vidar | hxxps://www[.]youtube[.]com/watch?v=-10QrILnrFs

Analysis

max time kernel
360s
max time network
482s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
05-03-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/watch?v=-10QrILnrFs

Score

10^/10

vidar a33cf6c67dfe18bb7ae780b0a82c77b7 microsoft evasion persistence phishing stealer upx

Malware Config

Extracted

Family

vidar

Version

8.1

Botnet

a33cf6c67dfe18bb7ae780b0a82c77b7

https://steamcommunity.com/profiles/76561199649267298

https://t.me/uprizin

Attributes

profile_id_v2
a33cf6c67dfe18bb7ae780b0a82c77b7
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0

Signatures

Detect Vidar Stealer 8 IoCs

stealer

resource	yara_rule
behavioral1/memory/7072-2924-0x00000000006A0000-0x0000000001B68000-memory.dmp	family_vidar_v7
behavioral1/memory/7072-2935-0x00000000006A0000-0x0000000001B68000-memory.dmp	family_vidar_v7
behavioral1/memory/7072-2937-0x00000000006A0000-0x0000000001B68000-memory.dmp	family_vidar_v7
behavioral1/memory/7072-3066-0x00000000006A0000-0x0000000001B68000-memory.dmp	family_vidar_v7
behavioral1/memory/5936-3220-0x00000000006A0000-0x0000000001B68000-memory.dmp	family_vidar_v7
behavioral1/memory/5936-3249-0x00000000006A0000-0x0000000001B68000-memory.dmp	family_vidar_v7
behavioral1/memory/5936-3335-0x00000000006A0000-0x0000000001B68000-memory.dmp	family_vidar_v7
behavioral1/memory/5936-3339-0x00000000006A0000-0x0000000001B68000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/6780-3244-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6780-3247-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6780-3253-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6780-3251-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6780-3255-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Detected potential entity reuse from brand microsoft.
phishing microsoft

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6904	sc.exe
6808	sc.exe
5756	sc.exe
5504	sc.exe
400	sc.exe
3704	sc.exe
1232	sc.exe
6320	sc.exe
6356	sc.exe
7916	sc.exe
9040	sc.exe
2716	sc.exe
8440	sc.exe
5728	sc.exe
6944	sc.exe
1468	sc.exe
8100	sc.exe
4664	sc.exe
6408	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2744	7072	WerFault.exe	181
3952	5936	WerFault.exe	220

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\2\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 5e003100000000005b58fd801000415353454d427e310000460009000400efbe655861b8655863b82e000000b3360200000007000000000000000000000000000000656da90041007300730065006d0062006c00690065007300000018000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\2\0\NodeSlot = "8"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 6a00310000000000655863b8100053455455505f7e310000520009000400efbe655861b8655863b82e000000b135020000000b0000000000000000000000000000009ecc7b00530065007400750070005f00500073007700720064005f003100320033003400000018000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\2 = 6c003100000000005b58259310004153507e312e4e455400540009000400efbe655861b8655863b82e000000023602000000080000000000000000000000000000005e9c0f014100530050002e004e00450054002000570065006200200050006100670065007300000018000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1\NodeSlot = "6"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\2	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Setup_Pswrd_1234.rar:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
228	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5380	WINWORD.EXE
5380	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4780	msedge.exe
4780	msedge.exe
1372	msedge.exe
1372	msedge.exe
7576	identity_helper.exe
7576	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2988	7zFM.exe
2276	firefox.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeRestorePrivilege	2988	7zFM.exe
Token: 35	2988	7zFM.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeRestorePrivilege	8320	7zG.exe
Token: 35	8320	7zG.exe
Token: SeSecurityPrivilege	8320	7zG.exe
Token: SeSecurityPrivilege	8320	7zG.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe
Token: SeDebugPrivilege	2276	firefox.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2988	7zFM.exe
8320	7zG.exe
2276	firefox.exe
2276	firefox.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
2276	firefox.exe
5380	WINWORD.EXE
5380	WINWORD.EXE
5380	WINWORD.EXE
5380	WINWORD.EXE
5380	WINWORD.EXE
5380	WINWORD.EXE
5380	WINWORD.EXE
5380	WINWORD.EXE
5380	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 2276	4916	firefox.exe	87
PID 4916 wrote to memory of 2276	4916	firefox.exe	87
PID 4916 wrote to memory of 2276	4916	firefox.exe	87
PID 4916 wrote to memory of 2276	4916	firefox.exe	87
PID 4916 wrote to memory of 2276	4916	firefox.exe	87
PID 4916 wrote to memory of 2276	4916	firefox.exe	87
PID 4916 wrote to memory of 2276	4916	firefox.exe	87
PID 4916 wrote to memory of 2276	4916	firefox.exe	87
PID 4916 wrote to memory of 2276	4916	firefox.exe	87
PID 4916 wrote to memory of 2276	4916	firefox.exe	87
PID 4916 wrote to memory of 2276	4916	firefox.exe	87
PID 2276 wrote to memory of 4956	2276	firefox.exe	88
PID 2276 wrote to memory of 4956	2276	firefox.exe	88
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 4168	2276	firefox.exe	89
PID 2276 wrote to memory of 3644	2276	firefox.exe	91
PID 2276 wrote to memory of 3644	2276	firefox.exe	91
PID 2276 wrote to memory of 3644	2276	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.youtube.com/watch?v=-10QrILnrFs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.youtube.com/watch?v=-10QrILnrFs
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.0.41000716\94745505" -parentBuildID 20221007134813 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 20671 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d14998d-da65-40c1-90d4-faddf3fe16c3} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 1988 1ce1550ac58 gpu
    3⤵
    PID:4956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.1.1501619689\744283272" -parentBuildID 20221007134813 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 21487 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcc5ce81-2f8a-4079-a749-3cd2d9b48b5b} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 2416 1ce143ec058 socket
    3⤵
    PID:4168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.2.6057515\2077600860" -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 2896 -prefsLen 21525 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {254119f8-5bdc-4aa8-8408-2d7121780e23} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 3364 1ce18606d58 tab
    3⤵
    PID:3644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.3.790686836\1233010352" -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3604 -prefsLen 25988 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35ac5a7a-9f96-4f7c-bb5f-cb35002bd19a} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 3620 1ce00862558 tab
    3⤵
    PID:3700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.4.93854116\1213447959" -childID 3 -isForBrowser -prefsHandle 4960 -prefMapHandle 4956 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {076578f2-cda7-4715-b948-84388ba6f604} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 4968 1ce1a48f558 tab
    3⤵
    PID:2264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.5.661239487\2041190175" -childID 4 -isForBrowser -prefsHandle 5104 -prefMapHandle 5108 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f3f3e29-6372-4013-ab32-a6a25f4402d8} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 5092 1ce1a48ec58 tab
    3⤵
    PID:2832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.6.1477513210\1245739961" -childID 5 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5436ad25-d870-41f4-814a-1509748ba2fe} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 5156 1ce1a48c858 tab
    3⤵
    PID:5052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.7.272214833\1269190619" -parentBuildID 20221007134813 -prefsHandle 5668 -prefMapHandle 5724 -prefsLen 26047 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dea2bd1-957c-4bc3-968e-3cb9a6a65f20} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 5732 1ce1b613558 rdd
    3⤵
    PID:1532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.8.391098767\2099400124" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5892 -prefMapHandle 5740 -prefsLen 26047 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e630664a-671e-4254-a12f-533fe91e34f8} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 5904 1ce1b7a7758 utility
    3⤵
    PID:916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.9.1512738144\1843998747" -childID 6 -isForBrowser -prefsHandle 6348 -prefMapHandle 6336 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9605bea-fc64-4253-8e3c-c857319d26c5} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 6364 1ce1bc77758 tab
    3⤵
    PID:5200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.10.418990587\624534948" -childID 7 -isForBrowser -prefsHandle 6492 -prefMapHandle 6496 -prefsLen 26301 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f39b79b-6b4f-4bc7-9c83-95d744dad0a5} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 6484 1ce19427558 tab
    3⤵
    PID:5500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.11.1093864928\735344793" -childID 8 -isForBrowser -prefsHandle 6792 -prefMapHandle 6796 -prefsLen 26301 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f6427d7-7905-4b93-8b96-dcb5d452dbc6} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 6872 1ce1816d658 tab
    3⤵
    PID:5512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.12.1301517417\574613338" -childID 9 -isForBrowser -prefsHandle 3576 -prefMapHandle 3580 -prefsLen 26301 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58c57eab-31cf-4b9a-a380-2298306c6c0b} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 6080 1ce008c3b58 tab
    3⤵
    PID:5156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.13.278781939\776403444" -childID 10 -isForBrowser -prefsHandle 6080 -prefMapHandle 6644 -prefsLen 26301 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4272343-b6e5-43f8-9cea-cf8d3b1703a9} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 6648 1ce14652458 tab
    3⤵
    PID:5568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.14.2126444683\109333639" -childID 11 -isForBrowser -prefsHandle 10792 -prefMapHandle 6344 -prefsLen 26301 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6f14a5b-b964-48d8-a0ad-817c731ba98b} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 10776 1ce16a0f458 tab
    3⤵
    PID:960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.15.2027531683\754902427" -childID 12 -isForBrowser -prefsHandle 5884 -prefMapHandle 6540 -prefsLen 26301 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75564a9a-0807-46f8-a5d0-a01fec3d1322} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 5680 1ce1b7a9e58 tab
    3⤵
    PID:2296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.16.12435721\1820468787" -childID 13 -isForBrowser -prefsHandle 10964 -prefMapHandle 10976 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89e9c088-b7f4-4ff4-bfbb-47d046c08810} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 6644 1ce16a96858 tab
    3⤵
    PID:4584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.17.1593504037\187678323" -childID 14 -isForBrowser -prefsHandle 10492 -prefMapHandle 10524 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ecbb937-798d-4ee2-a181-0dc89a62bc70} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 10484 1ce1dea7d58 tab
    3⤵
    PID:840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.18.861930089\1287728379" -childID 15 -isForBrowser -prefsHandle 10344 -prefMapHandle 10340 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11cf73d1-95a3-4a1e-adec-988f93e649a6} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 10352 1ce1dea6858 tab
    3⤵
    PID:1544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.19.1257747849\1993378141" -childID 16 -isForBrowser -prefsHandle 6564 -prefMapHandle 5368 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e7c3278-fe10-45ee-8d2d-16c84d9b9035} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 10492 1ce1e23eb58 tab
    3⤵
    PID:6364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.20.2103364894\1443174933" -childID 17 -isForBrowser -prefsHandle 10760 -prefMapHandle 10864 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b40643e7-e1f7-4147-94ca-da5ff0b4099b} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 9976 1ce1e8d6658 tab
    3⤵
    PID:6808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.21.1011003024\487620512" -childID 18 -isForBrowser -prefsHandle 5712 -prefMapHandle 9764 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3934b1f8-a76d-430f-b447-8b0b3e21c32f} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 6784 1ce1eaeb658 tab
    3⤵
    PID:6880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.22.1267591844\834425446" -childID 19 -isForBrowser -prefsHandle 9576 -prefMapHandle 9744 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a030634f-0fe9-4fd1-b953-d2c8f7cdbdde} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 9488 1ce1eaec558 tab
    3⤵
    PID:6432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.23.746728092\1204160464" -childID 20 -isForBrowser -prefsHandle 9412 -prefMapHandle 9768 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83877cba-5bdd-4792-93bd-8e1594c1a311} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 9452 1ce1e22a258 tab
    3⤵
    PID:6356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.24.1164862554\354803719" -childID 21 -isForBrowser -prefsHandle 9404 -prefMapHandle 9488 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {989df4fd-253f-4461-9afb-a075e2c1ddf2} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 9376 1ce1e22c658 tab
    3⤵
    PID:6412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.25.1648966108\21828298" -childID 22 -isForBrowser -prefsHandle 8988 -prefMapHandle 9148 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c1b5363-a10f-4f40-aea1-4890bd1d7eb4} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 8968 1ce1e22c058 tab
    3⤵
    PID:7088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.26.865291670\1605716605" -childID 23 -isForBrowser -prefsHandle 8972 -prefMapHandle 8976 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {604e59b5-aa91-43b6-92bb-98456107d2d1} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 8960 1ce1e22cc58 tab
    3⤵
    PID:6496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.27.573336575\1158433041" -childID 24 -isForBrowser -prefsHandle 9088 -prefMapHandle 8420 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3acc5035-299a-4065-adf5-cbe0d04bff4f} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 8408 1ce1f76cc58 tab
    3⤵
    PID:7204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.28.94394788\2070296779" -childID 25 -isForBrowser -prefsHandle 8260 -prefMapHandle 8264 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c40764a2-232e-44e4-aece-24e50b075e38} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 8252 1ce1fdcf858 tab
    3⤵
    PID:7868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.29.166886679\582235442" -childID 26 -isForBrowser -prefsHandle 8120 -prefMapHandle 8116 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8f96c0c-7768-47ec-ab72-ec3b42105858} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 8128 1ce16909f58 tab
    3⤵
    PID:7900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.30.478459256\891658140" -childID 27 -isForBrowser -prefsHandle 8532 -prefMapHandle 8568 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec70d23a-3ae8-4bae-8493-bad9c40011e5} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 9148 1ce1b40ae58 tab
    3⤵
    PID:7540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.31.1130415507\1731024970" -childID 28 -isForBrowser -prefsHandle 8260 -prefMapHandle 8344 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71183866-06bb-4c8d-a19e-8ed438f1a621} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 8228 1ce1b408758 tab
    3⤵
    PID:7588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.32.4427331\878599878" -childID 29 -isForBrowser -prefsHandle 6364 -prefMapHandle 7432 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38b3e6a0-42a2-40a5-8f74-f0fe6fee1c4e} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 7352 1ce1c9a6758 tab
    3⤵
    PID:8768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.33.1672033861\1608873412" -childID 30 -isForBrowser -prefsHandle 7380 -prefMapHandle 7376 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {952b096b-9795-41cc-9fd4-a40bc1cd6168} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 7388 1ce1d05e458 tab
    3⤵
    PID:8776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.34.1728136285\1563344412" -childID 31 -isForBrowser -prefsHandle 7548 -prefMapHandle 8300 -prefsLen 26566 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8872bde7-fe01-44ab-9a3f-350fcbe4da61} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 6668 1ce1d12ae58 tab
    3⤵
    PID:8788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.35.6497671\421604393" -childID 32 -isForBrowser -prefsHandle 7140 -prefMapHandle 6676 -prefsLen 26622 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68f7f794-9681-464a-a139-395a43fb8ce7} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 5004 1ce1d4f4e58 tab
    3⤵
    PID:7196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.36.1909540805\2097229090" -childID 33 -isForBrowser -prefsHandle 8300 -prefMapHandle 7540 -prefsLen 26622 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {644cd6b3-e14d-46cb-982f-9ff4df69353e} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 7548 1ce15508258 tab
    3⤵
    PID:5512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.37.847639339\329216150" -childID 34 -isForBrowser -prefsHandle 6484 -prefMapHandle 3564 -prefsLen 26622 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bacb274-d3e4-4bca-bf6b-f56050d07e82} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 3584 1ce008c6b58 tab
    3⤵
    PID:5708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.38.1475604538\1739494489" -childID 35 -isForBrowser -prefsHandle 10072 -prefMapHandle 9680 -prefsLen 27371 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ad7a6a2-e383-4205-834d-992243ac5f13} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 9600 1ce14651258 tab
    3⤵
    PID:3108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.39.1841947382\2005383441" -childID 36 -isForBrowser -prefsHandle 7980 -prefMapHandle 8772 -prefsLen 27371 -prefMapSize 233414 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6fb209c-450a-4e7e-a092-bcacdd9f2c90} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 8756 1ce1b1f0d58 tab
    3⤵
    PID:3592

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Setup_Pswrd_1234.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:8708

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup_Pswrd_1234\" -spe -an -ai#7zMap245:94:7zEvent27590
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:8320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\Setup_Pswrd_1234\ASP.NET Web Pages\v1.0\readme.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7ffc167146f8,0x7ffc16714708,0x7ffc16714718
  2⤵
  PID:7212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1491099868977785703,17169077422967633125,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,1491099868977785703,17169077422967633125,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,1491099868977785703,17169077422967633125,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1491099868977785703,17169077422967633125,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:8180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1491099868977785703,17169077422967633125,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:8936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,1491099868977785703,17169077422967633125,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:7560
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,1491099868977785703,17169077422967633125,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1491099868977785703,17169077422967633125,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:6192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1491099868977785703,17169077422967633125,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:9064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1491099868977785703,17169077422967633125,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:9072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1491099868977785703,17169077422967633125,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1491099868977785703,17169077422967633125,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:8832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1491099868977785703,17169077422967633125,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:6260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6064

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Setup_Pswrd_1234\ASP.NET Web Pages\v1.0\thirdpartynotices.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5380

C:\Users\Admin\Downloads\Setup_Pswrd_1234\Setup.exe
"C:\Users\Admin\Downloads\Setup_Pswrd_1234\Setup.exe"
1⤵
PID:7072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 2168
  2⤵
  - Program crash
  PID:2744

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:7396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7072 -ip 7072
1⤵
PID:2788

C:\Users\Admin\Downloads\Setup_Pswrd_1234\Updater.exe
"C:\Users\Admin\Downloads\Setup_Pswrd_1234\Updater.exe"
1⤵
PID:5624
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:5992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4308
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4916
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:9040
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4664
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3704
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2716
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5756
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:8200
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:4752
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:9052
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:6688
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
  2⤵
  - Launches sc.exe
  PID:6408
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:8440
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:5504
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
  2⤵
  - Launches sc.exe
  PID:5728

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Setup_Pswrd_1234\Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:228

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
PID:9076
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:6208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4988
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5596
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6320
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1232
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:400
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:6904
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:6944
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:8936
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:6852
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:6512
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:7460
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:7476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    PID:7744
- - C:\ProgramData\GoogleUP\Chrome\Updater.exe
    "C:\ProgramData\GoogleUP\Chrome\Updater.exe"
    3⤵
    PID:8124
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:4252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:116
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:7940
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1468
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:6356
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:8100
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:7916
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:6808
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:7432
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:8372
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:8380
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:7732
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:6780

C:\Users\Admin\Downloads\Setup_Pswrd_1234\Setup.exe
"C:\Users\Admin\Downloads\Setup_Pswrd_1234\Setup.exe"
1⤵
PID:5936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 2320
  2⤵
  - Program crash
  PID:3952

C:\Users\Admin\Downloads\Setup_Pswrd_1234\Updater.exe
"C:\Users\Admin\Downloads\Setup_Pswrd_1234\Updater.exe"
1⤵
PID:8628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5936 -ip 5936
1⤵
PID:6264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GoogleUP\Chrome\Updater.exe

Filesize
4.4MB

MD5
a67a95bc2ab08201076094c015f99337

SHA1
1c5cf7c612131d2dea52a68abf5310356958183a

SHA256
a13b7009d36faaccf7d52859280d9afe9d49f56a5a3a7feb4afd4c56ba50143b

SHA512
c09e6d3ba958ac5fe13f96c6e5ed98ef8cbdb8cb6d0e73f227657ea02d224293098c0973bcdd93b39f69b7db0d984c388eacd7c6ac300408519cd33ed19bc646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b206e54d55dcb61072236144d1f90f8

SHA1
c2600831112447369e5b557e249f86611b05287d

SHA256
87bf9a4c3564eb3d8bef70450da843ae6003271222734c4d28d9961c52782e0b

SHA512
c9e8d2452368873e0622b002a0c2f8a2714b5897a09475738a9f9740122d716a9f0d3841725230d58e039564c820d32a6f3a675a7bb04bd163bab53dcb4e22f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
73c8d54f775a1b870efd00cb75baf547

SHA1
33024c5b7573c9079a3b2beba9d85e3ba35e6b0e

SHA256
1ce86be0476a2a9e409fcb817126285bc4ad83efd03ee06a2f86910fe18d4d94

SHA512
191344f5830cfea68499bd49073ffa7215a42265a9629d203d07849b2417c0ffdbdbf288bf2c669e91009a0d7e8bd6a6b378c92fc283049141231ca7bf4da3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
0b1bc4f5f22bea91abf091d4e5f9d030

SHA1
a7859047391b8ddc1789c09a046553e27c0414af

SHA256
26ca3beb282b73da71ca81df1b698cd1314cf3b65340ad84c48266437721b318

SHA512
2ffd279f98f3c403e32f7e8f100817634ccec3ec699186583a3685e15922c66721d91c9946a98641fd943803ff7c7a8a9740844a2a3eb78567f03edc50c9224f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
582B

MD5
e0a86a2122464e11b2cc8759f21431fc

SHA1
b23e6e5f6997d5d1b2251077aa7a550fdd5702bc

SHA256
584dd8c9d1cf7a901c030491b04296fe298ac54023b995a3ba2f552102a07093

SHA512
e09b195d9384def3fd3323da234d32d59b7254b375be341fca7160a63c4c9cda6770ca133938b9ddf629e9798caa93bc43a79f89f524461eae843931c7aa3226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4bcd8121317a3d1dbdf1a44816c60bc0

SHA1
c28f5a56eb86722c1401816bab82e73a8c37090f

SHA256
dc4e3c1ed616ce32738b433fc95ba7cd4c8084f561d9c9c4c2db0f845d990fc6

SHA512
de6341b5e32b242df16e2458b09090988232f73055db097b8d8c4eea37c301a6cc29d57a03cd84b5af2b05bd6e803e0d8057a8137b37b10ca0f431e930713ac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b78258f4b7f3d3085168c1b7a0c279e

SHA1
395a10d9001c0b5bceaca883003b9d2f2bc5f646

SHA256
3e3be1e153b6e9b111836bc10efdb9a630b2fdc6eb01933b3b8fcca4afd88a70

SHA512
bb5dc63468dcf47a826fe253a7a1375fa18e504e4194bb59d7f46ddb6ea42ea6c3a65373a81cf7bb25b54a49b73a51735a26c1c0970908355c7026be1161a27d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
89fae3384742357c5c201cf96d5e9dfc

SHA1
0008cf809609af5472c2d35cf9fa8de02b784e79

SHA256
b76c58c30dc3971b80466aa318139293690af6b7bd88e971d93e3d773aa6dfeb

SHA512
f8b7ac597b8d7b940e774eced138a9135a01845cb7915c1a6d9e2634207cfca5e38c9bd4b53f2491449d68c0160ac36e1f9bb206a65cff085dd1cf918599e038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ee3d429a6711fdaba95d185a9020aae7

SHA1
0f23c86ef6361aea35229a3436d7263bda658b33

SHA256
9253d682aa2b995d22b9d4fef27700ab77fd70f6296c6b5be42ff5be1310c190

SHA512
296fbebec0eb37d3451e5fdda40ff9e94a42135a2c5a5ebbc17828f2f53e0a4d7983424a7b1f623876d2d3d056ab4435fc365be732bc4bc0fd329f4133056e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
00f99752fe33c1fd0656aeebd1dbcac2

SHA1
983bb2660dcb4bc20a28368e26a4f72994454048

SHA256
3c56eb0381ee06481df097d36c75c636b785c56d4e15888e80a774b864f30e89

SHA512
602f4a710bcdfc1969f12b65dfc849c57f49e850d0c02f7a0b97735e96a41ce27897ea4ffa09d0ebd9cddc663e862d19c200b12dd52a68716d14b9f6076fc9bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d2d8b.TMP

Filesize
872B

MD5
5ca0a11230e7ea1ceba95627bcb6ebb0

SHA1
ae9c9732f9c9b9bf94683514e8066de69a3a7213

SHA256
fea8ddc2331114243536490dd4f3088e764a00f3476bd8a521c2075ba22c2778

SHA512
0511e8436cd56ffcaba2e49b90fb2e9685737904308ec395ebb15870f795c3d6e31d1795459297526df3f21fc02137f395aa68291439f4652c162b42a11b8186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b4f7dcd823bd089f6a7b186ab1536cf9

SHA1
69c37aaa1ae7ffd7324bc2e0be9bec701e44668d

SHA256
2682e1ce6f063258c136db03597f0ae9a5822e12d0564e58d7f18b57547c0ac4

SHA512
f3b1d8f3153d863d344af292180a1f025a3447d819bec8d5bf220d428c39e425728ad78390d133bf936df9ddf7ca6532b11232ab52756496408643b7990c5dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0d4d56b1a46fc44fac6fdf884592eb7e

SHA1
45c05254a9dc5c0547bb71bbda2cae55f2ae7e19

SHA256
90b2b66be05c6f6cd624bf8ed6edf83994804685b1a0320bf5071d31e28d2f18

SHA512
2f03908f5c4c32caa905352d1daae89ee203b1b26a2509da0df5c2c63f611d61241362e89af4664fa86f70887c208d802efaae8407b3c5df5e6835bc35d1fa2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
76e6b2d05efdf0c66982dad2b258db24

SHA1
94d6cb646fe913c6ba3b241aad176b07d729bba2

SHA256
464ff29d30bb7f80ce1bdcc1206fa0544fe4d3af16c0f48767126334ea52ca39

SHA512
3935bd2964b7ea26868440a63cb588bb539451569c6caba945029574d783e5e2bd59f48538c6fe54083d6e041903d2a70a3bc191b966600572d5c4ac7bc4182c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
a282d178d9b496c0a1a3af90de71d1d7

SHA1
91040909f4044cb9afa7e59dde9a26eeeeac4135

SHA256
0c70e20e6d786a2aeccd129a319d6d11c597fecfa72a9357f9030b56b60e3a9b

SHA512
25d7b4320c2286ffe7c11e908ca2550e888bf6502608ab0e10625ac5022a502e0a0630d1d493b77c8cb04a7647d5e67b89bedd28ed3d9249dcd5af185f95261c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\doomed\10754

Filesize
19KB

MD5
a8d5fd0054c9d298eaa31e935315e786

SHA1
6a26f64ad3a6310d78a5bf513dc06f6b988db3e0

SHA256
8ba6eff595bc53116ab5b0b5546d2b94c429e3269fb2936d069a59804ec1237a

SHA512
74acca2c30d6511ba6dd087286b822426ce25d5df1e4114d1fe03172cdd20e7ffc184880db75de81312c8aa25ed7f9fda8e1b58f99dd259e1652a697609b6526

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\doomed\11263

Filesize
11KB

MD5
156da3bbcd3222efedd0f52185dc8e17

SHA1
965c1aaba89c4943c502039d3337899ef96e910d

SHA256
26ffd70a57d96053993e9e9b07357c5e2a06126d5ad008e9dbf85501ead587ed

SHA512
4e527fc32f080656160061639f8da32c9dd76aa8da6785372aa5f2c3c998d232805153c5fc7bdb7b1649c7c67ec9c52ea3bae6ccb6b647047dca71a913179c81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\doomed\15449

Filesize
8KB

MD5
773c4d244d9f3c11d80b40251e2c9139

SHA1
9463ffadb1a60afce1bdf4c16a2154e54989f631

SHA256
bbc7c59c2ba8486529baacb4b7066eb571af7b1b2ea6db65b08960f2e5e122c9

SHA512
24d973b976c0d10f92b33d1093f331e4ae7064020ce3d3ac48b94c9207448ed5d4e64b6fd352a1c667b52f78702073e10cfbaf3c24bdf469fccbe4ce7c8ef066

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\doomed\16645

Filesize
21KB

MD5
2f13b123cd646946c6957ecb2cc5f27e

SHA1
1a35f4abb0d7f227551ca37283484acc0442e328

SHA256
640356f0415224fcb2c26afbbfe4ed91e2338db0fdd1b53062e0e592531076af

SHA512
7d4df1821de017cd15c55fbd31e80a121bbcfe336a0fe7d350e1670939b35d4485209bcf07240b2927e54e674652ddd4843210fc472f9f5a44c62cec722b4e46

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\doomed\18322

Filesize
9KB

MD5
f47dee22cf1d33c88f773c6a3af0151d

SHA1
91fb15bb21ee42bf19f5688a594bb5a97abf4c9a

SHA256
1ebbf7443e4aafb5dd099cfdd23be654b6ec1a1d24459ee3f458047273f634b4

SHA512
b6d813f62a7be28acc075e8bb4fafc04a116b75800676b0b5049e9403f5e81c112cf1a90f10a07477a0cf1e6c506bc974c2dd25f11dd0ed2254b048358beb1d3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\doomed\21191

Filesize
9KB

MD5
7b822ea2f99240412893a34fc329511a

SHA1
1bfc76b96bddf18e9a3bd0380d1a0ec1f40e358c

SHA256
86f8ff09492f3991b515f883d6d8cfb0b3b6b844bb38198f474886e3f8d97aed

SHA512
121ee9efc092e0f9f7d7d8119bea626d373153b2ca6ee0cfa82b082c8e8a912a5b35fe66c3461d8d25e6426566bbd7bbe52e5e2119ab0d6b99efe3ae9a0c9fca

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\doomed\21251

Filesize
15KB

MD5
7eb2d208bf83c95b8498fdeffb205ad0

SHA1
d3905533648ad14b8114e648a57e3d9c72c917b3

SHA256
6a2b5f64cfb8f3bbc7c6b8ac69656c37bebaa77c5856e966ca2a1f9a3c3fda21

SHA512
e39345d026d5c6c86431044785ed41243f401f6027081172c447aae2a126a8eb285136e71c86b0afed29fb32ebe390dc0677005c249d639deada5d765921a5a4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\doomed\22770

Filesize
42KB

MD5
c713fdae2c0c053c5ab3de0d3fbd9651

SHA1
17cbd6616eb0b09d09b6ae3013da7d4292976cbd

SHA256
bb1073c5a269064f806b08a0bfe526d0a566c263df534eae18b6c84468780e2f

SHA512
c7dd031fe2aeaa7d43f3f54a24944499b7ba6e264da247da0a8229f7fdb31ee9f4c573b57052573bee75cb47e22caaa8d121a1d10c6eacab3b8ff9a16b8c70c0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\doomed\24422

Filesize
8KB

MD5
0132dc65f43a752cc34021845160e899

SHA1
3e941260c06512264bb8ee30e09104053da21852

SHA256
c11eba2cae16d1cb4beb59b1775ed0913d66c9979d63fe7a38fb9736892b75c7

SHA512
61bff0d22f9b64955248297fd8e5e36cfe103570e4d08af91f2c8d1dc3feb7a009167718b19af74799e4d707f7007bf85cde6093ca594e9495ee5b6ac20ccb82

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\doomed\28981

Filesize
10KB

MD5
a0699fa0bc82034804cac240f76acb4d

SHA1
2c09c53f1ea40ce688db3697fca5c536a34ac473

SHA256
fd7a9c97a974321046387f08cf6fe8d426d06cc447af383c837451912d0d73ae

SHA512
a6a798db09988aa1221a2a3aed5b8492bedb7b838e2e0b488ce0fd0f1481ae5e75ffe1806ad12d36e9a0240d8bcf50e37b8ca3ac88cb1ada259ce1850edcf795

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\doomed\3258

Filesize
9KB

MD5
3d92b3742bcd4ebf1bbe2bfc624968ef

SHA1
9776e2f2fee1d126bca40d330b04e580b49b5dd1

SHA256
24d80b0ca096fbf49cc9acc48d1100797d2076e730a5522b11f0f7fcb7628761

SHA512
cb6a2116221acb0976d3ed4e280868fdb992b6a2a9e7ee469887cc86b0f8d3cf888c639baaaf598a12a0be0c4a36e84c79a75ee5fe04834b2aafab6d283f6d39

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\doomed\974

Filesize
43KB

MD5
13061fe37413227930f0911757b21da9

SHA1
b0363a0ccf4434492e581f7d4635b1fa24d1c718

SHA256
c794d153695160caa321b6e7c1fc6dad338ae0408083c3a4b8436b08be91e807

SHA512
e4fd75adef6a95a2126dc8ec23559fcea52e995e74bcb792013ef1603030589ef76faffe78fcf51a57fca1ff3d80775b725ec0d45822d72859f46d4e6ffc98dc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\entries\2DEB3B81EB96245D9BC1CF71DE19C61850835DAB

Filesize
42KB

MD5
ebbaf47b22b1f492dbf8c24b2a0611a0

SHA1
0e0969b35aeefc647a09519649ba13bb58277e24

SHA256
b09ce0775106432dbc047c6a99d8a35f63500a6145cf3326e9a356f7bbc92192

SHA512
120227dbb8c3d311cba91de6584ac22ab4b7f5c8aa802b70552eb6c290cefcb1becb56c9656a76a71a8a4ca75a3347c5f30d89a20c386ef662d50d6f20c2947f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\entries\A69601CDF0936FDA3E922B48E74D09D5DA20A25B

Filesize
16KB

MD5
6d0f1bc504ca7911dd221d62dc44c2e7

SHA1
7ac71c82b10c822bd892089bd69d14943a5ecf62

SHA256
c5140a1f6d0355733cdc41cc707a9f55b10659a99250efb3aa5d11c4de3e9dc0

SHA512
5af93da2a517be8763d730117bf440c299c26abc427f2b01f94c639f79a2c63a5d066f8be99ca1b40b84f9976a2cd110c05765c116d06966b8d9d8a7eef42f5a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\entries\AC31535E2F682AEAA4D12265CE3FF534A1342AE4

Filesize
204KB

MD5
47129a371edbafd6977ab52d41710b59

SHA1
ff75bef92d8950ee0b580457948f0fae91bd905b

SHA256
48b2604e39a5de72c230644c1d3da25a23076385d8a1a84cb6f29f8ac50f610f

SHA512
8b3ac59a2b82cf3f37914cc8684633a3a369f8b3caa13e02cb1c2700e4868e08b3f5562d727abde57d913ba5080493a0870b1db24d4fe9657efd148bf329365a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\entries\B2AFB48D00AB1C196711C56973B1F061CE06629C

Filesize
43KB

MD5
46c2a650e3810ef21043220c79c4055f

SHA1
b3bb1400a60e8f7a5044e58c95add6ce441e5168

SHA256
1fa41ec4e42c0f3a3abddd8ee49bfd47b983fe4a1bc2af3490a299bfb73b54b9

SHA512
e0a439ec0dcd141b6c9522089329287307eaa7f630c78dbfa49de11571b9ffdad6eef089ee19a22b3a1e5e50ba6bb49c5fb65b86541623f946548ae13677ba36

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0if1k1kk.dcr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
271B

MD5
c478ac259ae20fab2a781a8ba55ad63e

SHA1
fad793214dd531dc3f1e9302a0a5b6bf23b1402e

SHA256
20534bff57ee69d4086fe2bafa5aefd6ac795d6c300b4b459e4a0aba17159892

SHA512
9e7200f189b15562afb88178787a7d18ac541b08f7c916cc2940d5f1bd93bd6e91507fd45bb4d43911cd96e84b9b87baeb390b07838ac6ea6040f8ec07193d63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
902e9960a24df501cde7f000a048e96d

SHA1
055abebdadaa7f99ae561bb14096acaf0f7ed2b9

SHA256
db731cf164b2a1f2282e320f5b73f281cabfa5e70ad8e52a070ab1e6fe0cdf52

SHA512
e80878a5c243d383d03b8f0a75ade2b5e9365d969b695f168428c9bd45723bb34a0069f0360c741a644f176ed22621679252c142a3a03b7314e87e915fc3a3f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
0d3179665d89c8299ee996973b8b034d

SHA1
204cc511e8c79f467145564949da8ea0d1dc9f05

SHA256
ffa1e32aef762118f6ba12e082833a2b1db2199cc9b1323526cb28fb34dfd094

SHA512
ea1b2a20058d329d77cc6b50a7f1846a19e6a34347792e94b0fd50c4fdd212f1fe160ad43f975812617dce00cf33fa04f90024b302ab43e9742664f5cc6e3d0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
12bd19124e8307965efa2b2877080478

SHA1
5fdabb45900577e050c85f4ac21f22a31ea67a15

SHA256
e8054a19eb9bbe14c385fbdfd98eb129a3071da001c6102c222d4babc080592b

SHA512
e925d1c3fd46245529ac8c1e0ea4482f7bce36259ea140669408af14a43e3efcb0e9ca06e2f216c0d1956507deb4b8c0a4838aa0f2fe5de84fe8e11581ab236c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
e12eb73ef89f4bf04542c88b7b0d374a

SHA1
d5ebc340ba99ede0ce05a5380963008dd52d0af1

SHA256
680d0f9a255a4fd7453bf66f3964b5ba4f330b7e40f70364060c3fd9a77caa37

SHA512
d434f9e4f07515c4fdc4c26cffae2ab4c977e6bcf549c3977776e6d18e6a59fd2c807a3f4560b2cb22466fff15279e5f56dba3513bf20bd8aaeedfcb928cae9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
335cc99df2c0d861d61464d56c89b6ae

SHA1
be1d9dfb6cc4a4cffc495d5a3cd7060a6e84f934

SHA256
35ff84818c7461d0cec52cdd62f0bc917e3c435d932388db5aa6704a296e69b2

SHA512
6c3acce441c1fb75855be3b5b230c3f835c9d61f70c37db67af6c8b2ef272ba2fc847748f71244aa6c9ca849a504750f1824baaf53c8de1d2509e6904a48380c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\pending_pings\a1fd00e4-b6c5-4d5b-a59e-e652f9d47029

Filesize
746B

MD5
c72169bd74537d9325d9522548ce6db4

SHA1
d79ab43ab1a2ae6d82228f92673398b7ff0a140e

SHA256
66b02048b1164fa747f77bb0fd75eab2c444ddedcaf5e37cce4ec287509efff0

SHA512
171767ee347972279739f0bdf1e59d12db950f22bf3ab8823267495442096af6ad6562d41e8f0cb207d25a1520c2b7a4e8157b7e04f65796214269799f97a945

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\pending_pings\e566b3ef-4c00-4810-af69-afad29a65f48

Filesize
12KB

MD5
10b7893d404aefb7ffee01bba044926b

SHA1
7a1bc320113d5857bb45069bca53b408e7d9b6b0

SHA256
8bc4f001b18d4a938410014e7a6973a41af9d9eb5f7b2cfe24f7b9334c950304

SHA512
fcbaf944125966259f05305b5aa32379fba22d9272f2aef8afc68b03ce74f2a4fae1d5e21e71d1b4c9761670f5218fa0b3b59657037460d91c10d6934009929d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs-1.js

Filesize
6KB

MD5
07ab5aaedcdc10eebf233243d48e0cf8

SHA1
00201000df9095f0f78783a7133a7890af10bece

SHA256
6ad73567f3b5580a615e872890bc71f57820b71b7490e334debe80f6d030005b

SHA512
89d0d37c8c1a07583a5b93b592afe4bc1d810b053d566fe09d73613d9f82a8ebfe7f399a8c4c70e432f9444f37b7f79f2c48329646743860ad22f0263d210e04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs-1.js

Filesize
6KB

MD5
739f372b7d209b4a2d4b963bd01a132c

SHA1
47bffb07f73e9a5e4c8384c9739b0930287323d1

SHA256
6c1f116e0d65b22f6f00259ddb4422e7e75e23d3a5e401bf41718b5f2286baa6

SHA512
0d88e4904f2a1365373fe8d82353aab0c5f4d99e32dadd59a4f8bcac91800db44fa5d82b3b715cb9c6d94b8038666583ba2e138112c00c15fa0a0c128d6c1e24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs-1.js

Filesize
7KB

MD5
a67eabc0889b39efbf2d1e7f5a4a7fc6

SHA1
749332b6b584737a96340f66e751797154fd0d58

SHA256
99644dbe5d4210fa280a96eb82a902815261e3b70284be7ce14645129410866f

SHA512
d5cca02b609b7fa9df5c7723cdf7d55e953372ac27aceabb9b14adfd4660ead122e985d9bbdbc4b9f5d460a59b652191145e1e76521ab533dfb607cc7c834948

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs.js

Filesize
6KB

MD5
29d55737768f57edd8cf3ae1c9c62e2b

SHA1
1ea10e8d7b6165a7483a60cdf8f8fefb8586da60

SHA256
54ebbc2eb146fc1da60ef5268b2ed310719ab382d428f686e5f2902e441fb73a

SHA512
8f86604ec0d4b680e60489046697ea2cb431595114073b4c4a090260a7e661682f8ef18f750c7f05c27d74524748aa29b8195de2a05dddb9328638a8191c2a8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs.js

Filesize
6KB

MD5
f08fe077875061e4601daa883c619d63

SHA1
ae919657821febb8b76fdb660180bb56454e6bf5

SHA256
359b8236c0aeee1780b1d4cb2c5cbf4b8ce5b7eb18934c2d04280d1f489d2e90

SHA512
f24c1a2b31f7e4ca9a2ada02003a564a0eaf3c34f6d4d126ccb1a28a6f5a081a57b9413ac034f5d8dc76174b9839d7de621cdf0620b80035747b3322d61be386

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
31f8273e1704e3723ac19fdd5648bb74

SHA1
03b82ebdd2ce425e5668fe4415903bf3ef76cf41

SHA256
7c131cfa7fd74af2b0358df9de9ac3ca759170d32565b03d57bed0a6c08dd376

SHA512
bde187c4d2644c4c509e794161f374081a55fc21e4b0e3c52e5f5e1edea60a5ece717cdf2c0d53f098aea5f0d8eb723060c7c1d98e4c37ae490250d9e4fc7abb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
7d5051bb827a24219d76dbe8929a6e84

SHA1
3fdc6c8af5792c6bec28fdfceebdfc66ddab70be

SHA256
db264f8cbaf8f6aa082ab85f9b02966395fe0e859430a46ad40f3218d38ac646

SHA512
c1905700d78394d457908384cb4ae8d1e624a55f7f5275237d930b6daa6c82a9ae06435e94e4409430ec6e2e86a8ec146183eeb413e8286c5b6f10c708036767

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
9c6c7304abfb439b4ebf6dc2d8b6748b

SHA1
566af7e22c34de627fa335cc71b4b9b62b431be8

SHA256
9a42e426618b4a8eb975e2e59fc569b2604b46aea23a0baf857a1e5fe2d98dbc

SHA512
9a10329b16d440a8e0b13bba108b5f118bb731e0a625fc9c2284f7ad494325521c69229b85fd648f3f7112be4ad2ed946f676a0f49119bb566803f3d1abd5e47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
6d930bba71c85fc115ee71fb9292327d

SHA1
b5eb05c2abbc16d1b037b452bb9986f6fe556785

SHA256
015f2d4d79c212bead8f0f04a48ad893e12a00afc54ec214ace51e6b9e1399c9

SHA512
17bb444a53e3e97e920b43c13aa22e98b3987c54405ca9ea4a2f95f742ad26061f74b023588a83b6837c44b3c57e03ff65ad404f4a6f71a61ac15bcd1e0ceda3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
08e032ca3054d5c52ad30ea3776afdc6

SHA1
24e6511b3980deeadc20319035a44ddb4e317fd0

SHA256
54dd1a1607161dca7180a460da7e076e65a7a059bd6840c9b1c46d4f32a5bc8c

SHA512
4a12b122e34dc6bd4f86c51aed98936956b157bb923de1b9491d29eb886d6304a923e95499a0a91f3b9d22f115fb7c3bbdb3daf46ebc1be71fbad8193eb5070f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
99906382eab51bea6b7c5cf4172d66f9

SHA1
a3fa3a6f982d230fd167eb32b0b5fd607737661f

SHA256
c68932f73f8564658eacd31430d43ba14ee1429dbf1618a5ccfa5f6b564736ff

SHA512
9510a89c6216cfdcbaeb56bd153f21d5cf6a5c681044755600b64c956a31caff2522ae564ea53eb70b9e531f7b39e9dedac0237597a2ccf148026aeddde7bbfd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
479474746ee1e59c16b37fc1c2f4bb07

SHA1
e15899ea9a0c07d04c1f81c5680936b8bb4bfcd2

SHA256
4f26d10bf5c8750016b1980e682a7a3498b55944dcd7d5d36a45c68be7f84c0e

SHA512
25873470e360eae7dc01d47a34d928ae10014544e64998a6a1ad0d029636c831d504ac1ee22a81eb66272b0a4fef458ca8c7a22387ef8ed9eb75110e9d80b9f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
38f4fbfa5af8f39571fc8b4bde834085

SHA1
2448c653dcc767125d79d1bf91cbec3e4337e3f3

SHA256
21ab9f78cba52851e55b075b04c34a970708d21e01c67b68d92a63e70322f918

SHA512
364fcf77aaf53b84afe806d1f050432a2b64606683946647fe92895e88ce060822cbf41da14476819cf798a4ebe3db9ca817925ccb8568911784ca5fd15f60bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
15KB

MD5
cadb8efe2d968a2f81f66c8a93eb073f

SHA1
31d6e5cc055ed5a450f100e36a62402450407154

SHA256
d1ab5041756345c9068515772336304566eea174576ea3c0a75f25d6637f16f1

SHA512
2d35ae5e308996c93867d2aef83329a7bb3e96db1d8b4345ec94d43bad617c27acd26460180c2dd3889e0566b101206982070bf7277dd7adc94b7561e68dde7c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
3e38bc35faddb5ee187b6bd77c2a284b

SHA1
93dadc98c39a5676bfafac1be489837c9a4a43fb

SHA256
b3477a8f949115991ac586f811d3a3665eb9e18e78b95568473a29e211121383

SHA512
8d5107ee72f4cf9e03dce601c36d36e5fe851554aa2e6293638d46b26803d1cdc37762820bcb8eccb3a496e7ce167e0b2931292917646f2e4be2ff0948f63224

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
09ded69410a26205a5add4985b8b92b3

SHA1
d740f281efc6dc27f8387a79f49d0f724b93e2c5

SHA256
68b25ed48f3edef9f64047686e131146d106d5027bbd20fb9864233102481ccd

SHA512
9c4e24a44b3672b734ad16f6f3b2cf29a58df04026075dd73873fdde305d4bdc99c454a62b57b2321d8099c8043f2251eadf2e2d10e6961d2da9ffe5bfc9d3c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
9fe541718facc0077e22b99b6e359673

SHA1
eb553cfad041994389ec18afbeb10c4a93aa3951

SHA256
72ec6bc1ccc38f30eb5e7a9edff55a97d2dd2312dde5aee60b50b9292cca5f1e

SHA512
96dd48045e6155a46f36cd87825779f332688c6a4339de7f057768d6d8a975428a857e5d8a31a514df474c235bd25e8e3d75eeffd7e5e50077ebb8635399526b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
6c353d4b4adadefdb5fc472655afb93d

SHA1
3a097ec683995d7acf6776522350de2775da3258

SHA256
a51da160f2a9abbcb254c044e49d5143a135ea6f8c85268d28071aad8d7ab086

SHA512
03f611677ddea60225d6c65151a2618241e1cfd208bedf340d1943736a09d4c13eb1cc9106f9d61409e5130a8da722de1233ecf315f74a72398a371fc3aca76e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
782b585f20cfd65704168f62df15b612

SHA1
5b59e0c84d3d91ba9949e2502250df6222f2c5bf

SHA256
5aeb859281700008b07adfdf9b00f48bbcbc84bbf71010ebd8ddf069c9818037

SHA512
397edff6c6919a2ac5e123d1b1b4a3a4f87f57ff8e746c491f60328550f60b48379ac3fe980247e6a4ba5e4e48a82f69ae5442f315b68d60d0fa6468429eefec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
28a6f8813287ec60665a4d2bba4a651e

SHA1
1b268f023aa6d5057cafe65d43be4dcaebcf40d5

SHA256
61f33579c3cc0a0533d32e10413edb1bb0c291943ddce887797571f750cd5c60

SHA512
c2c4c1a2b054528869f24f88ef1ec40b44bddd5d4be35638fcb63d496c7f16846b8a207070e688fbf05115ddaa8e5203d6cb30da8de04148ef317a5abcf67aca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
bf3d61c661d9cd0355c9880d896804ef

SHA1
d34e9a60f2be1390ca6370add4ddd7353918a935

SHA256
eaceb96d3541b23fb25df22bb3f0e85e6a3805f4e0d3378e279e8a15c2b5de6c

SHA512
1b0e88ec42b61bbc8ffcb1eb234dc05bc9794f0d7df74669fff894cef82ccfc7c96429d0c81a1f111790c5d6d92c9503a3825d29aeeb3945fca60ba6c8dd6e23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
870027c016522a25815d914843969418

SHA1
5b40b66b1aa9833e3fac33bbd4430b2e608f7214

SHA256
82c6713a94cdd5f8ba7eceef1c46fd462382d049098ff38aac485c3fb19cb303

SHA512
29f785d8c042b70cb79d2f361c72681d93b84618789b9c40b02ff4b020995b9cd031e7688d05c9a52b7b75a114d1e5cc3f6193018f2c9d4034a91fcd031ac68a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore.jsonlz4

Filesize
16KB

MD5
5e63c0ba1cb78a8d81a3eeae6899ab2c

SHA1
bbce1f5ba77c4aaf381b9b35e406b499280dee8f

SHA256
b703201a63a37b44547fd1bb3e388a3915640e54db48181a50afed18a67fce9d

SHA512
2f2fbdd540f27ebe47fd8db035871d88053f1c6179c6b5eb0838d36798c5b1831cfd606e96d45fea93eef48cefab5d842500cbb6717e7a5065658cb3e1faeb18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\storage\default\https+++www.virustotal.com\cache\morgue\146\{29033f68-5fe0-45c8-a415-16989d138f92}.final

Filesize
45KB

MD5
cd0513cd1a0e7dd84a7c57379521392c

SHA1
c89c76c0a18826c8aeb71c3b72ca9e07c23095b4

SHA256
cac8d7e268e2f73aea529850d0ef5115f4d81833ee8b7f4295abe6fe43b3031a

SHA512
805d9eab35ed73023a54bd85eb5af22217be0d0d70fdcbe02c450f3779deec1f6f5a5808259be796a0a4f16234e1b322899b87af1491ad6c0ab8f177fc6a4bdd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\storage\default\https+++www.virustotal.com\cache\morgue\255\{8e8afc96-26ec-4129-ad3f-59302da6aeff}.final

Filesize
45KB

MD5
e1f4b96552a27e71ab783ab2700d70fb

SHA1
1c42ef501ccab6a5f2b7383b40f409425b64bc15

SHA256
b8244d2674019b9d385f85cb210ee9379c4803a5e843c375a036b4df73af620c

SHA512
481c9d960a0de502ff65445abc1c8eed58639f205697429cab02162e00f0ea8b3be6e2d8da37aa72f7f854d9ee04ed6d1625b44fc02aa1b45e0f107f638f3d69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\storage\default\https+++www.youtube.com\cache\morgue\108\{c7603562-207d-401b-8f99-8b971f92bc6c}.final

Filesize
231B

MD5
45e25bb134343fe4a559478cd56f0971

SHA1
79f18ad0b7e3935c3231ced0edd8ea3c7997ca93

SHA256
dae4dd8e56ccc952312b3b238a1db294d4d7ad4f532c31cd1c2e5f9dee881678

SHA512
9b32b125c4183fe992630bc6ce9a511157959556fdce53f8264aba2aa8fb7b0e53b408b505da2cc96cdec771470927e74cba3bbd6eb71a5077e9f933cdc85292

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\storage\default\https+++www.youtube.com\cache\morgue\21\{8f20b5fc-c505-4d2a-86b0-2c24e76af215}.final

Filesize
3KB

MD5
5b0f165bbdb71faa1bb5b26c4f022e96

SHA1
704bbe81e0d8370e675246e1cbb347bf8599aa45

SHA256
b95a445bd9d295276e8423f1ad3fc50c740512a634f2115364217544bc87d44f

SHA512
6c521b2c55135ec98f79193bf9c62b73cfb1801cdeed03a9871878f677aacea46cae165a4290682768ca1c1192dff2e87b63c39228164d72d2c7abbe732f8d20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\storage\default\https+++www.youtube.com\cache\morgue\231\{61799761-64d6-47d1-8986-4d7f3b5830e7}.final

Filesize
4KB

MD5
b211b7f7186aff0324af8f23700b1568

SHA1
2f228f1d3f95153ffae767d0d565e7e9f9b02bdf

SHA256
bf8c5dc1ebca7f3f908ea8846d6f825625ff494e1efef540190cac47978fdec0

SHA512
b6465ec91027087b22e3ca99c344d770fb6cc3791998da1ba2ffdde959b7152c44d9272c040eba0e38056c6e99fa7350616a021a45fe1d1b73baf185b73b5a77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\storage\default\https+++www.youtube.com\cache\morgue\231\{617e225d-22b6-429f-a9bf-424e401b1fe7}.final

Filesize
77KB

MD5
d272a28d90baea630e244b0effa81f63

SHA1
86774c0271e95261211db7a4edfc83914c573874

SHA256
aa573669f760033b33adca9ec4610ecacb79c178eca96c06a3061fc31fb33c03

SHA512
4efb35fa8a215243b65237a052f8982d1b1535f09e34e64ddc762338215fee79353e0e048a72e061a819e84eba7428f4ef2e0b88fdc4e853450a5ad5deff152b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\storage\default\https+++www.youtube.com\cache\morgue\253\{43c9cbdf-fcf7-4887-b354-97b5db14a5fd}.final

Filesize
168B

MD5
51bb0fe00991a2ae6707b3aefc583918

SHA1
21ec201ebf41ad57faaab02f7961ce5a746e6dbb

SHA256
97dc140355b2b45b54c3dab1ac66b951afae0bc742402cbc342be117f4424e0a

SHA512
41863cc0f1252366a5514dd62a06f4bba493029b8c7a35e19173b6d7f9114e7098fa35d284623b6641d28f7d7bee1ce99064987afc985dbf0354368f71f9a39b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\storage\default\https+++www.youtube.com\cache\morgue\53\{8fb832a7-5bd1-4846-9253-d5188c9de135}.final

Filesize
132B

MD5
be203547ce77fa7a91259437b55c0d1f

SHA1
cff2ff2c9469ac96eff7baaa308cdc886fab804d

SHA256
e5f9c781a4756c64455652d9b4bd944aab9ecc1eef556814c00b1797209f4840

SHA512
adf00778a63ea8a143f8fbbf61188392a87a376234e17856339036854cff3a5247aed0b1c0b603332e244d348d58402ba58b32f6df6cc8e18f9d8242f6573f71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\storage\default\https+++www.youtube.com\cache\morgue\88\{847f0877-d34d-4fd9-bfdd-f5035ab72b58}.final

Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\storage\default\https+++www.youtube.com\idb\1870146746yCt7G%cCf7C%o5nffci3g.sqlite

Filesize
56KB

MD5
cff9bcccc471f8c69b9f25c27dc6d06c

SHA1
e125a4f94e076f5ed6c704014e1575ced52426e1

SHA256
5ca43934e76fb2313dfa77c8b235829706bc6958d24e95b6626e7d8741d16eae

SHA512
4a9a1cde6565c0e66bc0798a10868161f127f9f955efdf253c28556ecbff230f0e9416af0589ec6335b246cc6b011d4da0af6ab2e0152dfeda24b55b8292fbec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\storage\default\https+++www.youtube.com\idb\2171031483YattIedMb.sqlite

Filesize
48KB

MD5
a18718294bd09a7297a45c9c1cfdcf39

SHA1
f72eb9fcd47407510139ecdca5b12884b30e6194

SHA256
f8c1329b436dcf54a9d4a00d798190d40a20bc4fb2547788b26641f5beca1bc2

SHA512
7f99beb3cd694035ea49f34c78e9b899e5599b0feae3cdd1f60c11c724b293f9836637a90810477b98daafbcef74ea4f89f4c56ba6327dec04ffb722750ea6de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite-wal

Filesize
40KB

MD5
e70b274e382a0aa897ef08210e9956c7

SHA1
1304337b65f8520294b95e9dfc6ee3e25ac87bc5

SHA256
00a150d03129aad29add8098f277ea3359d292629e8b3422797ffaba13006701

SHA512
030ad2ca10c6809aa285601bb34ced2b9745ec1f0ff66ed35d2283e2ca3935109d0e7a92596ff0dab01313ed70c0f7aa0026c80ad4098a00b1d813f069ca8b5a

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234.T_MNwi_v.rar.part

Filesize
448KB

MD5
1a2af540259fa6105ad1b412d11e6b3c

SHA1
1c0eeaeedf1a35b7e2a91e08adde4dd78eb73dbf

SHA256
206186671ed7dcc244a4da73bf0a7dd145c6c04fe42de3403f78a2622da8eb58

SHA512
e7298fcd8657fa977667f38516a62d43e49e5da4404ac7abdabce691eee8c590184783355dbc7df2bd4c1f4532bc36f7044527b6a4e3f3403da9d7c89075d1aa

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234.rar

Filesize
1.6MB

MD5
69ae524f75cac92d21f0cd33e7e81832

SHA1
728fce64baf6019e4746fccddfbd9fb9fb5c1d1b

SHA256
c01aaed27cde5df78fb8dd556f28dfef281e38e38d97bf64686a87112ef6c5fd

SHA512
07b82fb8c451a7ecf8eddb7c2944a7dde58417e1d752829acd3870794ce5d6d7f7426d707b7689971773742984e00d608312fba73994a61008fb95af249cc113

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\ASP.NET Web Pages\v1.0\Microsoft.AspNet.Razor.ru.1.0.20105.408\lib\net40\ru\system.web.razor.xml

Filesize
88KB

MD5
398dc059ac7b960a31bba803c6d4b7a3

SHA1
dfac62f6e4ac50a0029031244fc5a1469ffe90e8

SHA256
943feccacef5fe23b3daf662594e3b45fcb8bc1caf25ea1c474721921caa9488

SHA512
f3bb82690b39dad744be9c403f7efcf2c40c903f85be013fff4b1a2ac77e8d59e77bc1eb9989134f800fba3d9bcb987485a92b719386750c70dd7fa1acb533e0

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\ASP.NET Web Pages\v1.0\Microsoft.AspNet.WebPages.ru.1.0.20105.408\lib\net40\system.web.webpages.razor.xml

Filesize
6KB

MD5
9c8531c1d5f692cd921c8a56d85bc85d

SHA1
801b699bec07e93fdd05469f15cf80be4178e409

SHA256
16953fbbff24c3d927e5640060948da47c15a32918ecb2fc4f922a82b3fcfa9c

SHA512
3e7fbce84ca7bc96d46ffc3b4fc7acf21d962d379589125a6515178693c379eb6b5833e428ec11f106e9b807147c698e898840a20a8189a01baf76ace9a1f719

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\ASP.NET Web Pages\v1.0\WebConfig\System.Web.WebPages.Deployment.dll

Filesize
25KB

MD5
f9efab153915541f6cbdd147f85f9842

SHA1
5d923740f2377298ad917eb9f5bfb45e0b1465fb

SHA256
130fe2b8282263c77d9bee89d636166848291432696c449d708c819b17bf053a

SHA512
74890a53f2b0b73816e5155fb2b48580fa1dbf3e35077e7915d96ae57516c5da2bbf968978ae134e12754039a5ada6f8dfbcdc121cab9b887a6d4d259b68f3ba

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\ASP.NET Web Pages\v1.0\readme.htm

Filesize
109B

MD5
31ecdc0c4df4a3ac6b11c69a40f4933c

SHA1
009a38f655493847a4a7394b10072c95552c8e6f

SHA256
c1b654e033bee5331e6a77c5a58d77e9a5a0f5795cb104a1cde1d3f85b0cbb6e

SHA512
a7bdea58a072202edf4232fdb1de9e88b0064c6a9936a7b54159c9a98bbce2600fa34920060f5eac5dd1b7fd059160b8d962bc7930b8a585db80869d7e67ceda

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\ASP.NET Web Pages\v1.0\thirdpartynotices.rtf

Filesize
79KB

MD5
e32047a0cfc6d3803334af237136d8ba

SHA1
ff5659ec219e76b4809b4a1e735e67e6bdb70704

SHA256
204d9390f0240e863e1a54788081a508dffa45b08c2553d2888243ccdb1bf882

SHA512
5a3b71d4b4dd39e7889962698b555cb306b1ba49346f46a4a77e4c3d8393780f5fe50a0a4ca121e1cbdc44b0390903c81485574176bd5e57a1c23b9bf9359e0e

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\Assemblies\System.Net.Http.Formatting.xml

Filesize
134KB

MD5
5a488fa116245f3e588a1e1c5c15c760

SHA1
4f58ef47e03dc69db069fcb6a5ef4cdeec921d25

SHA256
3fa5685fd4a78b54208a53bcb50de99e50a78b43f84433f4af60acc3153f14c8

SHA512
4dbd496a6a0ecfbb31903cb1780825b040bca29fe9671d5d253d8be23e78dcffd9bb9bcbb9c8816ea0d2a5cabeafb4a924c4e6e89e8de21a45d534c65cc18c3f

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\Assemblies\System.Net.Http.WebRequest.xml

Filesize
5KB

MD5
ea53391029e45f20c0e80baf12767748

SHA1
b997f6a247adf73e957da96f304186539cebfd06

SHA256
d2243be9c2895696cee40b1d30958828064885ec8bcd12c1f4396d696e9aeea1

SHA512
062088f6805461fc3ece08dbe361734abf82cdfdf75e5d501cc61f95dd0e738eefffa833b2949693da8577f217ed753375f007ba68327def0078ec5e09aaa6b9

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\Assemblies\System.Net.Http.xml

Filesize
197KB

MD5
2c2c95fbe11ad27c9899cb8ca2dc0fc2

SHA1
3d7ef087c0574f8598bcaaf48b89d1772fb5492d

SHA256
68df40007ad7b30d2d32e094d73c0f34a09f0b96a1cec954a4a25d9a5cf5d7a4

SHA512
5fbfddbfbce11ec5ed6391f28c394cb404138f4a17068d6c9b78fdfef28c1718cc4d25a057b83e1a942c32b5cf4a2db0417d97e9e2f90be9410598191fbf1cf4

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\Assemblies\System.Web.Http.SelfHost.xml

Filesize
13KB

MD5
5d931fe262275e8b3f6e18435dac511f

SHA1
f95f33db7c611934534f21efd6b984b1b2625eb6

SHA256
f064d6d0db0664bca6e99bea5b9f8c5a653f1f14b0074214a61ce4704dff262c

SHA512
77ba41e39bfb80d48fa348dabc7fa66253c025818e5f209b95c2d5cf500c216a5df2ac8d8c4f1f23a62bb772bbd47beb91b81c588c1758674d5d1097d56751a1

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\Assemblies\System.Web.Http.WebHost.xml

Filesize
9KB

MD5
b78ce790dbcf539aed11359fcfe9b4d8

SHA1
19fe4942d1fa71ff5ac2f4fddb0c978105d0993c

SHA256
894771092c80f8910bf918c1dec00be86aa8408ee6e33160d6b67c7c8b12f054

SHA512
ea99497a4a9b8d33e78399d6c9829c2b090eca82e73219d4eba696e404600621a9c7e99cd519f2c1e90ab74843471f779b712bf9ae33b50db1ab8d27ad8e6962

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\Readme.txt

Filesize
300B

MD5
53950dfe0ff0be7a95878f9a14dd68e1

SHA1
f48a20933212c2895b4e0c85d90d49e7b97c24f1

SHA256
5ee65dfce026b3fa5f0259dabbfc708e06af8e7d671ad0ec69ad14dabacddc17

SHA512
bbc664963cf152841cad898e0568785ce9f5b6f0431bf5ae638af9b6fe1835019cab9ed3b8ca36a5141de8104c2483e8fff9de86a9356ab4d46795b238383a3c

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\Setup.exe

Filesize
21.3MB

MD5
802322921a653c208c36e74ed09490eb

SHA1
1aa7ce0380bff0e73cf966033c0b88393a7febc1

SHA256
17767992f0d07e4613da4297d9c72b6ead81f6e4066c8c42ec3345d64a9e9c9a

SHA512
8bcef51570a248610160f0d2643239d6268ec17b511a315bdaf837b7a73220a1b4b9e828ed50bd1c168f80981dcc54fea9eee510f73e97180d21c88b531f7f0f

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\Setup.exe

Filesize
24.5MB

MD5
e48125a4bb7477b0bf38258842fd1e96

SHA1
f75ac50e7b04fd0cac16d23f84f9b6658f538120

SHA256
f069b45be657a631bd694b67f9241e8b21917f68113d5e8e1244f93cedfa35f6

SHA512
f6bc78901a874a5ed07c2dc1d21cf3adb097b3092e57d9284f8fc21cb347ff43f87ae5d8ab0528f2dbe92dddf183df3278537961386f88606e8c98f0ec8802c3

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\Setup.exe

Filesize
1.9MB

MD5
ed007d7f50e68656f86a40059323dca3

SHA1
9d71679179e5afbe7369873c2bffc8834511c4d4

SHA256
8601282762b51ca942b775e9ef39f4985cc9c10f13419863611d669a0dbe4bd0

SHA512
2681ef3f2008b36d83d199c5d898e51a5ef4652102053b33421788c575990872e16e13ad9cda24a01a8344260c5302e15fe59c7adfe17c1cc44b0ff4301f4204

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\Updater.exe

Filesize
5.5MB

MD5
4cf2d6056ee3e667bcc9052695229543

SHA1
9ad727e068864632c389e4553736eaa0540a2905

SHA256
0aed7f1df4bebaac9ead827459165028cba493b24dfe68ef44fac9873e1d47d9

SHA512
596759c0a7b381f2d8643b12de39ac556e95cd519c5341083f5cd885e26c181f43653c4525f4c10fb2dbdaacc4f7692a5e06b80c36f1a10d5937b947c7f53d12

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\Updater.exe

Filesize
5.3MB

MD5
92b65f322ddb6d2a20f7173e2519f109

SHA1
61f61a913459a31dbabe924abbb8fae387b81983

SHA256
9e467f11cec8839b9a5b06b37864484cae4cbc0b1327f46e7f391a21356c9e42

SHA512
a98f5dacc9944f71b764789ce93186ddcdd05ffe4bbf7163631367b4806c91cc980281f2c5d9f0d3f2e46fcd1e27ef621c0cff7a9c790a06c1c9c0008595f752

Download Submit
C:\Users\Admin\Downloads\Setup_Pswrd_1234\javaws.dll

Filesize
934KB

MD5
0ecc963e01f7d51aea3d6c402d72c3f3

SHA1
57a3b4965d8bade0e2325905ef7adb9b29e02ea6

SHA256
bb6404ed83bd863b74899a40817f72c860c3ac76c8ba315e159e652b38abb521

SHA512
4abd39159f8ba162cb46cdcccbe09963f8b618cb4e8ad6518615d66725316384cefd939887099e6011454b3d15bdee0f9ac2b50b11a91e63bfa3bde2cdd76c7e

Download Submit
C:\Windows\TEMP\gyeiapcrixfe.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf012b07c3f0a6e651183ffe38a1e509

SHA1
d38bd67f0fa1057441cf3fac0ecbb203a3965fbd

SHA256
158d943ee61059a1c25608df452af9336df3944c757bb89d8c1c6643dbbb1060

SHA512
2f4826bb30418df4640e77d4ad0fba22d512d29e19c903d6425ead68bc326707fa6e201add0c363aa36cf78e301f9c04b5d63c1a57aad7ce3756bce1822108b0

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/4252-3309-0x00007FFC14CB0000-0x00007FFC15771000-memory.dmp

Filesize
10.8MB

Download
memory/4252-3310-0x0000029141560000-0x0000029141570000-memory.dmp

Filesize
64KB

Download
memory/4252-3311-0x0000029141560000-0x0000029141570000-memory.dmp

Filesize
64KB

Download
memory/4252-3332-0x00007FF4D50C0000-0x00007FF4D50D0000-memory.dmp

Filesize
64KB

Download
memory/4252-3337-0x0000029141560000-0x0000029141570000-memory.dmp

Filesize
64KB

Download
memory/4252-3338-0x00007FFC14CB0000-0x00007FFC15771000-memory.dmp

Filesize
10.8MB

Download
memory/5380-2907-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2766-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2764-0x00007FFBF5C90000-0x00007FFBF5CA0000-memory.dmp

Filesize
64KB

Download
memory/5380-2761-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2772-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2774-0x00007FFBF4A50000-0x00007FFBF4A60000-memory.dmp

Filesize
64KB

Download
memory/5380-2780-0x00007FFBF4A50000-0x00007FFBF4A60000-memory.dmp

Filesize
64KB

Download
memory/5380-2767-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2769-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2896-0x00007FFBF5C90000-0x00007FFBF5CA0000-memory.dmp

Filesize
64KB

Download
memory/5380-2897-0x00007FFBF5C90000-0x00007FFBF5CA0000-memory.dmp

Filesize
64KB

Download
memory/5380-2765-0x00007FFBF5C90000-0x00007FFBF5CA0000-memory.dmp

Filesize
64KB

Download
memory/5380-2895-0x00007FFBF5C90000-0x00007FFBF5CA0000-memory.dmp

Filesize
64KB

Download
memory/5380-2778-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2894-0x00007FFBF5C90000-0x00007FFBF5CA0000-memory.dmp

Filesize
64KB

Download
memory/5380-2759-0x00007FFBF5C90000-0x00007FFBF5CA0000-memory.dmp

Filesize
64KB

Download
memory/5380-2762-0x00007FFBF5C90000-0x00007FFBF5CA0000-memory.dmp

Filesize
64KB

Download
memory/5380-2763-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2779-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2908-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2777-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2776-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2768-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2760-0x00007FFBF5C90000-0x00007FFBF5CA0000-memory.dmp

Filesize
64KB

Download
memory/5380-2775-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2773-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2770-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5380-2771-0x00007FFC35C10000-0x00007FFC35E05000-memory.dmp

Filesize
2.0MB

Download
memory/5624-3162-0x00007FF6D7860000-0x00007FF6D8439000-memory.dmp

Filesize
11.8MB

Download
memory/5936-3241-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/5936-3245-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/5936-3248-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/5936-3250-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/5936-3252-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/5936-3246-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/5936-3249-0x00000000006A0000-0x0000000001B68000-memory.dmp

Filesize
20.8MB

Download
memory/5936-3335-0x00000000006A0000-0x0000000001B68000-memory.dmp

Filesize
20.8MB

Download
memory/5936-3220-0x00000000006A0000-0x0000000001B68000-memory.dmp

Filesize
20.8MB

Download
memory/5936-3339-0x00000000006A0000-0x0000000001B68000-memory.dmp

Filesize
20.8MB

Download
memory/5992-3166-0x0000019F71FF0000-0x0000019F72000000-memory.dmp

Filesize
64KB

Download
memory/5992-3165-0x00007FFC14CB0000-0x00007FFC15771000-memory.dmp

Filesize
10.8MB

Download
memory/5992-3180-0x0000019F72350000-0x0000019F72452000-memory.dmp

Filesize
1.0MB

Download
memory/5992-3181-0x0000019F71FF0000-0x0000019F72000000-memory.dmp

Filesize
64KB

Download
memory/5992-3184-0x00007FFC14CB0000-0x00007FFC15771000-memory.dmp

Filesize
10.8MB

Download
memory/5992-3174-0x0000019F71EF0000-0x0000019F71F12000-memory.dmp

Filesize
136KB

Download
memory/5992-3179-0x0000019F71ED0000-0x0000019F71EE0000-memory.dmp

Filesize
64KB

Download
memory/5992-3167-0x0000019F71FF0000-0x0000019F72000000-memory.dmp

Filesize
64KB

Download
memory/5992-3168-0x0000019F71F50000-0x0000019F71FD2000-memory.dmp

Filesize
520KB

Download
memory/6208-3216-0x000002529E090000-0x000002529E09A000-memory.dmp

Filesize
40KB

Download
memory/6208-3193-0x000002529E0A0000-0x000002529E0B0000-memory.dmp

Filesize
64KB

Download
memory/6208-3214-0x00007FF416560000-0x00007FF416570000-memory.dmp

Filesize
64KB

Download
memory/6208-3215-0x000002529E4B0000-0x000002529E565000-memory.dmp

Filesize
724KB

Download
memory/6208-3194-0x000002529E0A0000-0x000002529E0B0000-memory.dmp

Filesize
64KB

Download
memory/6208-3217-0x000002529E6D0000-0x000002529E6EC000-memory.dmp

Filesize
112KB

Download
memory/6208-3218-0x000002529E6B0000-0x000002529E6BA000-memory.dmp

Filesize
40KB

Download
memory/6208-3219-0x000002529E710000-0x000002529E72A000-memory.dmp

Filesize
104KB

Download
memory/6208-3221-0x000002529E6C0000-0x000002529E6C8000-memory.dmp

Filesize
32KB

Download
memory/6208-3213-0x000002529E070000-0x000002529E08C000-memory.dmp

Filesize
112KB

Download
memory/6208-3223-0x000002529E6F0000-0x000002529E6F6000-memory.dmp

Filesize
24KB

Download
memory/6208-3224-0x000002529E700000-0x000002529E70A000-memory.dmp

Filesize
40KB

Download
memory/6208-3229-0x00007FFC14CB0000-0x00007FFC15771000-memory.dmp

Filesize
10.8MB

Download
memory/6208-3192-0x00007FFC14CB0000-0x00007FFC15771000-memory.dmp

Filesize
10.8MB

Download
memory/6780-3251-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6780-3253-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6780-3247-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6780-3244-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6780-3255-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/7072-3066-0x00000000006A0000-0x0000000001B68000-memory.dmp

Filesize
20.8MB

Download
memory/7072-2933-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/7072-2924-0x00000000006A0000-0x0000000001B68000-memory.dmp

Filesize
20.8MB

Download
memory/7072-2930-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/7072-2937-0x00000000006A0000-0x0000000001B68000-memory.dmp

Filesize
20.8MB

Download
memory/7072-2935-0x00000000006A0000-0x0000000001B68000-memory.dmp

Filesize
20.8MB

Download
memory/7072-2931-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/7072-2936-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

Filesize
4KB

Download
memory/7072-2934-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/7072-2932-0x0000000006AA0000-0x0000000006AA1000-memory.dmp

Filesize
4KB

Download
memory/7396-2960-0x00000252B38E0000-0x00000252B38E1000-memory.dmp

Filesize
4KB

Download
memory/7396-3022-0x00000252B38E0000-0x00000252B38E1000-memory.dmp

Filesize
4KB

Download
memory/7396-3006-0x00000252B38E0000-0x00000252B38E1000-memory.dmp

Filesize
4KB

Download
memory/7396-3031-0x00000252B38E0000-0x00000252B38E1000-memory.dmp

Filesize
4KB

Download
memory/7396-2975-0x00000252B38E0000-0x00000252B38E1000-memory.dmp

Filesize
4KB

Download
memory/7396-2945-0x00000252B38E0000-0x00000252B38E1000-memory.dmp

Filesize
4KB

Download
memory/7396-2953-0x00000252B38E0000-0x00000252B38E1000-memory.dmp

Filesize
4KB

Download
memory/7396-2949-0x00000252B38E0000-0x00000252B38E1000-memory.dmp

Filesize
4KB

Download
memory/7396-2943-0x00000252B38E0000-0x00000252B38E1000-memory.dmp

Filesize
4KB

Download
memory/7396-2944-0x00000252B38E0000-0x00000252B38E1000-memory.dmp

Filesize
4KB

Download
memory/7476-3235-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/7476-3233-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/7476-3243-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/7476-3236-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/7476-3237-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/7476-3239-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/7744-3291-0x00007FFC14CB0000-0x00007FFC15771000-memory.dmp

Filesize
10.8MB

Download
memory/7744-3289-0x0000012BE9100000-0x0000012BE9110000-memory.dmp

Filesize
64KB

Download
memory/7744-3287-0x00007FF48C180000-0x00007FF48C190000-memory.dmp

Filesize
64KB

Download
memory/7744-3288-0x0000012BE94C0000-0x0000012BE9575000-memory.dmp

Filesize
724KB

Download
memory/7744-3262-0x0000012BE9100000-0x0000012BE9110000-memory.dmp

Filesize
64KB

Download
memory/7744-3261-0x00007FFC14CB0000-0x00007FFC15771000-memory.dmp

Filesize
10.8MB

Download
memory/9076-3190-0x00007FF61D990000-0x00007FF61E569000-memory.dmp

Filesize
11.8MB

Download