771101043827,131072 /prefetch:2
      4⤵
      PID:5368
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3624 --field-trial-handle=1892,i,13255658468134813305,18105608771101043827,131072 /prefetch:1
      4⤵
      PID:5760
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3500 --field-trial-handle=1892,i,13255658468134813305,18105608771101043827,131072 /prefetch:1
      4⤵
      PID:5748
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1892,i,13255658468134813305,18105608771101043827,131072 /prefetch:1
      4⤵
      PID:5632
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1892,i,13255658468134813305,18105608771101043827,131072 /prefetch:1
      4⤵
      PID:5648
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2240 --field-trial-handle=1892,i,13255658468134813305,18105608771101043827,131072 /prefetch:8
      4⤵
      PID:5680
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2140 --field-trial-handle=1892,i,13255658468134813305,18105608771101043827,131072 /prefetch:8
      4⤵
      PID:5428
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4052 --field-trial-handle=1892,i,13255658468134813305,18105608771101043827,131072 /prefetch:1
      4⤵
      PID:4532
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
    3⤵
    - Executes dropped EXE
    PID:1444
- C:\Users\Admin\AppData\Local\Temp\Info.exe
  "C:\Users\Admin\AppData\Local\Temp\Info.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\Info.exe
    "C:\Users\Admin\AppData\Local\Temp\Info.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:1208
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Drops Chrome extension
        
        PID:4284
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe /94-94
      4⤵
      Executes dropped EXE
      Manipulates WinMonFS driver.
      Modifies data under HKEY_USERS
      PID:5936
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:744
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        
        PID:6944
- C:\Users\Admin\AppData\Local\Temp\Install_Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Install_Files.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4136
- C:\Users\Admin\AppData\Local\Temp\pub2.exe
  "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:4648
- C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
  "C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
    C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
    3⤵
    - Executes dropped EXE
    PID:5656
- C:\Users\Admin\AppData\Local\Temp\Complete.exe
  "C:\Users\Admin\AppData\Local\Temp\Complete.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
  "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rPS67
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    3⤵
    PID:3692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
    3⤵
    PID:556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:4944
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
    3⤵
    PID:4256
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4580 /prefetch:8
    3⤵
    PID:5416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
    3⤵
    PID:5152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
    3⤵
    PID:6120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
    3⤵
    PID:1268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
    3⤵
    PID:1752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:5784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:6200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7522666139007649840,3347739027740747809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
    3⤵
    PID:6208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcee2046f8,0x7ffcee204708,0x7ffcee204718
1⤵
PID:1240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:736

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:4888
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 600
    3⤵
    - Program crash
    PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4648 -ip 4648
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 456 -ip 456
1⤵
PID:2520

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
672b315b1264446d398173db64490880

SHA1
1f9393103c0e89838e5867ff1ff90f6c8ce34a5e

SHA256
73823680f745130c767c611726eda5250a118ef75305272786e200257082f08a

SHA512
6bc07f83440189ed557d0d4a3a4d1e3c6b026aab242e47372c8de1d91bb3779f7f456bd2ccea0503e92aaec605fd62e100a685057a4c51beb73ef78d63da9a60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\background.js

Filesize
15KB

MD5
ea3be1d9d46a81e327735145aa05492d

SHA1
dfb4c3ed2009a4d44c841945ef422b3687a83fdd

SHA256
a82cbaeffb3637b22554391b3450d3948591ab3dcbd265049bf98994b5c168d1

SHA512
8076cc716112e3bf180428bfa75f2e91cebb2697d22ab5819d42d579d13c74336100881780c75f48ab531fb4bc461ed2ca1e8c40fb216162cb8abb4fa1c526f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\content.js

Filesize
14KB

MD5
dd274022b4205b0da19d427b9ac176bf

SHA1
91ee7c40b55a1525438c2b1abe166d3cb862e5cb

SHA256
41e129bb90c2ac61da7dac92a908559448c6448ba698a450b6e7add9493739c6

SHA512
8ee074da689a7d90eca3c8242f7d16b0390b8c9b133d7bbdef77f8bf7f9a912e2d60b4a16f1c934f1bd38b380d6536c23b3a2f9939e31a8ef9f9c539573387b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json

Filesize
1KB

MD5
f0b8f439874eade31b42dad090126c3e

SHA1
9011bca518eeeba3ef292c257ff4b65cba20f8ce

SHA256
20d39e65b119ed47afd5942d2a67e5057e34e2aef144569796a19825fea4348e

SHA512
833e3e30f091b4e50364b10fc75258e8c647ddd3f32d473d1991beda0095827d02f010bf783c22d8f8a3fa1433b6b22400ad93dc34b0eb59a78e1e18e7d9b05f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
64e85caefdd1c821515861f427a3fc63

SHA1
2dd6e9d415faa3ce5f8d460412d89f1643523dac

SHA256
c647170eefd402aacfbad73a4a4cd8f974917c1de486211bfdbd3b9df506291a

SHA512
afeab23c0b951ed4a39cd402e3c5c8f7d3806853e84d95fee65415573150200dabea8904b655be68eed7083c90e34342eb420945f1efdf48ceaf6a728176c4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\62132671-4c70-4edd-8766-4e109c8e86eb.tmp

Filesize
6KB

MD5
850e1dc53724deed0e24013e6d917721

SHA1
0881cc9dae57f9668476c4718db4eace4eafd52a

SHA256
d036b1c6bf836aa542b169a4a589705ff05af6c0a6b1eac0492f015ab4c77a78

SHA512
309aaabf41fadf7b96478eaf0368c6e7e8424bf03abc1be1abc12ddfbb75bc7b16a6093501644b72f395480c3be5d87767d4a8ea31ded313f0b1b05a9435911d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
260B

MD5
f64bdd78fecc24109d8df9f1fb8f32c8

SHA1
27d0e2cd85b6b5c14ac826d2983d62c4fc1b7f1a

SHA256
3a46ba6cb94d8a53dc814750e7b9053a9d32d0cc7551cc675761cf009b2fd671

SHA512
64397afc494850f7355e1f50e484d3f928205f75c92edef7ed61e73c54fbf6c66c6aa57131c3ff51abc622c3ad090f951c3d5ed09c3b013fecfb99b89b14becf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51e9247a92af573b6191f45daee872f3

SHA1
a872cf2f4a382f95139d889e6ee7a19a9bde8c3d

SHA256
2d1e78d0126437f02929941bc9c7ebb51965f9416dae2471a3f84b0625e172a5

SHA512
c59df25beeae14ef9756103ba57012498e9a68c27fc74e26af34556e7df069485f73926c653e95cd4e5fdc16aaac020eef67f328b0b3bbf277a81b8294ae0940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
47368908b7fd73f1fb5a7a67545a74a4

SHA1
7d78d7b8168105c67552c2bf3ff0a1501cb9a3e5

SHA256
8effae7461fd89c591a7f7eb20d16ba312229ee69f42dc08d63ff3115aa2d832

SHA512
60a2fc25cb5fddc71ebc6cf17231e6eb8342161fee192d8fd9bdb517a45d4a4f8b649014fad43020e1978df981462ad03acd48c3c34e71bb56ac8ad5a1a69b8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e511daf81af2c984507ac6cd34454e0a

SHA1
c34688b5cfcea61d570a98bbb5fb474a36520970

SHA256
a9d6e89729aac41b0eed2fae6a3e5253683732473eed53090fa9d40ef98a40ac

SHA512
c55b04ee3d7a346629eb95a900fc59b1905cb0f39de4733056dc929f41aa65b09e3fb0271cd7d04710dd2bb405684872dfb3b73d72e67488cdef08d6a0831641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
595524c9b15d62475479fadfea032f7a

SHA1
790b4b1ccfef9964fcfffdb0f42756093322d13a

SHA256
86661327c99d44aae1fdc8ff06680369056b5105783191956a01d1956377af22

SHA512
3ecbc591d28a5b63635b450328dd495ae9aa4d586bfef640b21112e0bd1718720d694e21fab986b83647919a7d585e5d1d5cc110e4a64736b36e477d5705bcca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
865be6032f852ff8d28547d50ae94cf4

SHA1
5b997c4ee15b723a842edb928adfe3fae99a9b79

SHA256
8ac5e921823af30ab949f509dab9e9c93256822273726cc73024987d039543c1

SHA512
aa0b0022e8726c0227ecd463f0fe4e63aafd32dcf9ae3b1290373b695832d824fbb11b074291a483e864daf4f58c8634637568fb5a5e72f7651cf678dbfae683

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe

Filesize
804KB

MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
975KB

MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe

Filesize
1.7MB

MD5
970f682974bd33a8d5f66766b5b12a6d

SHA1
2291800f9de19882bb6edf7bbc49cf0ea94c51af

SHA256
782653622f21d12f27e26df8cb0632541fc6859d3fff3059569d7b3c43ce8771

SHA512
625cdb115f670fbc860554460f8748204021ea9462ec9797be8d1567117a55389e54c15837bb8551a00dc6f38113eea2f886259a87d4ee283ee8825c7154a364

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe

Filesize
2.6MB

MD5
c19e9e6d64a7331c331aec6da816605c

SHA1
7b3dc7ea045c7cca4443743e663d16c0caa6972f

SHA256
1b6c8be025972acc5669e1df29e039e1a5ea91f7445af40be069126374e64993

SHA512
068eeb52b6471b168220e3ce14d0eccf82c686a55b2d178288f58998c7160878454f432cfd9d55bef335651c36fd17e77393d96fb488c5378bd2f1e7aea67e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe

Filesize
2.2MB

MD5
930d2a72f9bb3ae6b3ac7dcb1e745046

SHA1
bbf4d0b0e99f06fa9b7c7a31bde014a1714ca775

SHA256
ee7c6be301b52420079640f84d08e48bcdc304d02b3c1172cd30637097c97503

SHA512
912047dff3c68620376c3133e8c6f77d31f9cce096037f826a2038a27a3726aeafe1ff1d88d48366466971841eecd07ea01a024c693e16d35c03d03d40a32236

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
1.4MB

MD5
41b7c6d48d13e1a864bf2d3759e257e6

SHA1
7ee45121a927d744941651bd6673d3df21f1611b

SHA256
820c980f68378170cec0e1f2f4e2e319a07b1d030d7712ece110f579fcd1a8c2

SHA512
0ac230d6ea4f7eaf1c5dbc919e1de41416e4c5e527e0ec583135eab2067d0fcd22615d80a93f803ce327cdbb58b5b236ca47d759647b8c36a98a17a3e1504077

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install_Files.exe

Filesize
1.7MB

MD5
509b000635ab3390fa847269b436b6ba

SHA1
cc9ea9a28a576def6ae542355558102b6842538b

SHA256
7266a9d0f9a50aff61cc32794e421c4215e49e0b54c6b90e13ae05a8a8e5fc12

SHA512
c64d0cabeede0f3617d3535767637d8ffc7dc51145f2e2db48b6f720dfe76e2e897e456f91c83235b1b5c9833e468244f2fe67379c0da47b9ea045b1362cebd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe

Filesize
201KB

MD5
b70f516d57624c741cabeebb65cce996

SHA1
98c27ae9fa2742dfedcf765c5b37d7830673c2ff

SHA256
32e4d190cebe0be41e148b8863fad2c8973b1afc9d60238ac9ec1daeb1e1a2d2

SHA512
aae21583810803053b0112f720c142de570b75c41d6bb63ae7e870750678478cc7140204c1108b83fee7f53de77e5de2a9752fdff0279563ceea94c2401acf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat

Filesize
552KB

MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
03c4f648043a88675a920425d824e1b3

SHA1
b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d

SHA256
f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450

SHA512
2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad\settings.dat

Filesize
40B

MD5
1a7cdcf21794595155d9daf1ec65d8da

SHA1
40352477e8e67dcd08926c4d5904886a59ca052d

SHA256
ce57ea98de4e5bc14ef94248254970c775ec2c2e1105acf460333f725b3366f3

SHA512
3e1c27fc5dd19282fbaec773dd87077fe1749a450b2ee15bf001548751cc6293025e3454482706126131febb642021ae655350bbe8d43c5cd057b73708241895

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\36c48056-9b71-421f-8c1b-9429afdd140b.tmp

Filesize
18KB

MD5
78f02d56c5910d31065a4af4e7026d5e

SHA1
8e4dd06d049bc8e36412f411384b8998dfa78842

SHA256
f414c49bc22ef2b21508544d277957b1889adee01e66d8f42afd150392678d01

SHA512
125d0b180a7fe35784e542a06b99d40f98861dfe0e9ec71ba78ccebb6775b91dc44f589aaa7bffe48cc1d61962a5643efc83332ea4155601b3dfefd555f4b0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
fdd72fb20b018045a0caaa49c02298c6

SHA1
b6aecd69ab69707f29aaaf1d2c92c262afd64a0d

SHA256
b4ff3350f55c3b5a125ce68f6644041eaf033d7a8367a058e8327937f99fb9c2

SHA512
0d29dbb337dbc8f038679f69447ceec35391ef0ba46d9baad468b8d526f8e51fabb2f00c8805410998d2222b22871711e8d649c81db59c22cf9f1c4fbccdbad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
39d1001203aa894c30e02d82f445e93c

SHA1
e5b8956cb1e329adb05701aac96189be1a78a1db

SHA256
24e8fe943097065e10830c4f2b0136e50db9baca6af5825c82079bb7bea4cf0f

SHA512
0b948f0142274d0dbc78f90e48146847852045fd5a7621535c9123ddf13d0e34eba74f7114de7762a1cddb0846f699f5dd95723234450ae7ec378848750c16f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000003

Filesize
19KB

MD5
398dff0892f353e77176493bc8630784

SHA1
47a69ec6c5efbab66e0de6a1d0cd797963e7c049

SHA256
dd46804a3000a532d47ad2ef7cc3ee9bccf0ab9ef9b7becb1d5b594b899e3d44

SHA512
ed868a14494a73c53c76d6932c4268a4bd3aa227494e5890fcc14ba06b9703a89568d36efd5342a9681a491005d3e77ec359039d6ec7ef7cd22a38bc0079a736

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000009

Filesize
16KB

MD5
9978db669e49523b7adb3af80d561b1b

SHA1
7eb15d01e2afd057188741fad9ea1719bccc01ea

SHA256
4e57f4cf302186300f95c74144cbca9eb756c0a8313ebf32f8aba5c279dd059c

SHA512
04b216bd907c70ee2b96e513f7de56481388b577e6ccd67145a48178a605581fab715096cfb75d1bb336e6ad0060701d2a3680e9f38fe31e1573d5965f1e380a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_00000a

Filesize
49KB

MD5
55abcc758ea44e30cc6bf29a8e961169

SHA1
3b3717aeebb58d07f553c1813635eadb11fda264

SHA256
dada70d2614b10f6666b149d2864fdcf8f944bf748dcf79b2fe6dad73e4ef7b6

SHA512
12e2405f5412c427bee4edd9543f4ea40502eaace30b24fe1ae629895b787ea5a959903a2e32abe341cd8136033a61b802b57fe862efba5f5a1b167176dd2454

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
dc1922b176efbaa4dbf917f8af22d554

SHA1
e51131e98990e7d65cbb42b278a897cf38079d15

SHA256
d6b3f9a407bef0ad73416bf7ccf6a339505b140a047e7a93eac4afbe3b34eca3

SHA512
c463145a2046edbf482d56d4b792329a21b7764ac9cc4cbc928306afc8d2a90c9fa51eed6d341d4adda4cdb0bad84656baaef1afe4acfa982a94a302e09ac295

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
2c2b38b6c3fc1bfb412aa67a5502b382

SHA1
011108b418b9e079dde0ba4c83e5fdd0719cf3e1

SHA256
65e96cdaef5bb8e03ece5eb9632e98e813877ead41fb87cb491f04b0054075e0

SHA512
826b9f8850693e15ef45423bd7fdb840075e3fadedf845694dad3f6979c10a0c1fc2a6d4f0b84fa786958ab62ad810bf1924da193c0602c1bb05588f875d0c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\messages.json

Filesize
593B

MD5
91f5bc87fd478a007ec68c4e8adf11ac

SHA1
d07dd49e4ef3b36dad7d038b7e999ae850c5bef6

SHA256
92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9

SHA512
fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\index

Filesize
256KB

MD5
a96cee05c87fc2c2451bbc83cb790b27

SHA1
e6d23447e731c2aba927cab1d46a45b8ccb6fe76

SHA256
4fd37f441fd0a99caea83b5369326250adacf8d28dfb06c754e37ff6889c50aa

SHA512
3549860faab476dbf559881e0a21541086f0c1b94aeb5ffdd150a94f63b09e032464616d9d6aba93d14b4ab05889e7d0a66090bdd7578c5dbcfeae4416fa112a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\History

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Login Data For Account

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity

Filesize
874B

MD5
5ea56f4b2f5d9b53301b2593134aa272

SHA1
4f0ac5a80add8dea37ec8ead216e58a98a1cadc2

SHA256
67f561332265711d521f2e7cb9cbe8acc17c5fe22497d0eff85eb4e4e300c44c

SHA512
aa23ca3f011fe3925c3a875304314b558354699cb4a35c17c649a527d42d683388012d4f4c6ca618c51d5cd93540bf4d4457e179f660e81629830d2b607b9e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity

Filesize
874B

MD5
17dc428423b11711220b7c79ab4fbb92

SHA1
ea4a708b88b238730771f0218eeb4557c2b1499a

SHA256
eb0c5e75eb15da5fa74b8ce7fc58b3523f4f392728a8dbb17fe2fa0274c993ec

SHA512
835e89c83e00f17cf19febf354615c0cde12fe25b893ae963a772fca85615ef0573764172d6c12a9f3cce9721f1113d10408fae6106dce7713534a029971c19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences

Filesize
6KB

MD5
08a1ff5ef3536209a851555d24c7e3e8

SHA1
d700c95dd169b038836df4fa206c378067276671

SHA256
12b9d010875c8b3824bde171112ee7a9d77ff601ec72580d288f7733b5e8abaf

SHA512
6ce8bf823c85bf2dd926efec29f683d6a0ddff999feff32fca0ebb7fa416c4426ad8e24f86e820c5176bf5f1c349285c9c144f02e40c13e85c73c8f3ffd0f521

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences

Filesize
6KB

MD5
b08723c3f79e8fdd9ae8bf80a31f6379

SHA1
cb0f07865a313eefa122339254ab0ac6088a4b5a

SHA256
89e4e1919f44dd0466bad10bc4ce6c2ddad8cb00dd9e7b4582bc5b6a16b2f22b

SHA512
0b349cce708b270c1240a8844970c714e1defca6bb5c33f4be94bf346d8bdd1c346a6adc65a61051109b02000911fd2833364b8e9debe3123efc2945636cc7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Safe Browsing Network\Safe Browsing Cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
b61ec9fb6dba2754aac5e8e2e01c948d

SHA1
dbc77eb37f6335161afb7ff48e376ad4ded09764

SHA256
6b0d2f83395d25fdc8eb8e9487fb7e640a981757034aa1a2753035db2fc3e3c1

SHA512
fedff7a6fa6802886d89b93584d452dc594f4c170f7902f7c1fa8be9114cec4e7d42d38808acb9dd6f9c52ee0132383c1f3501d71f33bc7f4cf5b1e46d8f7ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State

Filesize
128KB

MD5
d88bc8c5b0e9869f3fd54ae90e76ccf4

SHA1
d69d6d69b3204334330f1ab93c199f6f77674eff

SHA256
2ca90a20f25b8f744b45bb19e5d36059455b050d134a35d773829a3d7cde9540

SHA512
cfbbf6f17edb051f37c96d12c9ccd807a45f1636859430a7bc5dd2f10538ee7be7ae4e53aab97b4ddc78427b96f97dd0c777c07aa66677c79aa186c5ed8ac147

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State

Filesize
254KB

MD5
9baff4278d026e97a974240ffecd713a

SHA1
16725ffd252835cf7d560a7a808fbf69dfd9d672

SHA256
51c37b14a7c8a103b44db2da5ecf20dc86a0b521edcd9fb0a5c6546e2002a549

SHA512
d9755afbfbb5bbb5f2b519aa9649af343e409b6a94073ea0f784390d9ff1a70ffa5d820f29d24fa479a55e99d135c7a86271556d62a8b3bc7705dd3cdd082884

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\index

Filesize
256KB

MD5
9d5599303b65f768ed8e4dc980b6d6ea

SHA1
56f982e3b6585afbc9dd8937456c04924a66405e

SHA256
032efe5280ed63b6a7519549967c9747be9abdc480b3e91d596460b747d55b25

SHA512
c61adc31028245aea50351d33bd6d7b6f9af237e197ddbd5f30846b9645ec59f839da0ee84e31d40464551e6cb82fa36496cf8fc1db561e33f93023512b8f776

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
9.3MB

MD5
25aea565f1fa84ad4a05be75555eeea8

SHA1
f884a23843d3d3df8184b4ba16c9b8a5dacff520

SHA256
6a4ca86924b503521aeddff4ab8f84c4fd7ade38e56f50cb0dee688d415f703d

SHA512
88b88f7356da104e8a4a1dcd995d3eae18ba92d79e23d74636fdca55efd905ed3874ff24cce265cd7505e9db7230210aa4bbc123cca21a50995c1596eee96da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
55KB

MD5
922b1f672b55cc879ec4d4d47a585b7f

SHA1
7b9f4c54b9d4cdc4db4768b0f6f521c42633834c

SHA256
6145edabc6116a9c16461db849d66fda4ea311fca4b7f696c41f54b7d7f5c60f

SHA512
e8673a8800b733cdd8362bbaa05a2274b78dbd9c8cb00bf3831c0a20dbb7182b46c31de591ad8d7e8e10abe7d2d2da67e24ab61ebc6008e704ccdca791287ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9ab1798970f39c29d64e22f32dcabb74

SHA1
6fb9b779977ea72c11e018409bdac83525f0e98a

SHA256
9c880a91d513b5807639f4924f52d8eb854e9361d8454836510b2b0d696eccd6

SHA512
077aa344fbcd1f44c0417dacea1966f618618d8ec60603727d9bb5ef218996ca33fe3ba95944c16c3ff880920f851a79f947b6cf7b8f8ada76df31b4281c0af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f68e3a1f0a261a0d0a9a5aefc759869f

SHA1
ca9e2ad1ca15b09cc2970192e923740676365713

SHA256
c7711030f00194e25f4f14fd26f5b54c7dee519c3ac580f8246b7ba57b0e8523

SHA512
5179a02740dbad1abe3a1c2e441bbcd5d79b35daaf36260a6ded5d76185fa261fdd90173b5c84fc2edc40759fa29a864556fa20443a20b303ce2d5afcf36fba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e4670560052cc1f484b4daed272b5332

SHA1
50df06b8a21efd47ab4626923fddee55379d03c4

SHA256
68be76955e52f3972a62592a4cd75f3b4b1dd7187e470ee4d3b6f050e451ccbe

SHA512
0de14ee7c5c7ea91af0a72d956a3f87ef9f48e8ad8b7413661991fa0da2cf348f71458e3f376dc6c61f3ccbf96346e893b70417ec504d60398e04ebc06c87f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1f87960caf9d8cadd73219a328917ad3

SHA1
dee0cad2c3d0353122e6fb2a6f9e8ea08fc92646

SHA256
b0e0d190e354202de0e8d14688739911c66c43280e45c3c104f3a9993c2022c9

SHA512
adb631921ecda8438b807a4bfbba9fe136aa6cadd8c26c15b3e20f9143e55c9e66eb274abebaedc38c3ceca357c88d8360559fc710099197fbce39264f5f1c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
10c46548bfabefcd29321e3dd40a832b

SHA1
a6ccfdf48f8b966e9773a2ded1a5f02190f8661a

SHA256
1dd8f0273df56650cc1e1e847cb58f4f1c9a903be213d59982df7697ba85ab59

SHA512
a4b37fc2efa37ebd950aa3b86b4f466a16661a13776b7db37caf4305382c36361a0c14b7aa389e6990769103ee86c3331c6b24de6b7474ac3ef8f4a21d308eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f57a017bb998ded30854092e9e64b0ca

SHA1
962bffecfa8b9a79010e1180027076f3c8c6af19

SHA256
2fff5e4d9f7f5ea1953ddbcd2f0d3bd72bda134d2f9affc99cb78023b02a1bf9

SHA512
f56bf97058ab55351063d17f5d1da3bdc314abfae8ba04b4ce8a74350e6bbf9a7fc7caa2abcda87b0e485bd4a2c4c2a0ea0e13afc90cce833f4c991c411af485

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
016fb59fb12e11529f1d402696d749c0

SHA1
930714023d57035d97daa238d7cc624feccb56f8

SHA256
23637d3add8e5eb28639864a92a44601cd2ae473bfa556291c870f2e820fe9af

SHA512
cedd457c14d66b3b1273dd6ee5c748e4caba0881ace77b4e7274f0ee3f0e2450799778a0bc366911595788dfe1f5bdf4cb9f2af00e6f5dc71102514a6a414b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
8343142f0ac3573b6eb8226d2c3310ba

SHA1
79a62eac5e637a72343c6ac0472a803105e53004

SHA256
114fab3ec2d40aa1d79add6d76262761f9404b45b216dd632006a0936aea2227

SHA512
c679b6e5c65aea5a677069626f5b7dd973737fd4186543c3e8745ffed8ebaf54ca1f25d92051ef42e0c1fb90a1205735344f7970d58a6b6f5a43d598b8cf181d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e77a451353bf19985e8166407642d53b

SHA1
85cba21cad0cfabbee9c855e8fc2b491dd33ef59

SHA256
1277f8e69d64fa1fb38c07a647f7d4a0856e4a09545b40253151b569c4d2a5b3

SHA512
838041caf39b285218b374306e7e0c05e9c77ea34f9ae2374c84ab104c79bc18805dc02de730890c28d2864be3c9b56b77e18bf82390dc9d5704efe295b72d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
b1e1e04a6eee064f659d89143343e488

SHA1
041ffdf0025e06d0e691c68b8e339435d1ba2cca

SHA256
f2ebdb7c90527e2d0a3355d4a230319404093d191d4f6a8693a8300a9206eba7

SHA512
e81322d36c11feebdafa406429e73c55f0700ba65b96f9fb072234fa6da33b7c9176cff9ce5d1112e3093062cde4fc64400c78ebcef8d18211b5de0115c18d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
90b168f44c20bb3eb74bfb77f5041e6d

SHA1
f90bb74d9a2066a8b409b3004a4db0d1c2984ec2

SHA256
19ee59a67aeebeb6ee3f7814998b6e95c8d3b86c8e2a464e5e7e5671ed421f29

SHA512
625e5b7ec8b43fd7fbf225fd009b32283a8201a4f7f0f4659569c6c66ad7313f50022c0da5450830f5449d8ded2aa4454b7bfe2aac7edd00800f6e25362b4773

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
d07498b9de435fbf465771fa06f687be

SHA1
7cef58141141530d15e62459d8da7ae880036758

SHA256
8e0b2cf64e87e95ba2c6b9d347774616860baeb824a6cf894865b0ad1c31072c

SHA512
c4c1363fcc5466b586fa0373e14640e4938d03449fa0fd76ece250e51f5ed43854d604098ef0919926d03caaec54d21401cd32b43234b6173253199491999c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6b3566b67c028584fc31828a029c0975

SHA1
5e0cc1f5700eade834a275805e88a2f53e1fdbfd

SHA256
ee1fd2637db3fdff12335fa18fe7b65bda5b84f2b971f8224d5e2509b1e1c6f3

SHA512
39d62eb837dda7a2d4d2f4b0528f4cc835ae98e8d6ea36d4e8c17197812e78de0b034a5343925815aeaeb666eaa82ac6d56a244071ffc822248b1b9818727cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f583dc244fe3ea759c37e0cd0af6e291

SHA1
2f9b08a088022d7eec4722c63ccfe485f4e7cee5

SHA256
6b5caeba774d6f1d7159f716e4f646164bc912bd8d07421b79d133374ae5e03e

SHA512
1fd653256d67e4f8047312573bc3e120b03dde2697c92e052d137cc0421f36c5cf7229628aacae1b5036c0e1f7e9b16b24f87c8f2069b9df3118a46ed4f82fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5d640b759132de82bc80de82caa54d31

SHA1
491653cba9060f52a8fc213673a524476aae5b4f

SHA256
210249d3d125e85b01166778d874a4b7d04179d4d81894ac5e733e67df1968e4

SHA512
dbd80e9ceb4c694fcc98b2d7e2071b3a8279a4bb927219f4ee4c4d78789c6d1566c2a6ab028bb7c209f973836eeee90c8701406ea563aca3b5381b19679ceb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a966c9891dd0f12337586ab103c716ab

SHA1
3439cc70e0f46c8630bc4aa205da9c8b211ea996

SHA256
755caefd75764f41d941d2b8a097cdbdd8ead4af7d71364961af1e5667c5fe2c

SHA512
1c3de028831eb72fbec509a0619b3154e6b24854e3a6a810cce135173b3ea92a288fc811de6cc59851f9989ddd4113d54166777b2fb6ea5ccad108ac8e5ff212

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
20e26e8ec74a7a4d2de653995b67b3a4

SHA1
fa7c2e81dd2c4fc37eb76623629746551a73c54a

SHA256
c320d82357fe8672e09afdd13447fa8c3de306275f204e22718ba6f5a44b4f72

SHA512
fd31797f7a32e369b2fe0f7c754c228385a0c4bc9f7c1a362a109f50f31b8a94da10a982d2f2cc73ec04d5494f7997306c68f26bfe5caee7bfd135083e11f6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
3dfe802117913824e4b1dbfde00d50e9

SHA1
725720ddf0f1dc7ce0a6ad336408cac0f79c4cf9

SHA256
edbca5363d198f6f9c1582f6f6b72b2f8a16ba7d7d31644c0dbc2375ea827c10

SHA512
c56d44c17b6eba5908871ff17e25832275aada0e10a9b48e01be87550235014befc55ff440dcf0103706120a8d4aa2b435f3867742f58d97c86eb1e1fd7595b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
5978b4e937b2c1a05fe80b7a39f70f6a

SHA1
f509566679e42bccfecfb25a7a58a94b7fe4b154

SHA256
36014716ed064c4537a350df3ef171ee53c0c37854ab185a531463cf74157aba

SHA512
e66374732ed5eab006946a0720c8b72d267287198ca5730264420dc2fa645e1e8a5732bccbcd6847e4af7f171956f2c68c6ed0ecdb1ca8abb22d5b0efa3a5b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
6dbd3882140afd9a2d9c85ca34c69350

SHA1
ff9816d47761019c7b55a43bfcc7e36defcf0057

SHA256
abbdd9841f32fb8b10412243a99f8cd60dc45f2bd30b392678b30ca05b0843c7

SHA512
2fb423e9920da2eb87cd244435fde030f47b882cdc36edf85dbf3e6d617d552eabd4a7411179c263d450c8533a6cf9400bc3bf8d6c9c76b0c2f61f6ce9ecc1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1f4fec3830965d6e886a48e7eaabb761

SHA1
e5e45de1e0fcc348a07573c3d09cb157ee939eca

SHA256
92e9d5f8517907d612eeaf993852c18ee94c47ebc6a68fa25d9e1dc198a0349b

SHA512
a7c7d669ecc3fbc3c9a1cf1ad288e57e4febd6d5df7e577c9cccee3933e777af7247934e520d749526ad163b3fd218c92822edfdbeb4528161765eeb449033ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
c21fe56cb079ef754408cd8da18e16ad

SHA1
2aad4b9e088cea23e07e2997abe8d0bdf5220f93

SHA256
bfb869e333575ae4b8f42dad87522ea618ba0c72116dc25d5a169c135f2ddf94

SHA512
726cda7546ca21618148c6b5d107a80e225d0cde9375639f50a0858ef5d88a3a1e7cad8d00a45ffa23bd8521cd2c1c651481c0f6483ffccde02cf7dc57f8d844

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e385a454890d3abdf13c2fa860b8d7b9

SHA1
e52c00aa43b4d7cc6213fb7a135589425e3697eb

SHA256
6fb7e034db3b3dfc961b5281aaa5cc6fe23cb750c97e7db0bfd96c31fcc6d76c

SHA512
4453073ceee07eb34085e962700f6408ff740f3bdefc140bd63fa8c3c95eb550afed4c5dd05292db96ef19c8cd05b8038aa4990dc4a0e2553c0696e0b8af340d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fbdb25e1025400573681365c2d816194

SHA1
cad5c6b36ec29806d10404a7bb6632c0eabda613

SHA256
3ecdd5e8c69af9fa5ecd8066a504b16229ff2fb94a9904d16ed90033eda5b97c

SHA512
eddec99729ed328fb06506c9794f3f575a5af72ba6ed1be78af691c8b33f9114a658105fb705372c9eb3c236c5c5d2c68446b27256a717fbb3a7c2994c7a77d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
1KB

MD5
ace888f98c06ab9f101e7d6d24cfb605

SHA1
76565f2bbf3587ea614f4f1a89d1604db3dfaa6a

SHA256
42138e8c852a8bea389c0f8f1ec4bde6a7c5dc82236c2d7bf981f42614eed70d

SHA512
7386852696034749f624c2a772a4810faf9cafa93a78d93703ce0eb87511b858f6dce280165fa05267960d3c53b5d02769c67d24212a4ec228ddbb6d14ca50f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe

Filesize
537KB

MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe

Filesize
891KB

MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe

Filesize
832KB

MD5
d584253beb7d92e7457eb0fc27dbe70a

SHA1
917e32a5dedbc4aa6d9fc9f33e1eee0678a46e2b

SHA256
dfd7d2fc5994d1f723beda6ea0f66e70318e752f1c937444a1b52e6701a6e973

SHA512
12a3411b62b35758efed4988bcb1596df417d24045882fc18866be4c60a8076169faed23729e897d8ae5f3426dac1e343cb889eb039e45df96d9086f4a33ae17

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe

Filesize
320KB

MD5
080c3f8149c5b67cefd849dcd105fcf7

SHA1
cfee93890cd9a4b1e4394e9594120f19ace18921

SHA256
af48db1851289b227fdfd4beb823a71a72c12f5b50e6145c90837439f6784c79

SHA512
5124ac55fe5df409936f9bdb4197b3836585730d6a9d0764e9fc5f2da9ed3a08bc4154f0faff793082991959cab1513284a61e70c86662a48e8d0e2340ac7c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe

Filesize
214KB

MD5
1a1ea56ab621b6302509b15c30af87f3

SHA1
6249a3c2f4336a828d59b07724ae9983a3eef264

SHA256
5d3685c1a78ebb08d03a5de627bba9c55f0e7bfbd6d5efa61c6ad26d111bb2c4

SHA512
66a7c29bc1f0e573c24af632edf1250ae50517c37cd5d2560e0f8619ebb76f26137bd234f504501dd4a79ad7779a17e3e83951cb907f92174102fa3811d48a90

Download Submit
\??\pipe\LOCAL\crashpad_1652_OIERMMZIOZKCBPGW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/456-145-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

Filesize
1024KB

Download
memory/456-212-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/456-149-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/456-146-0x0000000004760000-0x0000000004769000-memory.dmp

Filesize
36KB

Download
memory/1128-68-0x0000000001FA0000-0x0000000001FC8000-memory.dmp

Filesize
160KB

Download
memory/1128-67-0x00007FFCF1C00000-0x00007FFCF26C1000-memory.dmp

Filesize
10.8MB

Download
memory/1128-91-0x000000001AC80000-0x000000001AC90000-memory.dmp

Filesize
64KB

Download
memory/1128-150-0x00007FFCF1C00000-0x00007FFCF26C1000-memory.dmp

Filesize
10.8MB

Download
memory/1128-57-0x0000000000020000-0x000000000005A000-memory.dmp

Filesize
232KB

Download
memory/2484-1262-0x0000000004DB0000-0x00000000051F7000-memory.dmp

Filesize
4.3MB

Download
memory/2484-1264-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/2484-1369-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/2484-1398-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/3508-206-0x0000000002DC0000-0x0000000002DD6000-memory.dmp

Filesize
88KB

Download
memory/3916-1478-0x00000000045C0000-0x00000000045C8000-memory.dmp

Filesize
32KB

Download
memory/3916-140-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/3916-1481-0x00000000048D0000-0x00000000048D8000-memory.dmp

Filesize
32KB

Download
memory/3916-1482-0x0000000004740000-0x0000000004748000-memory.dmp

Filesize
32KB

Download
memory/3916-1970-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/3916-1495-0x00000000043E0000-0x00000000043E8000-memory.dmp

Filesize
32KB

Download
memory/3916-1479-0x0000000004720000-0x0000000004728000-memory.dmp

Filesize
32KB

Download
memory/3916-1503-0x0000000004740000-0x0000000004748000-memory.dmp

Filesize
32KB

Download
memory/3916-1505-0x0000000004870000-0x0000000004878000-memory.dmp

Filesize
32KB

Download
memory/3916-1475-0x0000000004480000-0x0000000004488000-memory.dmp

Filesize
32KB

Download
memory/3916-1518-0x00000000043E0000-0x00000000043E8000-memory.dmp

Filesize
32KB

Download
memory/3916-1265-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/3916-1526-0x0000000004870000-0x0000000004878000-memory.dmp

Filesize
32KB

Download
memory/3916-1528-0x0000000004740000-0x0000000004748000-memory.dmp

Filesize
32KB

Download
memory/3916-1459-0x0000000003770000-0x0000000003780000-memory.dmp

Filesize
64KB

Download
memory/3916-1465-0x0000000003910000-0x0000000003920000-memory.dmp

Filesize
64KB

Download
memory/3916-1473-0x00000000043E0000-0x00000000043E8000-memory.dmp

Filesize
32KB

Download
memory/3916-1480-0x00000000049D0000-0x00000000049D8000-memory.dmp

Filesize
32KB

Download
memory/3916-134-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/3916-1472-0x00000000043C0000-0x00000000043C8000-memory.dmp

Filesize
32KB

Download
memory/4044-222-0x00000000051F0000-0x0000000005B16000-memory.dmp

Filesize
9.1MB

Download
memory/4044-184-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/4044-211-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/4044-178-0x00000000051F0000-0x0000000005B16000-memory.dmp

Filesize
9.1MB

Download
memory/4044-172-0x0000000004DB0000-0x00000000051F0000-memory.dmp

Filesize
4.2MB

Download
memory/4488-190-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4512-126-0x00000000724C0000-0x0000000072C70000-memory.dmp

Filesize
7.7MB

Download
memory/4512-1395-0x00000000724C0000-0x0000000072C70000-memory.dmp

Filesize
7.7MB

Download
memory/4512-1227-0x00000000724C0000-0x0000000072C70000-memory.dmp

Filesize
7.7MB

Download
memory/4512-1389-0x0000000002BB0000-0x0000000002BD8000-memory.dmp

Filesize
160KB

Download
memory/4512-1263-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/4512-129-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/4512-116-0x0000000000AE0000-0x0000000000B6A000-memory.dmp

Filesize
552KB

Download
memory/4848-128-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5656-1984-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/5656-1390-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/5656-1391-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/5656-1393-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/5656-1394-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/5936-1444-0x0000000005200000-0x0000000005700000-memory.dmp

Filesize
5.0MB

Download
memory/5936-1445-0x0000000005700000-0x0000000006026000-memory.dmp

Filesize
9.1MB

Download
memory/5936-1989-0x0000000005200000-0x0000000005700000-memory.dmp

Filesize
5.0MB

Download
memory/5936-2011-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/5936-1446-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/5936-1450-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download